The WNT.Infis.4608 virus is the first virus that has a Kernel mode driver component and infects 32bit PE files. The virus code is optimized, and the code is extremely short.
The virus is capable of infecting any file on the fly in Kernel mode.

It is important to note the virus first needs to be executed while logged in with Administrator or equivalent privileges because it needs to install its kernel mode component. If the virus is not initially executed under such privileges, the virus will be unable to install itself or infect other files because it does not contain a User mode replication component. The virus will create a registry entry
named
HKLM\SYSTEM\CurrentControlSet\Services\inf
and also creates a file named INF.SYS in the
\WINNT\SYSTEM32\DRIVERS directory.
The INF.SYS file is a native Windows NT kernel mode driver, and its size is 4608 bytes.
Once the system is rebooted, the virus driver (INF.SYS) will be loaded into memory automatically.
The virus hooks a Kernel mode file open API by using a non standard method and infects the 32-bit Portable Executable applications with an EXE filename that are accessed "on the fly". The virus will not infect CMD.EXE, and is also unable to infect a file which has a read-only attribute. Also the virus will fail to infect some applications properly, and as a result some of the application will fail to be executed properly. This makes the virus easily
noticeable on a system.
The WNT.Infis.4608 only works under Windows NT 4.0 SP2 and above. The virus will not replicate under Windows NT 3.5x or Windows 2000.
The virus driver can be disabled manually by going to the Device Manager in the Control Panel. Once the driver is disabled, the infected/corrupted files should be detected and replaced from clean
backups.