Russian Lab Uncovers NT System Driver Virus

A Moscow-based laboratory discovered yesterday a virus that infiltrates the highest security level in Windows NT systems.

Kaspersky Lab ( considers the WinNT.Infis virus the first virus that acts as a Windows NT system driver, which makes it very difficult to detect and remove the virus from computer memory.

Infis is a file memory resident virus operating under Windows NT 4.0 with Service Packs 2 through 6 installed. But it does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.

The main infection indicator is the inability to run some programs. For example, mspaint.exe, calc.exe, or cdplayer.exe. Another indicator of virus presence is the INF.SYS file in /WinNT/System32/Drivers folder.

When an infected file is run, the virus copies its body to the INF.SYS file in Windows NT drivers folder WinNT\System32\Drivers. Then it creates a key with three sections in Windows system registry.

As a result, the virus in INF.SYS file is activated every time the operating system boots, and the virus launches a subroutine for infecting Windows NT memory. When the virus completes its installation in the memory it takes control over Windows NT internal undocumented functions. The virus intercepts file opening, check file's names and their internal format and then calls the infection subroutine.

In order for Windows NT to start properly, the infected files need to be removed and the changes to Windows Registry must be corrected.

Infis virus infects only Portable Executable files except CMD.EXE (Windows NT command processor). When infecting it increases the file length with the length of its "pure code" -- 4,608 bytes. The virus avoids repeated file infection.

Infis does not carry any destructive payload. It contains errors, however, that corrupt some files when infecting them. When the corrupted file is run it invokes a standard Windows NT application error message.

Unlike the destructive and crippling viruses that have plagued the industry in the past year -- most notably Melissa and Remote Explorer -- Infis does not spread itself via the Internet. -- Thomas Sullivan

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.