SayNay Family

These are non-dangerous, non-memory-resident parasitic viruses. They search for .COM files and write themselves to the end of each file.
These viruses drop their assembler source code into an ASM file. To do that, the viruses carry this source code in their bodies in encrypted form, which is why the length of the virus is more than 5K.
To drop that code, the virus checks the command line for the “NAY” argument. If that argument is found, the virus displays the message:
Magic! ;)

and creates the SAYNAY.ASM and SAYNAY.BAT files. Then the virus writes the source code to the SAYNAY.ASM file, and writes the strings:
TAsm /M2 SayNay.Asm
TLink /T SayNay.Obj
Copy /B SayNay.Com+SayNay.Asm

to the SAYNAY.BAT file. As a result there are two files: the former contains the virus's source text, and the latter contains instructions for compiling the source text and building the virus. When executed, the BAT file runs the assembler and linker to make the “intermediate” virus code, which contains the binary code but not the source text. The source text is then appended to the binary code by the COPY command, and the resulting file contains the virus with its source text in unencrypted form. When executed, the virus encrypts that source text, then searches for and infects .COM files.
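
The dropped files described above make a simple host artifact check possible. The following is an added example, not part of the original description: the function names and the sample batch text are constructed for illustration, and the only values taken from the description are the two file names and the three batch lines.

```python
import os
import re

# Build commands the description says are written to SAYNAY.BAT, in order.
EXPECTED_BAT_LINES = [
    "TAsm /M2 SayNay.Asm",
    "TLink /T SayNay.Obj",
    "Copy /B SayNay.Com+SayNay.Asm",
]
ARTIFACT_NAMES = ("saynay.bat", "saynay.asm")

# Constructed sample: what a dropped batch file could look like on disk (CRLF).
SAMPLE_BAT = "\r\n".join(EXPECTED_BAT_LINES) + "\r\n"

def _norm(line):
    """DOS commands are case-insensitive: fold case, collapse whitespace."""
    return re.sub(r"\s+", " ", line.strip()).lower()

def bat_matches(text):
    """True if the three build commands appear in the batch text, in order."""
    lines = iter(_norm(l) for l in text.splitlines() if l.strip())
    # 'w in lines' consumes the iterator, so this is an ordered-subsequence test.
    return all(w in lines for w in map(_norm, EXPECTED_BAT_LINES))

def classify(files):
    """files: {file name: text content} for one directory. Returns findings."""
    by_name = {name.lower(): content for name, content in files.items()}
    findings = []
    bat = by_name.get("saynay.bat")
    if bat is not None:
        findings.append("SAYNAY.BAT with build commands" if bat_matches(bat)
                        else "SAYNAY.BAT present, contents differ")
    if "saynay.asm" in by_name:
        findings.append("SAYNAY.ASM present")
    return findings

def scan_dir(path):
    """Read only the two artifact names from a directory and classify them."""
    files = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower() in ARTIFACT_NAMES:
            with open(entry.path, "r", encoding="latin-1") as fh:
                files[entry.name] = fh.read(65536)  # cap the read size
    return classify(files)

if __name__ == "__main__":
    print(classify({"SAYNAY.BAT": SAMPLE_BAT, "SAYNAY.ASM": "; constructed"}))
```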
