Remote Explorer Discovered on December 17, 1998

Question

Remote Explorer Discovered on December 17, 1998

Answer

This question was answered on June 16, 1999. Much of the information contained herein may have changed since posting.

Primarily targets Microsoft Windows NT Server and Workstation systems

The virus is memory resident and encrypts EXE, TXT, and HTML files

Spreads through a LAN/WAN environment

Indications you are hosting the virus: open the Services applet in the NT Control Panel

If you find "Remote Explorer" listed as a service, this system is infected.

Through the Start Menu, run TASKMGR.EXE

When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) is listed as a process, the system is infected.

Virus Characteristics

Remote Explorer - the most dangerous behavior of this particular virus is that it can spread by itself, without the typical user-driven methods such as floppy disk, email, or network file transactions.

To our knowledge, this is the first infection program that spreads on NT Servers and NT Workstations.

It does so by compressing the target executable. The virus installs itself on a system by creating a copy of itself in the NT Driver directory under the name IE403R.SYS. It also installs itself as a service named "Remote Explorer", and it carries a DLL that supports it in the infection and encryption process.

Preliminary analysis tells us that Remote Explorer spreads by stealing the security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there, it infects files and compresses them, and in addition encrypts data on a random basis.

Windows NT is the primary vehicle for the continued spread of this virus. Other Windows operating systems (Windows 3.x, 95, 98) can host infected files, but the virus cannot spread further on these platforms.

It can infect any EXE; when doing so, it uses a compression routine (a.k.a. GZIP, a UNIX-based program) to make the file unusable. It uses an encryption algorithm on data files, including TXT and HTML formats.

It appears to choose a directory randomly, infects the files that meet the criteria it has set, and encrypts others that it cannot infect. It is a 125K file infector, comprising approximately 50,000 lines of code.

This is an extremely large and complex virus. Written in "C", initial estimates are that it took one person 200 or more man-hours to write, and that the author(s) used others to gain the knowledge and to obtain additional precompiled code.

This is a memory-resident program, so the infected system must be powered down and scanned from a "clean state" using a verified uninfected boot disk in order to clean the system. It carries a DLL with it to support the infection process; if the DLL is deleted, it will make another copy.

The virus has a time routine designed to speed up the search and infection process during the period from 3:00 PM on any Saturday to 6:00 AM the following Sunday.
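The two host indicators given above (a service named "Remote Explorer"; a process image named IE403R.SYS or TASKMGR.SYS rather than the legitimate TASKMGR.EXE) and the Saturday-to-Sunday acceleration window lend themselves to a small triage routine. The following Python is an added example and is not part of the original Data Doctors answer or of any vendor tool; the service and process inventories are constructed sample data, and the function names are this example's own. It shows the detail a checker has to get right: match on the full image name including extension so TASKMGR.EXE is not flagged, and treat the window as spanning a day boundary rather than as a single-day range.

```python
"""Added example: triage a host against the Remote Explorer indicators
listed in the answer. All inventories are constructed sample data."""
from datetime import datetime

# Indicators as stated in the answer, normalised to lower case for matching.
INDICATOR_SERVICE = "remote explorer"
INDICATOR_PROCESSES = {"ie403r.sys", "taskmgr.sys"}


def service_indicators(services):
    """Return the service names that match the 'Remote Explorer' indicator.
    Matching is case-insensitive and ignores surrounding whitespace."""
    return [s for s in services if s.strip().lower() == INDICATOR_SERVICE]


def process_indicators(processes):
    """Return the process image names that match IE403R.SYS or TASKMGR.SYS.
    The whole file name, extension included, is compared, so the legitimate
    TASKMGR.EXE is never reported."""
    return [p for p in processes if p.strip().lower() in INDICATOR_PROCESSES]


def in_acceleration_window(ts):
    """True if ts (local time) falls between Saturday 15:00 and Sunday 06:00,
    the period in which the answer says the virus speeds up its search.
    datetime.weekday(): Monday=0 ... Saturday=5, Sunday=6."""
    wd = ts.weekday()
    if wd == 5:          # Saturday: from 15:00 onwards
        return ts.hour >= 15
    if wd == 6:          # Sunday: until 06:00 (exclusive)
        return ts.hour < 6
    return False


def triage_host(hostname, services, processes, now):
    """Combine the indicator checks into one result record for a host."""
    hits = service_indicators(services) + process_indicators(processes)
    return {
        "host": hostname,
        "infected": bool(hits),
        "indicators": hits,
        "in_acceleration_window": in_acceleration_window(now),
    }


# Constructed sample inventories (not captured from a real system).
CLEAN_SERVICES = ["Alerter", "Event Log", "Server", "Workstation"]
CLEAN_PROCESSES = ["csrss.exe", "TASKMGR.EXE", "winlogon.exe"]
SUSPECT_SERVICES = CLEAN_SERVICES + ["Remote Explorer"]
SUSPECT_PROCESSES = CLEAN_PROCESSES + ["IE403R.SYS"]

if __name__ == "__main__":
    # 19 December 1998 was a Saturday; 16:30 lies inside the window.
    when = datetime(1998, 12, 19, 16, 30)
    for host, svcs, procs in [("nt-clean", CLEAN_SERVICES, CLEAN_PROCESSES),
                              ("nt-suspect", SUSPECT_SERVICES, SUSPECT_PROCESSES)]:
        print(triage_host(host, svcs, procs, when))
```

The window check is the part most easily got wrong: a naive "weekday is Saturday or Sunday" test would also flag Sunday afternoon, which the answer does not include.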

If you have a current anti-virus program, check with the vendor for an update that recognizes the "REMOTE EXPLORER" strain. If your vendor has no knowledge of this strain, you can purchase one from NAI (a.k.a. McAfee Associates) at www.nai.com/products/antivirus/remote_explorer.asp

If you find an NT system that is infected, do the following to prevent the further spread of the program:

Shut down the infected system

Quarantine or remove the machine from the network (Remove its network cable)

Determine which other systems this system has primary contact with

Quarantine these systems from the network

If you are connected to a Wide Area Network, disconnect that network segment from the WAN until you have checked and cleaned all systems


Author

Posted by Ken of Data Doctors on June 16, 1999