


 
WinNT.Infis.460 Viruses Information

Name: WinNT.Infis.460
Category: Viruses
Description: Details
WinNT.Infis.4608

It is a memory-resident parasitic WinNT virus. It operates under WinNT only and is not able to infect files under Win9x systems. The virus does not manifest itself in any way and does not do any harm to the system. However, the virus has a bug in its infection routine and corrupts some files while infecting them; when run, the corrupted files cause the standard "is not a valid Windows NT application" error message.
The virus stays in WinNT memory as a system driver, hooks file opening and writes itself to the end of PE EXE files (Portable Executable Win32 files). The virus infects all PE files with the .EXE extension except CMD.EXE. To distinguish infected files from uninfected ones, the virus sets the file time and date stamp double word in the PE header to -1 (FFFFFFFFh). While infecting a file, the virus increases the size of the last file section, writes itself there and modifies the necessary fields in the file header. As a result, when infected PE files are executed, the virus code receives control and runs the installation routine.
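The FFFFFFFFh time stamp described above can be checked directly when triaging a disk image or file share. The Python code below is an added example, not part of the original description: it reads the TimeDateStamp field of the PE header and lists .EXE files carrying the marker. The function names and the constructed sample header are assumptions made for illustration.

```python
import struct

INFIS_MARKER = 0xFFFFFFFF  # TimeDateStamp value the description gives as the infection mark

def pe_timestamp(fh):
    """Return the COFF TimeDateStamp of a PE file object, or None if it is not a PE."""
    dos = fh.read(0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)  # offset of the PE header
    fh.seek(e_lfanew)
    hdr = fh.read(12)  # "PE\0\0", Machine (2), NumberOfSections (2), TimeDateStamp (4)
    if len(hdr) < 12 or hdr[:4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", hdr, 8)[0]

def make_sample_pe(stamp):
    """Constructed input: bare DOS header, PE signature and COFF header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def scan(paths):
    """Return the .EXE paths whose header carries the marker (candidates, not proof)."""
    hits = []
    for path in paths:
        if not path.lower().endswith(".exe"):
            continue  # the description says only .EXE files are infected
        try:
            with open(path, "rb") as fh:
                if pe_timestamp(fh) == INFIS_MARKER:
                    hits.append(path)
        except OSError:
            continue  # unreadable or locked file: skip
    return hits

if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1:]):
        print("marker FFFFFFFFh in PE header:", hit)
```

A hit marks a file for closer inspection; files the virus corrupted during infection may no longer parse as PE and will not be listed.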
The virus installation routine copies the virus to the system, registers it there and returns control to the host program. As a result, on first start the virus just installs its "dropper" to the system and does not infect the WinNT memory or other files. The memory and file infection routines will be activated later, when the "dropper" is run.
To install its "dropper", the virus extracts its "pure" code (4608 bytes) as a standalone PE EXE file with the INF.SYS name and writes it to the \SystemRoot\system32\drivers directory. Next, the virus adds "run-it" commands to the system registry. To do that, the virus creates a new Registry key with three sections:
\Registry\Machine\System\CurrentControlSet\Services\inf
Type = 1 - means it is a standard NT driver
Start = 2 - the mode of driver start
ErrorControl = 1 - continue system loading on error in driver

As a result, the virus dropper is loaded as a WinNT system driver on the next system restart.
When the INF.SYS virus dropper takes control, the virus allocates a block of WinNT memory, reads its complete copy from the INF.SYS file for further use in the infection routine and hooks a poorly documented WinNT internal system function handler. The virus hook intercepts the file opening function only, checks the file name and extension, then opens the file, checks the file format (PE) and runs the infection routine.





 


© 2006-2008 spyware32.com - Privacy Policy