Security Strategy

First NT system driver virus found in the wild

By Sally Watson

Published: 11 October 1999 14:11 GMT

Russian anti-virus company Kaspersky Lab has discovered what it claims is the world's first known virus to act as a Windows NT system driver.

The virus - known as Infis - infects the highest security level of the Windows NT Operating System (OS) and was found 'in the wild' - i.e. outside a laboratory environment.

According to Nimrod Vered, head of product management at virus specialists Finjan, Infis works by introducing itself to the OS as a driver "which is a very fundamental OS layer. There are not many people worldwide who can write in-depth drivers. They are embedded very deep in NT." Once inside the OS, the virus destroys programs like Calculator, MS Paint and CD Player.

"I'm surprised to see this type of virus," Vered added. "It's appeared a year earlier than any virus company expected."

According to Phil Ryan of security firm Peapod, the virus presents little immediate threat because it doesn't self-replicate. "Given that the infection will spread relatively slowly and that there is no destructive payload, then this virus is not a big threat to industry," he said.

"But the important point is that it is a new type of virus and, as often happens, it may be succeeded by others using the same technique but with more harmful payloads," Ryan added.

Vered agreed that Infis is currently of more interest technically than as a threat to corporate networks, but warned: "It won't take long to copy the method of the driver and make it more damaging. If hackers mutate it and add a more sophisticated distribution method, we will be facing more serious danger."
