
Russian Lab Uncovers NT System Driver Virus

A Moscow-based laboratory discovered yesterday a virus that infiltrates the highest security level in Windows NT systems.

Kaspersky Lab (www.avp.ru) considers WinNT.Infis the first virus to run as a Windows NT system driver, which makes it very difficult to detect and to remove from memory.

Infis is a memory-resident file infector that operates under Windows NT 4.0 with Service Packs 2 through 6 installed. It does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.

The main infection indicator is the inability to run some programs, for example mspaint.exe, calc.exe or cdplayer.exe. Another indicator of the virus's presence is an INF.SYS file in the WinNT\System32\Drivers folder.

When an infected file is run, the virus copies its body to the INF.SYS file in the Windows NT drivers folder WinNT\System32\Drivers. It then creates a key with three sections in the Windows system registry.

As a result, the virus in the INF.SYS file is activated every time the operating system boots, and it launches a subroutine that installs the virus in Windows NT memory. Once installed in memory, the virus hooks undocumented internal Windows NT functions. It intercepts file-open operations, checks each file's name and internal format, and then calls its infection subroutine.

In order for Windows NT to start properly, the infected files need to be removed and the changes to Windows Registry must be corrected.

Infis infects only Portable Executable files, with the exception of CMD.EXE (the Windows NT command processor). When infecting a file, it increases the file's length by the size of its "pure code" -- 4,608 bytes. The virus avoids infecting a file more than once.
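The article gives a defender two concrete, checkable facts: the INF.SYS indicator file in the drivers folder, and a fixed 4,608-byte growth of every infected Portable Executable file. The following Python script is an added example (written for this page, not code from the article, Kaspersky Lab or Microsoft) that turns those facts into a simple integrity check: it records the size and SHA-256 of every PE file under a directory, then on a later pass flags files whose content changed and whose size grew by exactly 4,608 bytes, and it checks for the indicator file. The demo builds a constructed directory of minimal PE-shaped files rather than touching a real system; the registry key is not checked because the article does not name it.

```python
import hashlib
import os
import struct
import tempfile

# Growth of each infected file as stated in the article.
INFIS_GROWTH = 4608
# Indicator file named in the article, relative to the Windows directory.
INDICATOR_RELATIVE = os.path.join("System32", "Drivers", "INF.SYS")


def is_pe_file(path):
    """True if the file has an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def baseline(root):
    """Map every PE file under root (relative path) to (size, sha256)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if is_pe_file(p):
                with open(p, "rb") as f:
                    data = f.read()
                result[os.path.relpath(p, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def find_suspects(root, base):
    """Flag PE files whose content changed and whose size grew by exactly INFIS_GROWTH bytes."""
    suspects = []
    for rel, (size, digest) in baseline(root).items():
        if rel in base:
            old_size, old_digest = base[rel]
            if digest != old_digest and size - old_size == INFIS_GROWTH:
                suspects.append(rel)
    return sorted(suspects)


def indicator_present(windows_dir):
    """Check for the INF.SYS driver file the article names as an infection indicator."""
    return os.path.isfile(os.path.join(windows_dir, INDICATOR_RELATIVE))


def make_fake_pe(path, body_len=512):
    """Write a constructed, non-executable PE-shaped file: MZ stub plus PE signature."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    with open(path, "wb") as f:
        f.write(bytes(dos) + b"PE\x00\x00" + b"\x00" * body_len)


def demo():
    """Constructed scenario: baseline a directory, then simulate one file growing by 4,608 bytes."""
    with tempfile.TemporaryDirectory() as root:
        windows_dir = os.path.join(root, "WinNT")
        os.makedirs(os.path.join(windows_dir, "System32", "Drivers"))
        make_fake_pe(os.path.join(root, "calc.exe"))
        make_fake_pe(os.path.join(root, "mspaint.exe"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"not a PE file")  # non-PE files are ignored by the baseline
        base = baseline(root)
        before = indicator_present(windows_dir)
        # Simulated infection-like change: calc.exe grows by exactly 4,608 bytes.
        with open(os.path.join(root, "calc.exe"), "ab") as f:
            f.write(b"\x90" * INFIS_GROWTH)
        # Simulated legitimate change of a different size: must not be flagged.
        with open(os.path.join(root, "mspaint.exe"), "ab") as f:
            f.write(b"\x00" * 100)
        # Simulated indicator file appearing in the drivers folder.
        with open(os.path.join(windows_dir, INDICATOR_RELATIVE), "wb") as f:
            f.write(b"constructed placeholder, not the real driver")
        return {
            "baseline": sorted(base),
            "suspects": find_suspects(root, base),
            "indicator_before": before,
            "indicator_after": indicator_present(windows_dir),
        }


if __name__ == "__main__":
    print(demo())
```

The size-delta check is deliberately narrow: a file that changed for any other reason (a patch, a different-sized append) is not reported, so the output is a short list worth a closer look rather than a dump of every modified binary. On a real system the baseline would be taken from known-clean media and `baseline()` pointed at the Windows and Program Files trees.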

Infis does not carry a destructive payload. It does, however, contain errors that corrupt some files when infecting them. When a corrupted file is run, it produces a standard Windows NT application error message.

Unlike the destructive and crippling viruses that have plagued the industry in the past year -- most notably Melissa and Remote Explorer -- Infis does not spread itself via the Internet. -- Thomas Sullivan

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
