MultiFace Virus

Printable View

January 13th, 2001, 01:31 PM
WildTech

MultiFace Virus

Hey gang,

Has anyone out there had any success removing and repairing the damage done by the Multiface Virus. I can find very little info on this particular virus on the web. Thanks https://forums.windrivers.com/

------------------
https://forums.windrivers.com/
WildTech
MasterMind Computers ... Bring your PC to the Master!!

[This message has been edited by WildTech (edited January 13, 2001).]
January 13th, 2001, 06:10 PM
furlong47

Don't know if you had this info or not https://forums.windrivers.com/ (from norton)

MultiFace
Aliases: Face, Mface, Multi-Face
Infection length: 1,441 bytes
Area of infection: .SYS files, .COM files, .EXE files
Likelihood: Common
Region reported: U.S.A.
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None

Description:
MultiFace is a virus that infects the first .SYS file in the CONFIG.SYS file of the COMSPEC directory. The next time the user boots the infected computer, the virus goes active in memory and begins infecting .EXE and .COM files. MultiFace changes the infected program’s time and date stamp to the date and time of infection.

When active, MultiFace has been known to display multiple smiley faces on the screen. Running .COM files from a write-protected floppy disk may result in write-protect error messages.

------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981

Amateur Radio Callsign KB3FHH
January 13th, 2001, 06:19 PM
furlong47

McAfee too:

Virus Name
Multi-Face
Date Added
1/15/92

Virus Characteristics
Multi-Face is a memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.
Upon infection, this virus becomes memory resident in low available system memory. Interrupts 08, 13, and 21 are hooked by the Multi-Face virus in memory.

After the Multi-Face virus is memory resident, it infects .COM files.

Additional Comments:
The Multi-Face virus was submitted in January, 1992. Its origin or point of original isolation is unknown. Multi-Face is a memory resident infector of .COM programs, including COMMAND.COM. The first time a program infected with the Multi-Face virus is executed, this virus will install itself memory resident in low available system memory. Memory mapping utilities may indicate that the Config area of memory has increased in size by 1,456 bytes. The DOS CHKDSK program will indicate that available free memory has decreased by approximately 64K in addition to the 1,456 bytes in size by the virus. Interrupts 08, 13, and 21 will be hooked by the Multi-Face virus in memory. After the Multi-Face virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,441 bytes with the virus being located at the end of the infected file. The file's date and time in the DOS disk directory listing will have been updated to the current system date and time. Symptoms of an infection of the Multi-Face virus are that a minor system slowdown will have occurred. The slowdown is most noticable when the system display is scrolled. .COM program date and time in the DOS disk directory listing will have been updated when programs are executed if the system date is different from the program date. Write protect errors will occur when attempting to execute .COM programs on write protected diskettes. Lastly, multiple smiley face characters may appear on the system display, moving around the other characters on the screen.

Indications Of Infection
Memory decreases by approximately 64K in addition to the 1,456 bytes in size by the virus. Infected files have a file length increase of 1,441 bytes. The virus is located at the end of the infected file. The file's date and time in the DOS disk directory listing are updated to the current system date and time.

Symptoms of an infection of the Multi-Face virus are that a minor system slowdowns occur.

Method Of Infection
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981

Amateur Radio Callsign KB3FHH
January 13th, 2001, 08:04 PM
WildTech

Yeah, I saw those already but thanks for the effort. https://forums.windrivers.com/ I was hoping someone knew of a magic wand fix I could use to get rid of it. Looks like a reformat to me.......hehe https://forums.windrivers.com/

------------------
:)
WildTech
MasterMind Computers ... Bring your PC to the Master!!