
Remote Explorer Discovered on December 17, 1998

Question

Remote Explorer Discovered on December 17, 1998

Answer

This question was answered on June 16, 1999. Much of the information contained herein may have changed since posting.

Remote Explorer primarily targets Microsoft Windows NT Server and Workstation systems. The virus is memory resident, compresses EXE files, encrypts TXT and HTML files, and spreads across a LAN/WAN environment.

Indications that you are hosting the virus: open the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, the system is infected.

Through the Start Menu, run TASKMGR.EXE. On the Processes tab, if IE403R.SYS or TASKMGR.SYS (note the .SYS extension, not the legitimate TASKMGR.EXE) is listed as a process, the system is infected.
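The two checks above can be applied to a host inventory rather than by eye. The following is an added example, not code from the original answer: it matches lists of running services, running processes and files in the NT drivers directory (assumed here to be %SystemRoot%\system32\drivers) against the indicators the answer names. The inventories in the script are constructed sample data; on a real NT host they would come from the Services applet or `net start`, from Task Manager, and from a directory listing.

```python
"""Triage check for the Remote Explorer indicators listed in the answer.

Added example, not part of the original Data Doctors answer. The host
inventories below are constructed, not captured from a real machine.
"""
from dataclasses import dataclass, field

# Indicators named in the answer above. Matching is case-insensitive because
# NT service display names, image names and file names are.
SERVICE_NAME = "remote explorer"
PROCESS_NAMES = {"ie403r.sys", "taskmgr.sys"}   # .SYS, not the legitimate TASKMGR.EXE
DRIVER_FILE = "ie403r.sys"                       # copy the virus drops in the drivers directory


@dataclass
class Findings:
    service: bool = False
    processes: list = field(default_factory=list)
    driver_file: bool = False

    @property
    def infected(self) -> bool:
        return self.service or bool(self.processes) or self.driver_file


def check_host(services, processes, driver_files) -> Findings:
    """Return which of the three indicators match the given inventories."""
    f = Findings()
    f.service = any(s.strip().lower() == SERVICE_NAME for s in services)
    # Exact image-name match: TASKMGR.EXE is the real Task Manager and must not trigger.
    f.processes = sorted({p.strip().lower() for p in processes} & PROCESS_NAMES)
    f.driver_file = any(d.strip().lower() == DRIVER_FILE for d in driver_files)
    return f


# Constructed sample inventories (assumed, not taken from a real host).
CLEAN_HOST = dict(
    services=["Alerter", "EventLog", "Server", "Workstation"],
    processes=["System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "TASKMGR.EXE"],
    driver_files=["ntfs.sys", "atapi.sys", "tcpip.sys"],
)
INFECTED_HOST = dict(
    services=["Alerter", "EventLog", "Remote Explorer", "Server"],
    processes=["System", "smss.exe", "services.exe", "IE403R.SYS", "TASKMGR.EXE"],
    driver_files=["ntfs.sys", "IE403R.SYS", "tcpip.sys"],
)

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        f = check_host(**host)
        print(f"{name}: infected={f.infected} service={f.service} "
              f"processes={f.processes} driver_file={f.driver_file}")
```

The process check deliberately compares the full image name, so a host running the normal TASKMGR.EXE is not flagged; only the .SYS names the answer lists count.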

Virus Characteristics

Remote Explorer - the most dangerous behavior of this particular virus is that it spreads by itself, without the usual user-driven vectors such as floppy disk, e-mail or user-initiated network file transfers.

To our knowledge, this is the first self-spreading infection program to propagate on NT Servers and NT Workstations.

It infects executables by compressing them. The virus installs itself on a system by copying itself into the NT drivers directory under the name IE403R.SYS and registering itself as a service named "Remote Explorer". It also carries a DLL that supports it in the infection and encryption process.

Preliminary analysis tells us that Remote Explorer spreads by stealing the security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects executables by compressing them and, on a random basis, encrypts data files.

Windows NT is the platform on which the virus continues to spread. Other Windows operating systems (Windows 3.x, 95, 98) can host infected files, but the virus cannot spread further on those platforms.

It can infect any EXE, and when doing so uses a compression routine (based on gzip, the UNIX compression utility) that renders the file unusable. It uses an encryption algorithm on data files, including TXT and HTML formats.

It appears to choose a directory at random, infects the files in it that meet its criteria, and encrypts others that it cannot infect. The virus is a file infector about 125K in size, comprising approximately 50,000 lines of code.

This is an extremely large and complex virus. It is written in "C", and an initial estimate is that it took one person 200 or more hours to write, and that the author(s) drew on others' knowledge and obtained additional precompiled code.

Because this is a memory-resident program, the infected system must be powered down and scanned from a "clean state", booted from a verified uninfected boot disk, in order to clean it. The virus carries a DLL to support the infection process; if the DLL is deleted, the virus creates another copy.

The virus has a time routine designed to speed up its search and infection process during the period from 3:00 PM on any Saturday to 6:00 AM the following Sunday.
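When triaging a file server, the Saturday-to-Sunday window above is a useful filter: a cluster of modification times inside it is consistent with the virus's accelerated weekend activity. The following is an added example, not code from the original answer; it flags timestamps that fall in the window and lists matching files in time order. The window crosses midnight, so it is evaluated as two half-intervals (Saturday from 15:00, Sunday before 06:00). The file list and timestamps are constructed, not taken from a real incident.

```python
"""Flag file timestamps inside Remote Explorer's accelerated window
(Saturday 15:00 through Sunday 06:00, as described in the answer).

Added example, not part of the original Data Doctors answer.
"""
from datetime import datetime, time


def in_peak_window(ts: datetime) -> bool:
    """True if ts is between Saturday 15:00 (inclusive) and Sunday 06:00 (exclusive).

    weekday(): Monday=0 ... Saturday=5, Sunday=6. The window spans midnight,
    so it is checked as two half-intervals rather than one start/end pair.
    """
    t = ts.time()
    if ts.weekday() == 5:          # Saturday: from 15:00 onwards
        return t >= time(15, 0)
    if ts.weekday() == 6:          # Sunday: until 06:00
        return t < time(6, 0)
    return False


def files_in_window(entries):
    """entries: iterable of (path, mtime) pairs.

    Returns the paths whose mtime falls in the window, oldest first.
    """
    hits = [(mtime, path) for path, mtime in entries if in_peak_window(mtime)]
    return [path for _, path in sorted(hits)]


# Constructed sample listing (assumed). 19 December 1998 was a Saturday.
SAMPLE = [
    ("C:\\DATA\\report.txt", datetime(1998, 12, 18, 16, 30)),  # Friday afternoon: normal work
    ("C:\\DATA\\index.html", datetime(1998, 12, 19, 14, 59)),  # Saturday, one minute before the window
    ("C:\\APPS\\setup.exe",  datetime(1998, 12, 19, 15, 0)),   # window start (inclusive)
    ("C:\\DATA\\notes.txt",  datetime(1998, 12, 19, 23, 45)),  # Saturday night, across midnight
    ("C:\\APPS\\tool.exe",   datetime(1998, 12, 20, 5, 59)),   # Sunday, last minute of the window
    ("C:\\DATA\\readme.txt", datetime(1998, 12, 20, 6, 0)),    # window end (exclusive)
]

if __name__ == "__main__":
    for path in files_in_window(SAMPLE):
        print("in window:", path)
```

Timestamps in the window are a prioritisation aid only; the service and process indicators described earlier in the answer remain the confirmation that a host is infected.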

If you have a current anti-virus program, check with the vendor for an update that recognizes the "REMOTE EXPLORER" strain. If your vendor has no knowledge of this strain, you can purchase a product that detects it from NAI (McAfee Associates) at www.nai.com/products/antivirus/remote_explorer.asp

If you find an NT system that is infected, do the following to prevent the further spread of the program:

Shut down the infected system.

Quarantine or remove the machine from the network (Remove its network cable).

Determine which other systems this system has had primary contact with.

Quarantine these systems from the network.

If you are connected to a Wide Area Network, disconnect that network segment from the WAN until you have checked and cleaned all systems.

Author

Posted by Ken of Data Doctors on June 16, 1999
