Virus Name: Ninja
V Status: Rare
Discovered: October, 1992
Symptoms: .COM & .EXE file growth; decrease in total system & available
Eff Length: 1,546 - 1,634 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NProt, AVTK/N, LProt, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Ninja virus was submitted in October, 1992. It is originally
from the USSR. Ninja is a memory resident infector of .COM and
.EXE programs, but not COMMAND.COM. It spreads quickly, infecting
programs when they are executed or opened for any reason.
The first time a program infected with the Ninja virus is executed,
the Ninja virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 1,408 bytes. Interrupt 21 will be hooked by
Ninja in memory.
Once memory resident, the Ninja virus will infect .COM and .EXE
programs when they are executed or opened for any reason. Infected
.COM programs will have a file length increase of 1,634 bytes. .EXE
programs will increase in size by 1,548 bytes. In both cases, the
virus will be located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code, and thus
not visible in infected programs:
"COMMAND.COM AIDSTEST.EXE .COM .EXE"
"Mutant Ninja Version 2.0 (C) 1990,91 Virus&Worm Software"
It is unknown what Ninja may do besides replicate.