COMMAND

    virus

SYSTEMS AFFECTED

    Windows NT

PROBLEM

    Kaspersky Lab, a  world leader in  anti-virus software  technologies,
    announces the discovery of the first computer virus that runs at  the
    highest privilege level of the Windows NT operating system.  It is the
    first virus that acts as a Windows NT system driver (which is why  it
    appears in this bugware database), and that makes it very  difficult
    to detect and remove from memory.  The WinNT.Infis virus was found in
    the wild on October 7 by Kaspersky Lab's anti-virus experts.

    "Infis" is a memory-resident file infector operating under Windows NT
    4.0 with Service Pack 2, 3, 4, 5 or 6 installed.  It does not  affect
    systems running Windows 95/98, Windows 2000 or other versions of
    Windows NT.

    The main infection indicator is that some programs can no longer  be
    run, for example MSPAINT.EXE, CALC.EXE or CDPLAYER.EXE: because of
    bugs in its code the virus corrupts some files when infecting  them.
    Another  indicator  of  the  virus's  presence  is  the file INF.SYS in
    the WinNT\System32\Drivers folder.

    When an infected file is run, the virus copies its body to the  file
    INF.SYS in the Windows NT drivers folder WinNT\System32\Drivers.  It
    then creates a key with three values in the Windows system registry:

        \Registry\Machine\System\CurrentControlSet\Services\inf
          Type = 1          - SERVICE_KERNEL_DRIVER (standard NT driver)
          Start = 2         - SERVICE_AUTO_START (loaded at system start)
          ErrorControl = 1  - SERVICE_ERROR_NORMAL (log the error and
                              continue booting if the driver fails)

    No ImagePath value is needed: when it is absent, NT loads the driver
    from System32\Drivers\<keyname>.sys, which here resolves to INF.SYS.

    As a result the virus in INF.SYS is loaded every time the  operating
    system starts.  Once loaded, the driver runs a routine that installs
    the virus in Windows NT kernel memory, after which it hooks internal,
    undocumented Windows NT functions.  The virus intercepts file  opens,
    checks the file's name and internal format, and then calls its
    infection subroutine.

    "Infis" infects only PE (Portable Executable) EXE files, with the
    exception of CMD.EXE (the Windows NT command processor).  When
    infecting a file it increases the file length by the size of  its
    "pure code", 4608 bytes.  The virus avoids re-infecting a file:  it
    recognizes already infected files by their date and time stamp, which
    it sets to -1 (FFFFFFFFh) on infection.
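    A detection check for the two indicators described above (the auto-
    start kernel-driver entry under Services\inf, and the -1 date and
    time stamp used as the re-infection marker), as an added example
    that is not part of the original advisory or of AVP.  It assumes the
    stamp the advisory refers to is the TimeDateStamp field of the PE
    COFF file header; the sample PE headers are constructed inline for
    the demonstration and are not real binaries, and the registry entry
    is passed in as a plain mapping so the check runs offline.

```python
import struct

# Constants from the PE file format (winnt.h).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics, 20 bytes

# Values of the Services\inf entry the advisory describes (winnt.h names).
SERVICE_KERNEL_DRIVER = 1
SERVICE_AUTO_START = 2
SERVICE_ERROR_NORMAL = 1

# Assumption: the "-1 date and time stamp" in the advisory is the
# TimeDateStamp field of the COFF file header.
INFIS_STAMP_MARKER = 0xFFFFFFFF


def coff_header(data):
    """Return (TimeDateStamp, Characteristics) of a PE image, or None if
    the bytes are not a PE file.  Only the DOS header's e_lfanew pointer,
    the PE signature and the 20-byte COFF header are parsed."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # signature + COFF header must fit
        return None
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    (_machine, _nsections, stamp, _symtab, _nsyms,
     _optsize, characteristics) = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    return stamp, characteristics


def has_infis_marker(data):
    """True if the image is a PE EXE (not a DLL) whose TimeDateStamp is -1,
    the re-infection marker described in the advisory."""
    hdr = coff_header(data)
    if hdr is None:
        return False
    stamp, characteristics = hdr
    if not (characteristics & IMAGE_FILE_EXECUTABLE_IMAGE):
        return False
    if characteristics & IMAGE_FILE_DLL:   # Infis infects EXE files only
        return False
    return stamp == INFIS_STAMP_MARKER


def scan(files):
    """files: mapping of file name -> file bytes.  Returns the names flagged."""
    return sorted(name for name, data in files.items() if has_infis_marker(data))


def looks_like_infis_service(key_name, values):
    """Match the Services\\inf driver entry the advisory describes.
    values: mapping of registry value name -> DWORD."""
    return (key_name.lower() == "inf"
            and values.get("Type") == SERVICE_KERNEL_DRIVER
            and values.get("Start") == SERVICE_AUTO_START
            and values.get("ErrorControl") == SERVICE_ERROR_NORMAL)


def build_pe(stamp, characteristics=IMAGE_FILE_EXECUTABLE_IMAGE):
    """Constructed minimal PE header for testing (not a runnable binary):
    a 64-byte DOS header whose e_lfanew points at the PE signature,
    followed by a COFF header carrying the given stamp and flags."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, 1, stamp, 0, 0, 0, characteristics)
    return dos + IMAGE_NT_SIGNATURE + coff


if __name__ == "__main__":
    # Constructed samples: one carrying the marker, one with a normal stamp,
    # a DLL carrying the marker (ignored), and a non-PE file.
    samples = {
        "CALC.EXE": build_pe(INFIS_STAMP_MARKER),
        "MSPAINT.EXE": build_pe(0x37F0A1B2),
        "SOME.DLL": build_pe(INFIS_STAMP_MARKER, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
        "README.TXT": b"not a PE file",
    }
    print("flagged:", scan(samples))
    print("driver entry matches:",
          looks_like_infis_service("inf", {"Type": 1, "Start": 2, "ErrorControl": 1}))
```

    On a real system `scan` would be fed the bytes of each *.EXE under
    the system directory, and `looks_like_infis_service` the DWORDs read
    from the Services\inf key; a file whose header stamp is -1 is a
    strong hint but not proof, so a hit should be confirmed by the
    4608-byte size growth and the presence of INF.SYS before cleaning.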

    "Infis" does not carry a destructive payload.  However, it  contains
    bugs that corrupt some files when infecting them; when such a
    corrupted file is run, Windows NT displays its standard  application
    error message.

SOLUTION

    Detection and removal routines for the WinNT.Infis virus were  added
    in an emergency update of the AntiViral Toolkit Pro (AVP) anti-virus
    database, available from the vendor's web sites.  For complete
    information on WinNT.Infis see Kaspersky Lab's Virus Encyclopedia at

        http://www.viruslist.com