Details
Multiani

This is a dangerous memory resident boot virus. It hooks INT 13h and writes itself to boot sectors of the floppy disks and to the first boot sector of the hard drive. While infecting a sector, the virus patches the code of the standard boot routine in the boot sector. The virus writes, to the beginning of that routine, the JMP instruction, and writes the virus loader (37h bytes) to the area of the system error messages at the offset 01A4h. Then the virus writes its main code to the last sector of the root directory.
While loading from such a sector, the standard boot routine is interrupted by the patched code; the virus loader receives the control, reads the main virus code, hooks INT 13h, and returns control to the standard boot routine.
This way of infection corrupts the code of the not-MS-DOS boot sectors, and the system halts while loading from the infected disk.
In December the virus displays the following message:
La multi ani !

The virus also contains the following text strings, the second string is encrypted:
SoSo3
! ina itlum aL

Related Posts

This entry was posted on Sunday, September 30th, 2007 at 11:50 pm and is filed under Virus Threats.