New NT-Specific Infis Virus

Learn about WinNT.Infis, a unique Windows NT-specific virus, and see just how much of a threat it is to your systems.

C. Thi Nguyen

October 10, 1999

Two antivirus companies recently announced the discovery of WinNT.Infis, a unique Windows NT-specific virus. According to a Central Command spokesperson, the virus “is the world's first computer virus, found ‘in-the-wild,’ that integrates into the highest security level of the Windows NT OS.” The virus infects NT 4.0 with Service Pack 2 (SP2) through SP6 (now in late beta). The virus doesn't affect systems running Windows 9x or Windows 2000 (Win2K). Central Command and Kaspersky Lab of Russia both discovered the virus after it infected a Russian company. Central Command, maker of AntiVirus Pro, has updated its product to protect against the Infis virus.

Keith Peer, Central Command president, said that WinNT.Infis is unique because it acts as a Windows driver. “It [the virus] goes memory resident,” said Peer. “The virus bypasses [NT’s] security. It doesn’t matter who logs in—an administrator or a user--it's the first virus to do this.”

Because the virus operates as a driver, NT automatically loads it before the OS engages any security precautions. More problematic, said Peer, is that the virus is difficult to clear because NT systems don’t have a boot disk. According to Peer, Central Command engineers had to disable the driver by reverse-engineering the virus.

The danger from the virus is quite low. Central Command is aware of only one incidence of infection (i.e., the infection at a Russian company mentioned previously). Although the virus has no destructive payload, it corrupts certain files and causes applications such as Microsoft Paint and the Calculator applet to crash. However, WinNT.Infis does point out a new security hole in NT 4.0 and a new technique that might lead to the construction of other, more destructive viruses.

“This virus doesn't demonstrate any security vulnerabilities in Windows NT,” said a Microsoft spokesperson. “It uses normal system functions, albeit for a malicious purpose. The newly identified virus doesn't have a destructive payload. What's new about the virus is the technique that the virus uses for hiding from virus scanners. This technique had been previously theorized, and antivirus vendors were already working to counter it even before this virus was discovered. Microsoft has been working closely with them in this effort.”

A spokesperson for Central Command added, “At least two antivirus vendors have developed scanners that can detect this virus, and others certainly will follow.” You can visit the Central Command site at http://www.avp.com.
