Finjan Alert: WinNT.Infis Trojan

[wieneke () uni-duesseldorf de (by way of Tim Wieneke)]

                       Finjan Software, Inc.
                    Malicious Code Exploit Alert

Finjan customers and partners,

There is a recent Trojan executable you should be aware of called
WinNT.Infis.

Through Finjan’s proactive “sandbox” technology, executable files such
as the WinNT.Infis are monitored and blocked on the first attack.  By
watching for violations of security policies, Finjan’s SurfinShield
Corporate protects desktop and network computers from attacks by this
Trojan executable, as well as new variants of this malicious program,
without requiring users to download any software patch or anti-virus
pattern update.

WinNT.Infis is yet another example of Trojan executables that are
appearing more frequently.  Please take proper precautions to educate
and protect your corporation and employees.

---------------------------------------------------------------
WinNT.Infis Trojan Executable
---------------------------------------------------------------

OVERVIEW

WinNT.Infis is an executable file with .EXE extension that installs
itself as a native Windows NT system driver.  It is the first known
malicious program to install and run in Kernel mode under Windows NT.
That is, WinNT.Infis runs in the most sensitive part of the Windows NT
operating system.  There has been speculation about the creation of a
Windows NT driver attack, but most experts believed that such an
attack was at least one or two years in the future.  WinNT.Infis has
made theory into reality much sooner than expected.

WinNT.Infis Trojan is capable of infecting any executable files
(program) on the fly from Kernel mode.

TECHNICAL DESCRIPTION

Infis is a 32-bit Windows executable file that infects other Windows
executables. When the Trojan is executed, it creates the
HKLM\SYSTEM\CurrentControlSet\Services\inf entry in the Windows NT
registry and creates the system file INF.SYS in the
\WINNT\SYSTEM32\DRIVERS directory.  The INF.SYS file is a native
Windows NT driver and is 4608 bytes.

When the system is rebooted the altered driver (INF.SYS) is loaded
automatically. This way the Trojan will be able to replicate to
accessed executable files on the fly.  The Trojan replicates to
Windows executable applications that have .EXE extensions.  The Trojan
does not infect the CMD.EXE and is unable to infect read-only files.

However, the Trojan has to be executed by an Administrator equivalent
user.  Without such a right the code is unable to replicate because,
despite running in the kernel, it does not have a User mode
replication component.

HOW TO PROTECT YOURSELF

Finjan’s SurfinShield Corporate
(http://www.finjan.com/products_home.cfm) will protect users from ALL
variants of this Trojan as well as new Trojan executables through its
proactive run-time monitoring technology that “sandboxes” executables
saved on PCs and blocks any executable that violates a security
policy.

Updated pattern databases from anti-virus vendors will block this
version of WinNT.Infis.exe.

ADDITIONAL INFORMATION

InfoWorld story (Oct. 8, 1999):
http://www.infoworld.com/cgi-bin/displayStory.pl?99108.enntvirus.htm

----------------------------------------------------------------------
PRIVACY AND UNSUBSCRIBE NOTICE

Finjan Software respects your right to online privacy.  If you do not
wish to receive news or alert e-mails from us, simply reply to this
e-mail at: finjan () usmail finjan com and type “unsubscribe” in the
“subject” field.