Remote Explorer Virus Alert
First posted: December 22, 1998
Problem
The sophisticated "Remote Explorer" virus can take advantage of remote management tools in Windows NT Servers and NT Workstations to propagate itself through networks autonomously. Infection takes place in EXE files, which the virus compresses, making them unusable. Data files, including TXT and HTML files, are destroyed by encrypting them.
Remote Explorer was discovered at a Network Associates (NAI) customer site on December 17, 1998. At least one large site, MCI/WorldCom, has been "obliterated". See articles at CNNFN, MSNBC and ZDNet.
Platform
Windows NT Server or Workstation -- infects and propagates
Windows 95/98 -- infects files but does not propagate
Other operating systems -- can host infected files
Detection
1. Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected.
2. Through the Start Menu, run TASKMGR.EXE. On the Processes tab, if IE403R.SYS or TASKMGR.SYS (the .SYS file, not the legitimate TASKMGR.EXE) is listed as a process, the system is infected.
3. The virus is a large (~124KB) file infector that resides in memory. Detection must take place after the system has been powered down and booted from a clean system disk.
Damage
The virus compresses EXE files and encrypts random data files, including TXT and HTML, rendering them useless. At this writing (December 22, 1998), there is no way to remove the virus or to undo the compression of executables or the encryption of data files.
The virus can also infect files on other Windows machines (Windows 95/98), but it does not propagate further from them.
Remote Explorer installs itself on a server by making a copy of itself, called IE403R.SYS, in the NT Driver directory. It then installs itself as a service called "Remote Explorer." A DLL is installed that is used in the encryption and compression process. The DLL will be recopied if it is deleted.
Propagation to other servers occurs when the virus logs in through domain administration controls. It then sends copies of itself to other servers and to the workstations that access those servers. Only NT resources are used; the virus does not spread through Unix or NetWare networks. Through the use of a timer mechanism, the virus is most active between 3:00 PM Saturday and 6:00 AM Sunday each week.
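As an added triage helper (not part of the original alert), the following script applies the indicators from the Detection section and the activity window above to a service list and a process list copied from a suspect host. The listings below are constructed samples, not captures from a real machine.

```python
"""Triage helper for the Remote Explorer indicators in this alert.

Assumed inputs: a list of service display names (as shown in the Services
applet) and a list of process image names or paths (as shown in Task
Manager) from a suspect NT host. The samples below are constructed.
"""
from datetime import datetime

# Indicators taken from the alert text.
SUSPECT_SERVICE = "remote explorer"
SUSPECT_PROCESSES = {"ie403r.sys", "taskmgr.sys"}


def find_indicators(services, processes):
    """Return the matched indicators. Matching is case-insensitive and keys
    on the file name only, so a full driver path still matches. Only the
    .SYS names count: TASKMGR.EXE is the real Task Manager and is not flagged."""
    hits = []
    for name in services:
        if name.strip().lower() == SUSPECT_SERVICE:
            hits.append(f"service: {name.strip()}")
    for image in processes:
        base = image.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SUSPECT_PROCESSES:
            hits.append(f"process: {image.strip()}")
    return hits


def in_activity_window(when):
    """True if `when` (local time) falls in the period the alert names as
    peak activity: 3:00 PM Saturday up to 6:00 AM Sunday. Useful when
    correlating file-modification times or logon events on other hosts."""
    wd = when.weekday()  # Monday == 0 ... Saturday == 5, Sunday == 6
    if wd == 5:
        return when.hour >= 15
    if wd == 6:
        return when.hour < 6
    return False


# Constructed sample listings (hypothetical host, not a real capture).
SAMPLE_SERVICES = ["Alerter", "Remote Explorer", "Server", "Workstation"]
SAMPLE_PROCESSES = [
    "System", "C:\\WINNT\\system32\\TASKMGR.EXE",
    "C:\\WINNT\\system32\\drivers\\IE403R.SYS", "EXPLORER.EXE",
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_SERVICES, SAMPLE_PROCESSES):
        print("INFECTION INDICATOR ->", hit)
    # December 19, 1998 was a Saturday.
    print("in activity window:", in_activity_window(datetime(1998, 12, 19, 16, 0)))
```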
Solution
To protect against the "Remote Explorer" infection, isolate NT Workstations and Servers from the network until they can be protected by anti-virus software that can detect and prevent infection.
Cleaning up an infected System:
1. Shut down the infected NT Server or NT Workstation.
2. Isolate the machine from the network by disconnecting its network cable.
3. Determine which other NT Servers and Workstations this system has primary contact with, especially those in a trust relationship with it. Isolate those potentially affected machines from the network.
4. As an added precaution, disconnect infected network segments from the campus network.
5. Scan all computer systems after booting from a clean system disk. The virus is memory resident, so it is imperative that the system be booted from a clean system disk to prevent the virus from going resident in memory again and possibly evading detection. Systems other than Windows NT (e.g., Windows 9x, Unix, NetWare, and Macintosh) can carry infected files even though the virus only propagates from Windows NT systems, so their files should be scanned as well.
6. After the scan and cleaning or removal of all infected files, bring the system up normally. Keep the system off the network and separate from other machines.
7. Install an anti-virus product that can detect and clean the virus.
8. Activate the virus scanner's "on-access" feature to prevent re-infection.
9. Reconnect the system to the network.
10. Check for virus definition updates weekly and deploy updated definitions to all systems. Update to the latest anti-virus engine as new versions are released.
For More Information
Remote Explorer is the first virus that requires no user intervention to transport itself between servers. It is distinguished from a worm such as the Morris Internet Worm in that it infects files rather than running strictly as a stand-alone process.
Since the NAI site says it was detected on the 17th, other security organizations may not have seen it yet.
The Remote Explorer virus has been discussed in the newsgroup news:alt.comp.virus.
Network Associates (NAI) Remote Explorer Alert:
http://www.nai.com/products/antiviru...e_explorer.asp
Microsoft Security:
http://www.microsoft.com/security/bulletins/current.asp
CERT (Carnegie Mellon Software Engineering Institute):
http://www.cert.org/
CIAC (Computer Incident Advisory Capability):
http://ciac.llnl.gov/
Computer Security Center:
http://www.csc.se/
Henri Delger's Virus Help and Information:
http://pages.prodigy.com/virushelp/
Ken Dunham's anti-virus page:
http://antivirus.miningco.com/
Edinburgh University's PC virus page:
http://mft.ucs.ed.ac.uk/pcvirus/pcvirus.htm
HAVS (Joe Hartmann's Anti-Virus Site):
http://www.psnw.com/~joe/
David Harley's page (Macintosh viruses):
http://webworlds.co.uk/dharley/
David Hull -- Computer Viruses and Security:
http://www.einet.net/galaxy/Engineer...ull/galaxy.htm
ICSA (International Computer Security Association):
http://www.icsa.net/
Indianapolis University Computer Virus Research Centre:
http://www.indyweb.net/~cvhd/
Mike Lambert's virus information site:
http://www.frontiernet.net/~mlambert/
Mac Virus:
http://www.macvirus.com/
Mailander's Den:
http://www.agora.stm.it/htbin/wwx?fi^N.Ferri
Doug Muth's (anti)virus homepage:
http://www.ezweb.net/dmuth/virus/index.html
NH (Norman Hirsch and Associates):
http://www.nha.com/
NIST/CSL:
http://csrc.ncsl.nist.gov/virus/
Open University anti-virus page:
http://www-tec.open.ac.uk/casg/avone.html
Oxford University Computing Services AV page:
http://info.ox.ac.uk/OUCS/micros/virus/
Penn State Anti-Virus page:
http://cac.psu.edu/~santoro/cac/virus.html
Rob Rosenberger's 'Computer Virus Myths' page:
http://www.kumite.com/myths/
Sandrin anti-virus connection:
http://members.home.net/sandrin/
Slovak Antivirus Centre:
http://ftp.elf.stuba.sk/packages/pub/pc/
Thomas Jefferson University's Virus Information page:
http://www.tju.edu/tju/dis/ic/virus/
Virus Bulletin:
http://www.virusbtn.com/
The VHC (Virus Help Centre) in Sweden (English language):
http://www.vhc.se/index2.html
The Virus Research Unit at the University of Tampere, Finland:
http://www.uta.fi/laitokset/virus
The VTC (Virus Test Center) at the University of Hamburg, Germany:
http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
West Coast Publishing (Secure Computing magazine and Checkmark certification):
http://www.westcoast.com/
Mark West's anti-virus site:
http://www.hitchhikers.net/av.shtml
Eddy Willems' anti-virus site:
http://www.club.innet.be/~ewillems/
Last updated August 11th, 2000
Copyright © The University of Texas, 2001.