Ninja Virus

Virus Name: Ninja Aliases: V Status: Rare Discovered: October, 1992 Symptoms: .COM & .EXE file growth; decrease in total system & available free memory Origin: USSR Eff Length: 1,546 - 1,634 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, LProt, NAV/N, IBMAV/N, Innoc Removal Instructions: Delete infected files General Comments: The Ninja virus was submitted in October, 1992. It is originally from the USSR. Ninja is a memory resident infector of .COM and .EXE programs, but not COMMAND.COM. It spreads quickly, infecting programs when they are executed or opened for any reason. The first time a program infected with the Ninja virus is executed, the Ninja virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,408 bytes. Interrupt 21 will be hooked by Ninja in memory. Once memory resident, the Ninja virus will infect .COM and .EXE programs when they are executed or opened for any reason. Infected .COM programs will have a file length increase of 1,634 bytes. .EXE programs will increase in size by 1,548 bytes. In both cases, the virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code, and thus not visible in infected programs: "COMMAND.COM AIDSTEST.EXE .COM .EXE" "Mutant Ninja Version 2.0 (C) 1990,91 Virus&Worm Software" It is unknown what Ninja may do besides replicate.