The virus, named "Infis," was found in the "wild," or outside the laboratory setting, by Kaspersky Lab, a Moscow-based antivirus software firm.
The virus, however, is considered more of a technical feat than a threat to NT users worldwide, having neither a destructive payload nor the ability to spread like wildfire over the Internet. Its strength lies in being able to do what has never been done before: working its way into controlling the "system level," or core operations, of Windows NT.
"It does appear to be a sophisticated new way of writing computer viruses, but I wouldn't call this an active threat right now" because the virus has been hard to find, said TrendMicro antivirus researcher Dan Schrader. TrendMicro has been scouring the Internet and hasn't yet found Infis. "It hasn't shown up outside wherever they discovered it," Schrader said.
"It probably is a bit tricky to remove," said Roger Thompson, technical director of malicious code research at ICSA, a trade group for computer security software makers. "[Infis] is able to work on the device driver, which is why Kaspersky Lab has become so excited about it."
Infis is a memory-resident file virus attacking Windows NT 4.0 with Service Pack 2, 3, 4, 5 or 6 installed. It does not affect Windows 95/98, Windows 2000, or other versions of the Windows NT corporate system. The virus infects only PE (Portable Executable) EXE files, except CMD.EXE (the Windows NT command processor).
The lab said that when the virus completes its installation in the memory it takes control over Windows NT internal undocumented functions. The virus intercepts file opening, checks the file names and their internal format, and then calls the infection subroutine.
Although Infis does not carry any destructive payload, it contains errors that corrupt some files when infecting them, according to the lab. When a corrupted file is run, it triggers a standard Windows NT application error message.
Device driver viruses have been created before that target Windows 95 and 98 machines, which have weaker security than Windows NT, Schrader said, but this apparently is the first to show up on Windows NT.
Device driver viruses often target antivirus software, which operates at the same deep level within the system, Schrader said. The best way to deal with them is to catch them as they arrive on a system instead of after they're installed. "Once your system is infected and the virus is running, it's harder to deal with," Schrader said.
"These days the things that get me really worried are those that use the Internet to spread themselves, like Melissa," Thompson said, voicing similar concerns over Chernobyl-class viruses.
"This one is from neither one of those categories," he said. "The fact that [Infis] spreads like a normal virus, it will be slow getting anywhere, by which time all the antivirus software makers will be revved up to handle it."
Computer security experts caution against panic over potential viruses, which are often extremely rare.
Antivirus software companies profit from virus scares. When the Melissa virus swept across the Internet earlier this year, antivirus software sales jumped 67 percent in one week.