Virus Name: Remote Explorer
- Discovered at customer site on December 17, 1998.
- Primarily targets Microsoft Windows NT Servers and Workstation systems.
- The virus is memory resident, encrypts EXE, TXT, and HTML files.
- Spreads through a LAN/WAN environment.
Indications you are hosting the virus:
- Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected.
- Through the Start Menu, run TASKMGR.EXE. On the Processes tab, if IE403R.SYS or TASKMGR.SYS (note the .SYS extension, not .EXE) is listed as a process, the system is infected.
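The two manual checks above, plus a look for the IE403R.SYS driver copy described later in this advisory, as an added PowerShell check that is not part of the NAI advisory. It assumes a PowerShell-capable Windows host and that the NT driver directory is %SystemRoot%\System32\drivers; the indicator names are taken from the advisory as written.

```powershell
# Added example: scans one host for the Remote Explorer indicators named in the advisory.
# Not NAI code. Assumes PowerShell is available and the driver directory is System32\drivers.
$indicators = @{
    ServiceName  = 'Remote Explorer'
    ProcessNames = @('IE403R.SYS', 'TASKMGR.SYS')   # .SYS images, not the legitimate TASKMGR.EXE
    DriverFile   = Join-Path $env:SystemRoot 'System32\drivers\IE403R.SYS'
}
$findings = @()

# 1. Service check (equivalent to looking for "Remote Explorer" in the Services applet).
#    The applet shows display names, so both the short name and display name are compared.
foreach ($svc in Get-Service) {
    if ($svc.Name -ieq $indicators.ServiceName -or $svc.DisplayName -ieq $indicators.ServiceName) {
        $findings += "Service present: $($svc.Name) [$($svc.Status)]"
    }
}

# 2. Process check (equivalent to the Task Manager Processes tab).
#    The full image file name is used so that the extension is compared; matching on the
#    bare name would wrongly flag the real TASKMGR.EXE.
foreach ($proc in Get-Process) {
    $image = $null
    try { if ($proc.Path) { $image = [System.IO.Path]::GetFileName($proc.Path) } } catch { }
    if (-not $image) { $image = $proc.ProcessName }   # .NET keeps non-.exe extensions here
    foreach ($name in $indicators.ProcessNames) {
        if ($image -ieq $name) { $findings += "Process present: $image (PID $($proc.Id))" }
    }
}

# 3. File check: the copy the virus drops into the NT driver directory.
if (Test-Path -LiteralPath $indicators.DriverFile) {
    $findings += "File present: $($indicators.DriverFile)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Remote Explorer indicators found on this host.'
} else {
    Write-Output 'Remote Explorer indicators found; isolate this host from the network:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result from this check is not proof of a clean system, since the virus is memory resident; the advisory's recommended steps still call for scanning from a known clean boot diskette.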
Virus Characteristics
Remote Explorer – its most notable characteristic is that it can move/transport itself and replicate without the user intervention that typically spreads a virus (passing a floppy, sending email).
- It is the first infection program that spreads on NT Servers and NT Workstations. It does so by compressing the target executable.
- The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS. It also installs itself as a service with the name "Remote Explorer". It also carries a DLL that supports it in the infecting and encryption process.
- Preliminary analysis tells us that Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects files and compresses them in addition to encrypting data on a random basis.
- Windows NT is the primary method for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus can not spread further on these platforms.
- It can infect any EXE and, when doing so, uses a compression routine (GZIP, a UNIX-based program) to make the file unusable.
- It uses an encryption algorithm on data files, including TXT and HTML formats. It appears to choose a directory at random, infects the files that meet the criteria it has set, and encrypts the others that it can't infect.
- It is a 125-kilobyte file infector, comprised of approximately 50,000 lines of code. This is an extremely large and complex virus.
- Written in "C". An initial estimate is that it took one person 200 or more hours to write, and that the author(s) used others to gain the knowledge and obtain additional precompiled code.
- It goes memory resident. Thus the infected system must be powered down and scanned from a "clean state" with a NAI command line scanner. Detection is available; no removal is currently available.
- It carries a DLL with it to support it in the infection process. If the DLL is deleted it will make another copy.
- The virus has a time routine, which is designed to speed up the search and infection process during the period of 3:00 PM on any Saturday to 6:00 AM the following Sunday.
- The virus has no payload.
- The virus also has some interaction with the Dr. Watson program. Importance of this interaction is still under investigation.
- At this time, there is no cleaning tool to remove the encryption from the data files or decompress the infected files. NAI expects to have a program (sometime late 12/21/98) that will remove it from memory without a reboot, remove the virus as a service, clean and repair the encrypted data files, and infected executables.
Products available to users for protection against the "Remote Explorer" infection
Virus signature updates are available for version 4.x, version 3.x and version 7.x engines. These signature updates provide DETECTION but do not clean/remove Remote Explorer. This will allow you to quarantine infected EXE and data files.
NAI is developing a stand-alone cleaner, which is expected to be available on 12/21/98.
The first 4.x engine products for VirusScan and NetShield NT have also just been released. Links are included to these products for reference. If you have already installed these products there is no reason to re-install. If you have not and are marshalling your network administrators to protect against this threat, we encourage you to move to this version.
For VirusScan 3.xx users:
- Hourly DATs for VirusScan 3 (link to http://beta.nai.com/public/datafiles/)
For VirusScan 4.xx users:
- 4005 DATs (link to ftp://licensed@ftp.nai.com/licensed/antivirus/datfiles/)
For Dr Solomon AVTK 7.xx users:
- Extra.DRV (link to http://beta.nai.com/public/stand_alone/)
Recommended steps for fighting infection
NT Server/Workstation systems:
- Shut down the infected system.
- Quarantine or remove the machine from the network (Remove its network cable).
- Determine which other systems this system has had primary contact with. Quarantine these systems from the network.
- To reduce the possible spread of the virus, disconnect that network segment from the WAN.
- NT systems using FAT as their boot partition
- Since the virus is memory resident, it is imperative that the system boot clean from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.
- NT systems using NTFS as their boot partition
- Those with NTFS as their primary boot partition are asked to isolate the system or keep the system powered down until a solution native to the NT operating system is found. If you must have this system up and running, reformat the drives and restore from backups.
- After the on-demand scan completes, delete or move suspected files from the operating system environment. Replace infected files from known clean backups or reinstall operating system files.
- Reboot the system to Windows.
- Install NetShield NT (NNTI402L.zip) or VirusScan NT (VNTI402L.zip). Copy the contents of DAT.ZIP to the directory where the product is installed. In the case of 3.x or 7.x users, update the virus signature files for your version.
- Be certain the on-access scanner is installed and working (reference the WHATSNEW.TXT to verify detection of EICAR sample). Also set up alerting and reporting where applicable.
- Reconnect the system to the network.
- For version 4.x engines, update your DATs with the Weekly DAT set from NAI, and deploy to all machines on a weekly basis. Update all engine releases to 4.x where possible.
Windows 95/98 Desktop Infections
Once it is determined that the virus has infected a Windows desktop, these steps are appropriate:
- Shut down the infected system.
- Remove the machine from the network segment it is on.
- Determine the systems this system has primary contact with. Disconnect these systems appropriately.
- Since the virus is memory resident, it is imperative that the system boot clean from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.
- After the on-demand scan completes, delete or move suspected files from the operating system environment. Replace infected files from known clean backups or reinstall operating system files.
- Reboot the system to Windows.
- Download the DAT.ZIP file and copy its contents to the directory where the product is installed.
- Install VirusScan 98 (v98i402l.zip). Copy the contents of DAT.ZIP to the directory where the product is installed. In the case of 3.x or 7.x users, update the virus signature files for your version.
- Be certain the on-access scanner is installed and working (reference the WHATSNEW.TXT to verify detection of EICAR sample). Also set up alerting and reporting where applicable.
- Reconnect the system to the network.
- For version 4.x engines, update your DATs with the Weekly DAT set from NAI, and deploy to all machines on a weekly basis. Update all engine releases to 4.x where possible.