Remote Explorer Virus
How to detect it
How To Detect The Remote Explorer Virus
by Dave Murphy
ISSN 1535-3613
This is a follow-up to our article, MCI WorldCom Attacked By New Virus, which described a new type of computer virus, dubbed Remote Explorer. It is unusual for ITINFO to publish two articles on the same topic back-to-back; however, the effects of the Remote Explorer virus are so severe that ITINFO's publishing guidelines are being set aside.
Dave Murphy, the founder of ITrain and the author of ITINFO, recommends that all Windows NT users, and especially system administrators, carefully read this newsletter and follow the guidelines as indicated.
The Remote Explorer virus is potentially more destructive than any previously reported virus, can be transported by any operating system in current use, and can affect all Windows NT systems.
Excerpted from the Network Associates, Inc. (NAI) website this afternoon, here are the latest details of the Remote Explorer virus.
The new virus is named Remote Explorer. Here are the basic facts to date:
- Discovered at customer site on December 17, 1998.
- Primarily targets Microsoft Windows NT Servers and Workstation systems.
- The virus is memory resident and encrypts EXE, TXT, and HTML files.
- Spreads through a LAN/WAN environment.
Indications you are hosting the virus:
- Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected.
- Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected.
Virus Characteristics
- The most outstanding characteristic is that it can move/transport itself and replicate without the typical user intervention (being passed on a floppy or via email).
- It is the first infection program that spreads on NT Servers and/or NT Workstations. It does so by compressing the target executable.
- The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS. It also installs itself as a service with the name "Remote Explorer". It also carries a DLL that supports it in the infecting and encryption process.
- Preliminary analysis tells us that Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects files and compresses them in addition to encrypting data on a random basis.
- Windows NT is the primary method for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus cannot spread further on these platforms.
- It can infect any EXE and, when doing so, uses a compression routine (GZIP, a UNIX-based program) to make the file unusable.
- It uses an encryption algorithm on data files, including TXT and HTML formats. It appears to choose a directory randomly, infects the files that meet the criteria it has set, and encrypts the others that it cannot infect.
- It is a 125-kilobyte file infector comprising approximately 50,000 lines of code. This is an extremely large and complex virus.
- It is written in "C"; an initial estimate is that it took one person 200 or more man-hours to write, and that the person(s) used others to gain the knowledge and obtain additional precompiled code.
- It goes memory resident, so the infected system must be powered down and scanned from a "clean state" with an NAI command-line scanner. Detection is available; no removal is available at this time.
- It carries a DLL with it to support it in the infection process. If the DLL is deleted it will make another copy.
- The virus has a time routine, which is designed to speed up the search and infection process during the period of 3:00 PM on any Saturday to 6:00 AM the following Sunday.
- The virus has no payload.
- The virus also has some interaction with the Dr. Watson program. The importance of this interaction is still under investigation.
- At this time, there is no cleaning tool to remove the encryption from the data files or to decompress the infected files. NAI expects to have a program (sometime late 12/21/98) that will remove it from memory without a reboot, remove the virus as a service, and clean and repair the encrypted data files and infected executables.
Previous ITINFO article (MCI WorldCom Attacked By New Virus): http://itrain.org/itinfo/1998/it981221.html
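As an added example (not from the original ITINFO article and not NAI's scanner), a small Python triage helper that applies the indicators given above: the "Remote Explorer" service name, the IE403R.SYS and TASKMGR.SYS process names (TASKMGR.EXE is the legitimate Task Manager), and the IE403R.SYS copy in the NT driver directory. It assumes the service, process and driver-directory listings are handed to it as plain lists of names, exported from the Services applet, Task Manager or another inventory tool; the sample listings in the block are constructed.

```python
"""Triage helper for the Remote Explorer indicators in this article.

Added example, not part of the original article or NAI's tooling. The
inventories are assumed to be plain lists of names; samples are constructed.
"""
import ntpath

# Indicators taken from the article text.
SUSPECT_SERVICE = "remote explorer"
SUSPECT_PROCESSES = {"ie403r.sys", "taskmgr.sys"}   # .SYS names, not TASKMGR.EXE
SUSPECT_DRIVER_FILE = "ie403r.sys"                  # copy placed in the NT driver directory


def check_services(services):
    """True if a service named "Remote Explorer" is present (case-insensitive)."""
    return any(s.strip().lower() == SUSPECT_SERVICE for s in services)


def check_processes(processes):
    """Return the listed process names that match the article's indicators.

    TASKMGR.EXE is the real Task Manager and is deliberately not matched;
    only the .SYS variant named in the article counts.
    """
    return sorted({p for p in processes if ntpath.basename(p).lower() in SUSPECT_PROCESSES})


def check_driver_dir(filenames):
    """True if IE403R.SYS appears in the supplied driver-directory listing."""
    return any(ntpath.basename(f).lower() == SUSPECT_DRIVER_FILE for f in filenames)


def triage(services, processes, driver_files):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    if check_services(services):
        findings.append('service "Remote Explorer" is installed')
    for name in check_processes(processes):
        findings.append(f"process {name} is running")
    if check_driver_dir(driver_files):
        findings.append("IE403R.SYS is present in the driver directory")
    return findings


# Constructed sample inventories, not captured from a real system.
SAMPLE_SERVICES = ["Alerter", "EventLog", "Remote Explorer", "Spooler"]
SAMPLE_PROCESSES = ["System", "csrss.exe", "TASKMGR.EXE", "taskmgr.sys", "explorer.exe"]
SAMPLE_DRIVER_DIR = [r"C:\WINNT\System32\drivers\ntfs.sys",
                     r"C:\WINNT\System32\drivers\IE403R.SYS"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SERVICES, SAMPLE_PROCESSES, SAMPLE_DRIVER_DIR):
        print("INFECTED:", finding)
```

A clean system yields an empty findings list; any non-empty result means the article's guidance applies (power down and scan from a clean state).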
Network Associates, Inc. website: www.nai.com
ITrain's website: itrain.org
Damar Group, Ltd. helps business use technology.
ITINFO is again accepting sponsors. Sponsor messages are included in ITINFO's email newsletter and are permanently posted to DGL's website and online reference areas.
ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.
Previous issues are on our website at http://dgl.com/dglinfo/.
updated December 22, 1998
http://dgl.com/dglinfo/1998/dg981222.html
Copyright © 1998, Damar Group, Ltd., All Rights Reserved