Finjan Software, Inc. Malicious Code Exploit Alert

Finjan customers and partners,

There is a recent Trojan executable you should be aware of called WinNT.Infis. Through Finjan's proactive "sandbox" technology, executable files such as WinNT.Infis are monitored and blocked on the first attack. By watching for violations of security policies, Finjan's SurfinShield Corporate protects desktop and network computers from this Trojan executable and from new variants of it, without requiring users to download a software patch or an anti-virus pattern update. WinNT.Infis is yet another example of the Trojan executables that are appearing more and more frequently. Please take proper precautions to educate and protect your corporation and employees.

---------------------------------------------------------------
WinNT.Infis Trojan Executable
---------------------------------------------------------------

OVERVIEW

WinNT.Infis is an executable file with an .EXE extension that installs itself as a native Windows NT system driver. It is the first known malicious program to install and run in kernel mode under Windows NT, that is, in the most privileged part of the Windows NT operating system. There had been speculation about a Windows NT driver-based attack, but most experts believed that such an attack was at least one or two years away. WinNT.Infis has turned theory into reality much sooner than expected. Once installed, it is capable of infecting any executable file (program) on the fly from kernel mode.

TECHNICAL DESCRIPTION

Infis is a 32-bit Windows executable file that infects other Windows executables. When the Trojan is executed, it creates the registry entry HKLM\SYSTEM\CurrentControlSet\Services\inf and writes the system file INF.SYS to the \WINNT\SYSTEM32\DRIVERS directory. The INF.SYS file is a native Windows NT driver and is 4608 bytes in size. Together, the Services entry and the driver file are the installation artifacts to look for on a suspect machine.
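The following triage script is an added example and is not Finjan's code or part of the original alert. It checks a Windows host for the two installation artifacts named above (the Services\inf registry key and the INF.SYS driver file), compares the file size against the 4608 bytes quoted in the alert, and asks the Service Control Manager whether a driver named "inf" is registered. It assumes a modern PowerShell (Get-FileHash and Get-CimInstance, PowerShell 4 or later) and an elevated prompt; on a 1999-era NT 4.0 host the same checks would be done by hand with REGEDT32 and DIR.

```powershell
# Added example (not part of the Finjan alert): look for the WinNT.Infis
# installation artifacts named in the advisory. Assumes PowerShell 4+ and
# an elevated prompt; $env:SystemRoot resolves to \WINNT on NT 4.0.
$serviceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\inf'
$driverPath   = Join-Path $env:SystemRoot 'System32\drivers\inf.sys'
$expectedSize = 4608   # size of INF.SYS quoted in the alert

$findings = @()

# 1. The service entry the Trojan creates so that its driver loads at boot.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    $findings += "Service key present: $serviceKey (ImagePath='$($svc.ImagePath)', Start=$($svc.Start))"
}

# 2. The driver file itself. A size other than 4608 bytes does not clear the
#    host; it may simply be a variant, so the hash is recorded for the AV vendor.
if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    $sizeNote = if ($file.Length -eq $expectedSize) { 'matches the alert' }
                else { "differs from the $expectedSize bytes in the alert; possible variant" }
    $hash = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
    $findings += "Driver file present: $driverPath ($($file.Length) bytes, $sizeNote), SHA256=$hash"
}

# 3. Whether the Service Control Manager knows a driver named 'inf' at all,
#    which catches the case where the key was renamed but the service survives.
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='inf'" -ErrorAction SilentlyContinue
if ($loaded) {
    $findings += "Driver 'inf' registered with the SCM (State=$($loaded.State), PathName='$($loaded.PathName)')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No WinNT.Infis indicators found.'
} else {
    Write-Warning 'WinNT.Infis indicators found; isolate the host and verify with an updated AV engine before cleaning.'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reports; it deliberately does not delete the key or the file, because once the driver has been loaded the infected .EXE files on the machine still have to be found and repaired by a scanner that knows this infector.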
When the system is rebooted, the newly installed driver (INF.SYS) is loaded automatically. From kernel mode the Trojan can then replicate into executable files on the fly as they are accessed. It replicates to Windows executable applications with .EXE extensions; it does not infect CMD.EXE and is unable to infect read-only files. Installing the driver requires Administrator-equivalent privileges, so the Trojan must be executed by such a user. Run without those rights, it cannot install its driver and therefore cannot replicate: all of its replication code lives in the kernel-mode driver, and it has no user-mode replication component to fall back on.

HOW TO PROTECT YOURSELF

Finjan's SurfinShield Corporate (http://www.finjan.com/products_home.cfm) protects users from ALL variants of this Trojan, as well as from new Trojan executables, through its proactive run-time monitoring technology, which "sandboxes" executables saved on PCs and blocks any executable that violates a security policy. Updated pattern databases from anti-virus vendors will block this version of WinNT.Infis.exe. Because the driver cannot be installed without Administrator-equivalent rights, running day-to-day work under a non-administrative account prevents this version of the Trojan from installing at all.

ADDITIONAL INFORMATION

InfoWorld story (Oct. 8, 1999): http://www.infoworld.com/cgi-bin/displayStory.pl?99108.enntvirus.htm

----------------------------------------------------------------------
PRIVACY AND UNSUBSCRIBE NOTICE

Finjan Software respects your right to online privacy. If you do not wish to receive news or alert e-mails from us, simply reply to this e-mail at finjan@usmail.finjan.com and type "unsubscribe" in the "subject" field.