Type: Portable Executable Virus
W95/Infis.4608 is a memory-resident portable executable virus that replicates under Windows NT 4.0 with service pack 2 and higher. It does not affect systems running Windows 2000 or Windows 9x. This virus is the first to behave as an NT device driver (designed to be part of the OS), to hook file opens under NT, to stay memory resident, and to infect whenever a file is being opened. The virus code is buggy and may corrupt files on infection; such corruption is indicated by the display of a Windows NT application error message. The virus does not have a destructive payload.
W95/Infis.4608 infects portable executable files, with the exception of CMD.EXE. When an infected file is executed, the virus copies itself to the system, creating a file named INF.SYS in the \WINNT\SYSTEM32\DRIVERS subdirectory. In addition, the virus modifies the Windows Registry so that on reboot the virus will become memory-resident.
Command AntiVirus 4.57 and higher will detect and disinfect W95/Infis.4608 with deffiles dated 10/12/99. Command AntiVirus 4.54, 4.54 SP1 and 4.54 SP2 will detect infected .EXE files with deffiles dated 10/12/99; however, the file C:\WINNT\SYSTEM32\DRIVERS\INF.SYS will not be detected.