Remote Explorer Discovered on December 17, 1998
This question was answered on June 16, 1999. Much of the information contained herein may have changed since posting.
Primarily targets Microsoft Windows NT Servers and Workstation systems The virus is memory resident, encrypts EXE, TXT, and HTML files Spreads through a LAN/WAN environment Indications you are hosting the virus: Open up the Services applet in the NT Control Panel
If you find "Remote Explorer" listed as a service, this system is infected.
Through the Start Menu, run TASKMGR.EXE
When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected.
Virus Characteristics
Remote Explorer - the most dangerous behavior of this particular virus is that it can spread by itself without typical user interface methods such as, via floppy disk, email or during network file transactions
To our knowledge, this is the first infection program that spreads on either NT Servers, and/or NT Workstations
It does so by compressing the target executable The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS It also installs itself as a service with the name "Remote Explorer" It also carries a DLL that supports it in the infecting and encryption process
Preliminary analysis tells us that Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems Once there it infects files and compresses them in addition to encrypting data on a random basis
Windows NT is the primary method for the continued spread of this virus Other Windows operating systems (Windows 3.x,95,98) can host infected files, but the virus can not spread further on these platforms
It can infect any EXE and when doing so uses a compression routine (a.k.a GZIP, a UNIX based program) to make the file unusable It uses an encryption algorithm on data files including TXT and HTML formats
It appears to choose a directory randomly, and infects files that meets the criteria it has set, and encrypts others that it can't infect It is a 125K file infector, comprised of approximately 50,000 lines of code
This is an extremely large and complex virus Written in "C", an initial estimates is that it took one-person 200 or more man-hours to write and that person(s) used others to gain the knowledge and obtain additional precompiled code
This is a Memory Resident program, thus the infected system must be powered down, and scanned from a "clean state" from a verified uninfected boot disk in order to clean the system It carries a DLL with it to support it in the infection process If the DLL is deleted it will make another copy
The virus has a time routine, which is designed to speed up the search and infection process during the period of 3:00 PM on any Saturday to 6:00 AM the following Sunday
If you have a current anti-virus program, check with the vendor for an update that recognizes the "REMOTE EXPLORER" strain If your vendor has no knowledge of this strain, you can purchase one from NAI a.k.a McAfee Associates at www.nai.com/products/antivirus/remote_explorer.asp
If you find an NT system that is infected, do the following to prevent the further spread of the program:
Shut down the infected system
Quarantine or remove the machine from the network (Remove its network cable)
Determine which other systems this system has primary contact
Quarantine these systems from the network
If you are connected to a Wide Area Network, disconnect that network segment from the WAN until you have checked and cleaned all systems
About the author
Posted by Ken Colburn of Data Doctors on June 16, 1999
Need Help with this Issue?
We help people with technology! It's what we do.
Contact or Schedule an Appointment with a location for help!