Russian Lab Uncovers NT System Driver Virus

A Moscow-based laboratory discovered yesterday a virus that infiltrates the highest security level in Windows NT systems.

Kaspersky Lab ( considers the WinNT.Infis virus the first virus that acts as a Windows NT system driver, which makes it very difficult to detect and remove the virus from computer memory.

Infis is a file memory resident virus operating under Windows NT 4.0 with Service Packs 2 through 6 installed. But it does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.

The main infection indicator is the inability to run some programs. For example, mspaint.exe, calc.exe, or cdplayer.exe. Another indicator of virus presence is the INF.SYS file in /WinNT/System32/Drivers folder.

When an infected file is run, the virus copies its body to the INF.SYS file in Windows NT drivers folder WinNT\System32\Drivers. Then it creates a key with three sections in Windows system registry.

As a result, the virus in INF.SYS file is activated every time the operating system boots, and the virus launches a subroutine for infecting Windows NT memory. When the virus completes its installation in the memory it takes control over Windows NT internal undocumented functions. The virus intercepts file opening, check file's names and their internal format and then calls the infection subroutine.

In order for Windows NT to start properly, the infected files need to be removed and the changes to Windows Registry must be corrected.

Infis virus infects only Portable Executable files except CMD.EXE (Windows NT command processor). When infecting it increases the file length with the length of its "pure code" -- 4,608 bytes. The virus avoids repeated file infection.

Infis does not carry any destructive payload. It contains errors, however, that corrupt some files when infecting them. When the corrupted file is run it invokes a standard Windows NT application error message.

Unlike the destructive and crippling viruses that have plagued the industry in the past year -- most notably Melissa and Remote Explorer -- Infis does not spread itself via the Internet. -- Thomas Sullivan

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus