F-Secure Virus Descriptions : Infis
Infis is a memory-resident virus. It can replicate under Windows
NT 4.0 with Service Packs 2, 3, 4, 5 or 6 installed. It does not
work on systems running Windows 95/98, Windows 2000 or other
versions of Windows NT.
The virus usually arrives in an infected EXE file and, when that
file is run, installs itself on the system. The virus copies its
body to the file INF.SYS in the Windows NT drivers folder
WinNT\System32\Drivers. It then creates a key with three subkeys
in the Windows System Registry:
\Registry\Machine\System\CurrentControlSet\Services\inf
Type = 1 - standard Windows NT driver
Start = 2 - driver start mode
ErrorControl = 1 - continue system loading on error in driver
As a result, the virus in INF.SYS is activated every time the
operating system starts. When INF.SYS is activated, the virus first
loads itself into Windows NT memory. Once this is done, the virus
takes control of some internal, undocumented Windows NT functions.
It hooks the file-open routine: whenever a file is opened, it
checks the file name and the file's internal format, and calls its
infection routine if the opened file is a PE EXE.
The virus infects only PE (Portable Executable) EXE files, except
CMD.EXE (the Windows NT command processor). When infecting a file,
the virus increases the file length by the length of its "pure
code", 4608 bytes. The virus does not infect files twice: it
recognizes already-infected files by their "date and time" stamp,
which is changed to -1 (FFFFFFFFh) upon first infection.
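The two artifacts described above, the persistence entries (INF.SYS in the drivers folder and the Services\inf registry key) and the -1 timestamp used as an infection flag, are what a defender would check for. The following Python script is an added example for this description, not code from F-Secure or the AVP analysis. It assumes that the "date and time" stamp mentioned is the TimeDateStamp field of the PE file header (the page does not say which timestamp is meant), and it maps the \Registry\Machine\... path in the text to its HKLM form. The sample PE headers it builds are constructed for the demonstration only.

```python
import io
import os
import struct

# Infection marker from the description: the file's 32-bit "date and time"
# stamp is set to -1 (0xFFFFFFFF) on first infection. Assumption (not stated
# on the page): this is the TimeDateStamp field of the PE IMAGE_FILE_HEADER.
INFIS_MARKER = 0xFFFFFFFF

# Persistence artifacts named in the description (HKLM form of the
# \Registry\Machine\... path the text gives).
INFIS_DRIVER = os.path.join("System32", "Drivers", "INF.SYS")
INFIS_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\inf"


def pe_timestamp(fh):
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a seekable binary stream,
    or None if the stream does not start with a valid MZ/PE header."""
    head = fh.read(0x40)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    fh.seek(e_lfanew)
    nt = fh.read(24)  # "PE\0\0" signature + 20-byte IMAGE_FILE_HEADER
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", nt, 8)[0]


def pe_timestamp_of(data: bytes):
    """Convenience wrapper for in-memory file contents."""
    return pe_timestamp(io.BytesIO(data))


def has_infis_marker(data: bytes) -> bool:
    """True if the PE header carries the -1 timestamp Infis uses as its flag."""
    return pe_timestamp_of(data) == INFIS_MARKER


def scan_tree(root):
    """Yield paths of PE files under root whose header timestamp is 0xFFFFFFFF.
    A hit means 'marked like an Infis victim', not proof of infection: a
    legitimately built binary can carry that value too, so confirm with a
    full scanner before acting on a path."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if pe_timestamp(fh) == INFIS_MARKER:
                        yield path
            except OSError:
                continue


def persistence_artifacts(system_root):
    """Report the driver file and service key the description says Infis
    creates. The registry check only runs on Windows (winreg is absent
    elsewhere), so on other platforms only the file check is meaningful."""
    found = []
    driver = os.path.join(system_root, INFIS_DRIVER)
    if os.path.isfile(driver):
        found.append(driver)
    try:
        import winreg  # Windows only
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INFIS_SERVICE_KEY) as key:
            values = {}
            for name in ("Type", "Start", "ErrorControl"):
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
            found.append("HKLM\\" + INFIS_SERVICE_KEY + " " + repr(values))
    except (ImportError, OSError):
        pass
    return found


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ+PE header (not a runnable program) used only to
    exercise the checks above."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x14C (i386), NumberOfSections=1, TimeDateStamp, rest zeroed.
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", "")
    print("persistence artifacts:", persistence_artifacts(root))
    print("clean sample marked?", has_infis_marker(build_sample_pe(0x3B5E2F00)))
    print("marked sample marked?", has_infis_marker(build_sample_pe(INFIS_MARKER)))
```

Run it on an NT system with the system root as its argument to list the persistence artifacts, then feed a directory to scan_tree to find files carrying the marker. Because the virus excludes CMD.EXE and grows each victim by exactly 4608 bytes, comparing file sizes against a known-good baseline is a second, independent check that this script does not attempt.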
The Infis virus does not have any destructive payload. However,
it has bugs that can corrupt some files upon infection. When a
corrupted file is run, the standard Windows NT application error
message is shown.
[Analysis: Eugene Kaspersky, AVP Team]