Virus Name: Remote Explorer
This page last updated 12/30/98
- Discovered at a customer site on December 17, 1998.
- Primarily targets Microsoft Windows NT Server and Workstation systems.
- The virus is memory resident; it compresses EXE files and encrypts TXT and HTML files.
- Spreads through a LAN/WAN environment.
Indications you are hosting the virus:
- Open the Services applet in the NT Control Panel. If "Remote Explorer" is listed as a service, the system is infected.
- From the Start Menu, run TASKMGR.EXE. On the Processes tab, if IE403R.SYS or TASKMGR.SYS (note the .SYS extension, not .EXE) is listed as a process, the system is infected.
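The two indicators above, together with the IE403R.SYS driver file and the Saturday-afternoon to Sunday-morning timing described under Virus Characteristics below, can be checked with a short script. The following is an added example, not an NAI/AVERT tool and not code from this page: it parses the text output of an `sc query`-style service listing and a process listing, looks for IE403R.SYS in the driver directory, and reports whether a given time falls in the window in which the page says the virus accelerates its search. The listing formats, the `%SystemRoot%\System32\drivers` path for the "NT Driver directory", and all sample output are assumptions constructed for the example.

```python
"""Indicator check for the "Remote Explorer" NT virus, built from the
indications listed on this page.  Added example, not an NAI/AVERT tool.

All sample input below is constructed.  The `sc query` / process-listing
text formats and the driver directory path are assumptions, not from the page.
"""
import os
import re
from datetime import datetime

SERVICE_NAME = "Remote Explorer"               # service the virus registers
PROCESS_NAMES = {"ie403r.sys", "taskmgr.sys"}  # .SYS images; TASKMGR.EXE is legitimate
DRIVER_FILE = "IE403R.SYS"                     # copy dropped in the NT driver directory
# Assumption: the page's "NT Driver directory" is %SystemRoot%\System32\drivers.
DRIVER_DIR = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"),
                          "System32", "drivers")

# Assumed `sc query` line shapes: "SERVICE_NAME: x" and "DISPLAY_NAME: x".
_SC_NAME = re.compile(r"^\s*(?:SERVICE_NAME|DISPLAY_NAME):\s*(.+?)\s*$", re.M)


def services_from_sc_query(text):
    """Set of service and display names found in `sc query`-style output."""
    return set(_SC_NAME.findall(text))


def suspicious_processes(listing):
    """Image names in a process listing that match the virus's process names.

    Compares the base name case-insensitively, so a bare IE403R.SYS and a
    full path to it both hit, while the real TASKMGR.EXE does not.
    """
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts:
            continue
        base = parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in PROCESS_NAMES:
            hits.append(parts[0])
    return hits


def driver_present(driver_dir=DRIVER_DIR):
    """True if IE403R.SYS exists in the driver directory (case-insensitive)."""
    try:
        return any(n.lower() == DRIVER_FILE.lower() for n in os.listdir(driver_dir))
    except OSError:          # directory missing or unreadable: treat as absent
        return False


def in_accelerated_window(when):
    """True during the period the page says the virus speeds up its search:
    3:00 PM on a Saturday through 6:00 AM the following Sunday.
    Accepts a datetime or an ISO 8601 string such as "1998-12-19T15:00"."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.weekday() == 5:      # Saturday
        return when.hour >= 15
    if when.weekday() == 6:      # Sunday
        return when.hour < 6
    return False


def assess(sc_output, process_listing, driver_dir=DRIVER_DIR):
    """List the page's indicators that are present; any hit means infected."""
    findings = []
    names = {n.lower() for n in services_from_sc_query(sc_output)}
    if SERVICE_NAME.lower() in names:
        findings.append('service "%s" registered' % SERVICE_NAME)
    for image in suspicious_processes(process_listing):
        findings.append("process %s running" % image)
    if driver_present(driver_dir):
        findings.append("%s present in %s" % (DRIVER_FILE, driver_dir))
    return findings


# Constructed sample output for an infected host; the Print Spooler service
# and the genuine TASKMGR.EXE are included to show they do not trigger.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Remote Explorer
DISPLAY_NAME: Remote Explorer
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
"""

SAMPLE_PROCESSES = """\
Image Name                   PID Mem Usage
========================= ====== =========
System Idle Process            0      16 K
TASKMGR.EXE                  212   1,204 K
IE403R.SYS                   231   3,512 K
TASKMGR.SYS                  248   2,900 K
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_SC_QUERY, SAMPLE_PROCESSES):
        print("INFECTED:", finding)
    print("in accelerated-search window now:", in_accelerated_window(datetime.now()))
```

Any finding returned by `assess()` means the host is infected by the page's own criteria; the list is returned rather than printed so it can feed a report across many machines. On NT 4 the service and process names come from the Services applet and Task Manager exactly as the page describes; the text formats parsed here are assumed, and the driver-file check quietly reports nothing on a host where the assumed directory does not exist.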
Virus Characteristics
Remote Explorer's most notable characteristic is that it can move itself between systems and replicate without the user intervention that other viruses rely on (being passed on floppy or via e-mail).
- It is the first infecting program that spreads on its own across NT Servers and NT Workstations. It infects by compressing the target executable.
- The virus installs itself on a system by creating a copy of itself, named IE403R.SYS, in the NT driver directory, and registers itself as a service named "Remote Explorer". It also carries a DLL that supports it in the infection and encryption process.
- Preliminary analysis indicates that Remote Explorer spreads by stealing the security privileges of the domain administrator, which allow it to propagate to other Windows systems. Once there it infects files by compressing them, and encrypts data files on a random basis.
- Windows NT is the primary platform for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus cannot spread further on those platforms.
- It can infect any EXE; when doing so it uses a compression routine (GZIP, originally a UNIX program) that leaves the file unusable.
- It applies an encryption algorithm to data files, including TXT and HTML formats. It appears to choose a directory at random, infect the files that meet its criteria, and encrypt the others that it cannot infect.
- It is a 125-kilobyte file infector, comprising approximately 50,000 lines of code. This is an extremely large and complex virus.
- It is written in C. An initial estimate is that it took one person 200 or more hours to write, and that the author(s) drew on others for knowledge and for additional precompiled code.
- It goes memory resident. Because the RESCAN.EXE utility (see below) removes it from memory, an infected system can be cleaned without powering down.
- It carries a DLL with it to support the infection process. If the DLL is deleted, the virus writes another copy.
- The virus has a time routine designed to speed up the search and infection process between 3:00 PM on any Saturday and 6:00 AM the following Sunday.
- The virus has no payload.
- The virus also has some interaction with the Dr. Watson program. The significance of this interaction is still under investigation.
- RESCAN.EXE can remove the encryption from data files and decompress infected executables. It removes the virus from memory without a reboot, removes the "Remote Explorer" service, and cleans and repairs both the encrypted data files and the infected executables. Obtain RESCAN.ZIP from http://beta.nai.com/public/stand_alone. It is a command line utility with optional parameters. Detection is also available in the latest HRLYDATS.ZIP and in the 3201 QA-approved .DAT set for VirusScan v3.x; removal is only available via RESCAN.EXE.
Products available to users for protection against the "Remote Explorer" infection
Virus signature updates are available for the version 4.x, version 3.x and version 7.x engines. These signature updates provide DETECTION but do not clean or remove Remote Explorer; they allow you to quarantine infected EXE and data files.
The first 4.x engine products for VirusScan and NetShield NT have also just been released. Links to these products are included below for reference. If you have already installed these products there is no reason to re-install. If you have not, and are marshalling your network administrators to protect against this threat, we encourage you to move to this version.
UPDATES
For VirusScan 3.xx users:
For VirusScan 4.xx users:
- DATs: ftp://licensed@ftp.nai.com/licensed/antivirus/datfiles/ Copy or run the update program in the directory where Scan.DAT, Clean.DAT, and Names.DAT exist. This will probably be a McAfee subdirectory.
- Extra.DAT and Extra.DRV: these are on the http://www.nai.com/products/antivirus/remote_explorer.asp page, where an Extra.Zip is available.
- If you are using VirusScan 4.X, extract the Extra.DAT from this Zip file to the directory where the existing Scan.DAT, Names.DAT, and Clean.DAT exist.
- If you are using Dr Solomon AVTK 7.XX, extract the Extra.DRV from this Zip to the subdirectory where Find.DRV, Names.DRV, and Repair.DRV exist.
Please note that this process will overwrite any Extra.DAT/DRV already in the subdirectory. If you are using an Extra.DAT/DRV to detect and clean a virus that is still not in the full set of DATs (you can be certain this is not the case by updating to the 4006 DAT set), call technical support for assistance in merging them.
If you are using the
Recommended steps for fighting infection
NT Server/Workstation systems:
- Run RESCAN.EXE. It removes the virus from memory without a reboot, removes the "Remote Explorer" service, decompresses infected executables, and removes the encryption from data files, as described under Virus Characteristics above. Obtain RESCAN.ZIP from http://beta.nai.com/public/stand_alone; it is a command line utility with optional parameters.
- RESCAN.EXE will run on both FAT and NTFS.
The following instructions have been superseded by the use of RESCAN.EXE; they are included for those unable to retrieve the RESCAN.EXE utility.
- Shut down the infected system.
- Quarantine or remove the machine from the network (remove its network cable).
- Determine which other systems this system has primary contact with. Quarantine these systems from the network.
- To reduce the possible spread of the virus, disconnect that network segment from the WAN.
- NT systems using FAT as their boot partition: since the virus is memory resident, it is imperative that the system boot clean from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.
- NT systems using NTFS as their boot partition: those with NTFS as their primary boot partition are asked to isolate the system or keep it powered down until a solution native to the NT operating system is found. If you must have this system up and running, reformat the drives and restore from backups.
- After the on-demand scan completes, delete or move suspected files out of the operating system environment. Replace infected files from known clean backups or reinstall operating system files.
- Reboot the system to Windows.
- Install NetShield NT (NNTI402L.zip) or VirusScan NT (VNTI402L.zip). Copy the contents of DAT.ZIP to the directory where the product is installed. 3.x and 7.x users should update the virus signature files for their version.
- Be certain the on-access scanner is installed and working (refer to WHATSNEW.TXT to verify detection of the EICAR sample). Also set up alerting and reporting where applicable.
- Reconnect the system to the network.
- For version 4.x engines, update your DATs with the weekly DAT set from NAI, and deploy to all machines on a weekly basis. Update all engine releases to 4.x where possible.
Windows 95/98 Desktop Infections
Once it is determined that the virus has infected a Windows desktop, these steps are appropriate:
- Shut down the infected system.
- Remove the machine from the network segment it is on.
- Determine the systems this system has primary contact with. Disconnect these systems appropriately.
- Since the virus is memory resident, it is imperative that the system boot clean from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.
- After the on-demand scan completes, delete or move suspected files out of the operating system environment. Replace infected files from known clean backups or reinstall operating system files.
- Reboot the system to Windows.
- Install VirusScan 98 (v98i402l.zip). Copy the contents of DAT.ZIP to the directory where the product is installed. 3.x and 7.x users should update the virus signature files for their version.
- Be certain the on-access scanner is installed and working (refer to WHATSNEW.TXT to verify detection of the EICAR sample). Also set up alerting and reporting where applicable.
- Reconnect the system to the network.
- For version 4.x engines, update your DATs with the weekly DAT set from NAI, and deploy to all machines on a weekly basis. Update all engine releases to 4.x where possible.
- McAfee Labs AVERT