MultiFace Virus

WildTech · January 13th, 2001, 12:31 PM

Hey gang,

Has anyone out there had any success removing and repairing the damage done by the Multiface Virus. I can find very little info on this particular virus on the web. Thanks

------------------

WildTech
MasterMind Computers ... Bring your PC to the Master!!

[This message has been edited by WildTech (edited January 13, 2001).]

January 13th, 2001, 05:10 PM

Don't know if you had this info or not

(from norton)

MultiFace
Aliases: Face, Mface, Multi-Face
Infection length: 1,441 bytes
Area of infection: .SYS files, .COM files, .EXE files
Likelihood: Common
Region reported: U.S.A.
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None

Description:
MultiFace is a virus that infects the first .SYS file in the CONFIG.SYS file of the COMSPEC directory. The next time the user boots the infected computer, the virus goes active in memory and begins infecting .EXE and .COM files. MultiFace changes the infected program’s time and date stamp to the date and time of infection.

When active, MultiFace has been known to display multiple smiley faces on the screen. Running .COM files from a write-protected floppy disk may result in write-protect error messages.

------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981

Amateur Radio Callsign KB3FHH

January 13th, 2001, 05:19 PM

McAfee too:

Virus Name
Multi-Face
Date Added
1/15/92

Virus Characteristics
Multi-Face is a memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.
Upon infection, this virus becomes memory resident in low available system memory. Interrupts 08, 13, and 21 are hooked by the Multi-Face virus in memory.

After the Multi-Face virus is memory resident, it infects .COM files.

Additional Comments:
The Multi-Face virus was submitted in January, 1992. Its origin or point of original isolation is unknown. Multi-Face is a memory resident infector of .COM programs, including COMMAND.COM. The first time a program infected with the Multi-Face virus is executed, this virus will install itself memory resident in low available system memory. Memory mapping utilities may indicate that the Config area of memory has increased in size by 1,456 bytes. The DOS CHKDSK program will indicate that available free memory has decreased by approximately 64K in addition to the 1,456 bytes in size by the virus. Interrupts 08, 13, and 21 will be hooked by the Multi-Face virus in memory. After the Multi-Face virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,441 bytes with the virus being located at the end of the infected file. The file's date and time in the DOS disk directory listing will have been updated to the current system date and time. Symptoms of an infection of the Multi-Face virus are that a minor system slowdown will have occurred. The slowdown is most noticable when the system display is scrolled. .COM program date and time in the DOS disk directory listing will have been updated when programs are executed if the system date is different from the program date. Write protect errors will occur when attempting to execute .COM programs on write protected diskettes. Lastly, multiple smiley face characters may appear on the system display, moving around the other characters on the screen.

Indications Of Infection
Memory decreases by approximately 64K in addition to the 1,456 bytes in size by the virus. Infected files have a file length increase of 1,441 bytes. The virus is located at the end of the infected file. The file's date and time in the DOS disk directory listing are updated to the current system date and time.

Symptoms of an infection of the Multi-Face virus are that a minor system slowdowns occur.

Method Of Infection
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981

Amateur Radio Callsign KB3FHH

WildTech · January 13th, 2001, 07:04 PM

Yeah, I saw those already but thanks for the effort.

I was hoping someone knew of a magic wand fix I could use to get rid of it. Looks like a reformat to me.......hehe

------------------

WildTech
MasterMind Computers ... Bring your PC to the Master!!

January 13th, 2001, 12:31 PM	#1
WildTech Registered User Join Date: Apr 1999 Location: Indiana Posts: 397	MultiFace Virus Hey gang, Has anyone out there had any success removing and repairing the damage done by the Multiface Virus. I can find very little info on this particular virus on the web. Thanks ------------------ WildTech MasterMind Computers ... Bring your PC to the Master!! [This message has been edited by WildTech (edited January 13, 2001).] __________________ WildTech Unless your the lead dog, the view never changes!

January 13th, 2001, 07:04 PM	#4
WildTech Registered User Join Date: Apr 1999 Location: Indiana Posts: 397	Yeah, I saw those already but thanks for the effort. I was hoping someone knew of a magic wand fix I could use to get rid of it. Looks like a reformat to me.......hehe ------------------ WildTech MasterMind Computers ... Bring your PC to the Master!! __________________ WildTech Unless your the lead dog, the view never changes!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

January 13th, 2001, 05:10 PM	#2
furlong47 Guest Posts: n/a	Don't know if you had this info or not (from norton) MultiFace Aliases: Face, Mface, Multi-Face Infection length: 1,441 bytes Area of infection: .SYS files, .COM files, .EXE files Likelihood: Common Region reported: U.S.A. Characteristics: Wild, memory resident Target platform: DOS Trigger date: None Description: MultiFace is a virus that infects the first .SYS file in the CONFIG.SYS file of the COMSPEC directory. The next time the user boots the infected computer, the virus goes active in memory and begins infecting .EXE and .COM files. MultiFace changes the infected program’s time and date stamp to the date and time of infection. When active, MultiFace has been known to display multiple smiley faces on the screen. Running .COM files from a write-protected floppy disk may result in write-protect error messages. ------------------ "640 K ought to be enough for anybody." --Bill Gates, 1981 Amateur Radio Callsign KB3FHH

January 13th, 2001, 05:19 PM	#3
furlong47 Guest Posts: n/a	McAfee too: Virus Name Multi-Face Date Added 1/15/92 Virus Characteristics Multi-Face is a memory resident, file infecting virus. It infects .COM files, including COMMAND.COM. Upon infection, this virus becomes memory resident in low available system memory. Interrupts 08, 13, and 21 are hooked by the Multi-Face virus in memory. After the Multi-Face virus is memory resident, it infects .COM files. Additional Comments: The Multi-Face virus was submitted in January, 1992. Its origin or point of original isolation is unknown. Multi-Face is a memory resident infector of .COM programs, including COMMAND.COM. The first time a program infected with the Multi-Face virus is executed, this virus will install itself memory resident in low available system memory. Memory mapping utilities may indicate that the Config area of memory has increased in size by 1,456 bytes. The DOS CHKDSK program will indicate that available free memory has decreased by approximately 64K in addition to the 1,456 bytes in size by the virus. Interrupts 08, 13, and 21 will be hooked by the Multi-Face virus in memory. After the Multi-Face virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,441 bytes with the virus being located at the end of the infected file. The file's date and time in the DOS disk directory listing will have been updated to the current system date and time. Symptoms of an infection of the Multi-Face virus are that a minor system slowdown will have occurred. The slowdown is most noticable when the system display is scrolled. .COM program date and time in the DOS disk directory listing will have been updated when programs are executed if the system date is different from the program date. Write protect errors will occur when attempting to execute .COM programs on write protected diskettes. Lastly, multiple smiley face characters may appear on the system display, moving around the other characters on the screen. Indications Of Infection Memory decreases by approximately 64K in addition to the 1,456 bytes in size by the virus. Infected files have a file length increase of 1,441 bytes. The virus is located at the end of the infected file. The file's date and time in the DOS disk directory listing are updated to the current system date and time. Symptoms of an infection of the Multi-Face virus are that a minor system slowdowns occur. Method Of Infection The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate. ------------------ "640 K ought to be enough for anybody." --Bill Gates, 1981 Amateur Radio Callsign KB3FHH