Bugtraq mailing list archives
Finjan Alert: WinNT.Infis Trojan
From: wieneke () uni-duesseldorf de (by way of Tim Wieneke)
Date: Wed, 13 Oct 1999 21:44:42 +0200
Finjan Software, Inc. Malicious Code Exploit Alert

Finjan customers and partners,

There is a recent Trojan executable you should be aware of called WinNT.Infis. Through Finjan's proactive sandbox technology, executable files such as WinNT.Infis are monitored and blocked on the first attack. By watching for violations of security policies, Finjan's SurfinShield Corporate protects desktop and network computers from attacks by this Trojan executable, as well as new variants of this malicious program, without requiring users to download any software patch or anti-virus pattern update.

WinNT.Infis is yet another example of the Trojan executables that are appearing more frequently. Please take proper precautions to educate and protect your corporation and employees.

---------------------------------------------------------------
WinNT.Infis Trojan Executable
---------------------------------------------------------------

OVERVIEW

WinNT.Infis is an executable file with an .EXE extension that installs itself as a native Windows NT system driver. It is the first known malicious program to install and run in Kernel mode under Windows NT; that is, WinNT.Infis runs in the most privileged part of the Windows NT operating system. There had been speculation about the creation of a Windows NT driver attack, but most experts believed that such an attack was at least one or two years in the future. WinNT.Infis has turned theory into reality much sooner than expected. The WinNT.Infis Trojan is capable of infecting any executable file (program) on the fly from Kernel mode.

TECHNICAL DESCRIPTION

Infis is a 32-bit Windows executable file that infects other Windows executables. When the Trojan is executed, it creates the HKLM\SYSTEM\CurrentControlSet\Services\inf entry in the Windows NT registry and creates the system file INF.SYS in the \WINNT\SYSTEM32\DRIVERS directory. The INF.SYS file is a native Windows NT driver and is 4608 bytes.

When the system is rebooted, the dropped driver (INF.SYS) is loaded automatically through that service entry. From then on the Trojan replicates into executable files as they are accessed, on the fly. It infects Windows executable applications that have .EXE extensions. The Trojan does not infect CMD.EXE and is unable to infect read-only files.

Note, however, that the Trojan has to be executed by an Administrator-equivalent user to install itself: creating the service entry and writing INF.SYS into the drivers directory requires those rights. Without them the code is unable to replicate at all, because the replication engine lives entirely in the kernel-mode driver and there is no User mode replication component to fall back on.

HOW TO PROTECT YOURSELF

Finjan's SurfinShield Corporate (http://www.finjan.com/products_home.cfm) will protect users from ALL variants of this Trojan as well as new Trojan executables through its proactive run-time monitoring technology, which sandboxes executables saved on PCs and blocks any executable that violates a security policy. Updated pattern databases from anti-virus vendors will block this version of WinNT.Infis.exe.

ADDITIONAL INFORMATION

InfoWorld story (Oct. 8, 1999): http://www.infoworld.com/cgi-bin/displayStory.pl?99108.enntvirus.htm

----------------------------------------------------------------------
PRIVACY AND UNSUBSCRIBE NOTICE

Finjan Software respects your right to online privacy. If you do not wish to receive news or alert e-mails from us, simply reply to this e-mail at finjan () usmail finjan com and type "unsubscribe" in the subject field.
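The TECHNICAL DESCRIPTION above gives two host indicators: the Services\inf registry entry and a 4608-byte INF.SYS in the drivers directory that is linked as a native NT driver. The following script, an added example that is not part of the Finjan alert and not Finjan code, checks a host for both. It assumes that the driver is a PE image whose optional-header Subsystem field is IMAGE_SUBSYSTEM_NATIVE (the way NT kernel drivers are linked; a few ntdll-only user-mode tools share that value, so it is a heuristic, not proof). The registry lookup uses the standard winreg module and so only works on Windows; on other platforms it reports None. The sample PE built by build_sample_pe() is constructed for the demonstration and is not the real INF.SYS.

```python
"""Host check for the WinNT.Infis indicators described in the alert.

Added example, not Finjan code. Two indicators are checked:
  1. the service entry HKLM\\SYSTEM\\CurrentControlSet\\Services\\inf
  2. a file inf.sys in the drivers directory that is a 4608-byte PE image
     linked with the NATIVE subsystem (how NT kernel drivers are linked).
The registry lookup only works on Windows; elsewhere it reports None.
"""
import os
import struct

IMAGE_SUBSYSTEM_NATIVE = 1      # kernel drivers link as NATIVE (so do a few ntdll-only tools)
INFIS_DRIVER_SIZE = 4608        # size of INF.SYS reported in the alert
INFIS_SERVICE_NAME = "inf"      # Services\inf key created by the Trojan
INFIS_DRIVER_FILE = "inf.sys"

SUBSYSTEM_NAMES = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
                   9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION", 12: "EFI_RUNTIME_DRIVER"}


def pe_subsystem(data):
    """Return the Subsystem field of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24   # optional header follows the 4-byte signature and 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    if struct.unpack_from("<H", data, e_lfanew + 20)[0] < 70:   # SizeOfOptionalHeader
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        return None
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 68)[0]


def driver_indicators(data):
    """Classify a candidate inf.sys image against the alert's description."""
    sub = pe_subsystem(data)
    return {
        "is_pe": sub is not None,
        "subsystem": SUBSYSTEM_NAMES.get(sub, str(sub)) if sub is not None else None,
        "native_driver": sub == IMAGE_SUBSYSTEM_NATIVE,
        "size_matches_alert": len(data) == INFIS_DRIVER_SIZE,
    }


def winreg_service_exists(name):
    """True/False if the Services\\<name> key exists; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            "SYSTEM\\CurrentControlSet\\Services\\" + name):
            return True
    except OSError:
        return False


def check_host(drivers_dir, service_exists=winreg_service_exists):
    """Check the registry indicator and, if present, the driver file in drivers_dir."""
    result = {"service_key": service_exists(INFIS_SERVICE_NAME), "driver_file": None}
    path = os.path.join(drivers_dir, INFIS_DRIVER_FILE)
    if os.path.isfile(path):
        with open(path, "rb") as f:
            result["driver_file"] = driver_indicators(f.read())
    return result


def build_sample_pe(subsystem, total_size):
    """Constructed sample PE (headers only, not a real driver) to exercise the checks."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0"))
    hdr += struct.pack("<I", e_lfanew)                 # e_lfanew points at the PE signature
    hdr = hdr.ljust(e_lfanew, b"\0")
    hdr += b"PE\0\0"
    # COFF header: i386, one section, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)        # Subsystem field
    hdr += opt
    return bytes(hdr.ljust(total_size, b"\0"))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample, not a real infection
        with open(os.path.join(d, INFIS_DRIVER_FILE), "wb") as f:
            f.write(build_sample_pe(IMAGE_SUBSYSTEM_NATIVE, INFIS_DRIVER_SIZE))
        print("constructed sample:", check_host(d, service_exists=lambda n: True))
    root = os.environ.get("SystemRoot", r"C:\WINNT")
    print("this host:", check_host(os.path.join(root, "system32", "drivers")))
```

A hit on both indicators (service key present and a 4608-byte NATIVE-subsystem inf.sys) is the state the alert describes after the Trojan has run as an Administrator; a file of the right name but the wrong size or subsystem is worth a closer look rather than an automatic verdict, since the alert only describes this one variant.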