Russian Lab Uncovers NT System Driver Virus
- By Scott Bekker
- October 08, 1999
A Moscow-based laboratory discovered yesterday a virus that infiltrates the highest security level in Windows NT systems.
Kaspersky Lab (www.avp.ru) considers the WinNT.Infis virus the first virus that acts as a Windows NT system driver, which makes it very difficult to detect and remove the virus from computer memory.
Infis is a memory-resident file virus operating under Windows NT 4.0 with Service Packs 2 through 6 installed. It does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.
The main infection indicator is the inability to run some programs, such as mspaint.exe, calc.exe or cdplayer.exe. Another indicator of the virus's presence is an INF.SYS file in the WinNT\System32\Drivers folder.
When an infected file is run, the virus copies its body to the INF.SYS file in the Windows NT drivers folder, WinNT\System32\Drivers. It then creates a key with three sections in the Windows system registry.
As a result, the virus in the INF.SYS file is activated every time the operating system boots, and it launches a subroutine that infects Windows NT memory. Once its installation in memory is complete, the virus takes control of undocumented Windows NT internal functions. It intercepts file opening, checks the files' names and internal format, and then calls the infection subroutine.
In order for Windows NT to start properly, the infected files need to be removed and the changes to Windows Registry must be corrected.
The Infis virus infects only Portable Executable files, with the exception of CMD.EXE (the Windows NT command processor). When infecting a file it increases the file's length by the length of its "pure code" -- 4,608 bytes. The virus avoids infecting the same file more than once.
Infis does not carry any destructive payload. It contains errors, however, that corrupt some files when infecting them. When a corrupted file is run, it invokes a standard Windows NT application error message.
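The two indicators the article gives a defender, an INF.SYS file in the drivers folder and Portable Executable files that have grown by 4,608 bytes, can be turned into a simple triage check. The script below is an added example, not code from the article or from Kaspersky Lab. It assumes, as a labelled heuristic, that the extra bytes show up as an overlay past the end of the last PE section (the article does not say how the body is attached), and it builds its own minimal PE32 image as constructed test input rather than reading a real executable. The overlay walk itself reads only SizeOfHeaders and the section table, which sit at the same offsets in PE32 and PE32+, so it applies to both.

```python
import struct

# Length of the virus body reported by the article (4,608 bytes).
INFIS_CODE_LENGTH = 4608
# Indicator named by the article: INF.SYS in the NT drivers folder.
INFIS_DRIVER_NAME = "inf.sys"


def pe_overlay_length(data: bytes) -> int:
    """Return the number of bytes that sit past the end of every PE section.

    Walks the DOS header, PE signature, COFF header and section table,
    computes where the image should end, and treats anything beyond that
    as overlay. Raises ValueError for data that is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    # SizeOfHeaders is at offset 60 of the optional header (PE32 and PE32+).
    expected_end = struct.unpack_from("<I", data, coff + 20 + 60)[0]
    section_table = coff + 20 + size_of_optional
    for i in range(num_sections):
        entry = section_table + i * 40
        # SizeOfRawData and PointerToRawData are at offsets 16 and 20 of each entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        expected_end = max(expected_end, raw_ptr + raw_size)
    return max(0, len(data) - expected_end)


def classify_executable(data: bytes) -> str:
    """Heuristic verdict (assumption: the virus body trails the last section)."""
    overlay = pe_overlay_length(data)
    if overlay == 0:
        return "no overlay"
    if overlay == INFIS_CODE_LENGTH:
        return f"overlay matches reported Infis code length ({INFIS_CODE_LENGTH} bytes)"
    return f"overlay of {overlay} bytes (inspect manually)"


def has_infis_driver_indicator(driver_dir_listing) -> bool:
    """True if a listing of the drivers folder contains the INF.SYS file the article names."""
    return any(name.lower() == INFIS_DRIVER_NAME for name in driver_dir_listing)


def build_sample_pe(section_payload: bytes = b"\xC3" * 16) -> bytes:
    """Constructed minimal PE32 image used as test input (not a real program)."""
    size_of_headers = 0x200
    raw_size = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                       # PE32 optional header
    struct.pack_into("<H", optional, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<I", optional, 60, size_of_headers)
    section = bytearray(40)
    section[:8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", section, 8, len(section_payload), 0x1000, raw_size, size_of_headers)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + bytes(section)).ljust(size_of_headers, b"\0")
    return headers + section_payload.ljust(raw_size, b"\0")


if __name__ == "__main__":
    clean = build_sample_pe()
    # Constructed "infected" sample: the clean image with 4,608 extra trailing bytes.
    infected = clean + b"\x90" * INFIS_CODE_LENGTH
    print("clean   :", classify_executable(clean))
    print("infected:", classify_executable(infected))
    print("drivers :", has_infis_driver_indicator(["ntfs.sys", "INF.SYS"]))
```

On a real system the listing passed to `has_infis_driver_indicator` would come from the WinNT\System32\Drivers folder and `classify_executable` would be run over the contents of each .exe on disk; a 4,608-byte overlay is only a lead for further inspection, since legitimate installers and signed binaries also carry overlays.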
Unlike the destructive and crippling viruses that have plagued the industry in the past year -- most notably Melissa and Remote Explorer -- Infis does not spread itself via the Internet. -- Thomas Sullivan
Scott Bekker is editor in chief of Redmond Channel Partner magazine.