REFERENCE

Network Associates
DataFellows
SYMANTEC
CIAC

OVERVIEW

MyCERT has received a report regarding a new virus, Remote Explorer, that can propagates itself on "NT Networks" and attacks Microsoft machine in administrator mode. It will spread quickly inside a single NT-based organization but does not easily spread from one company to another. When it resides on a machine, it will attempt to compress .EXE files which will make the files unusable for execution. The virus will also encrypts data files including .HTML and .TXT format which will renders it useless and unreadable.

Virus name: Remote Explorer
Alias: Rich, IE403R.SYS, RemExp,TASKMGR.SYS, RICHS
Primary targets: Windows NT server/Workstation
Date discovered: December 17, 1998

Background

The Remote Explorer virus is the first "network smart" virus. It can move/transport itself through LAN/WAN environment without typical user intervention, and replicate; ie firstly, it will try to steal domain administrator's security priveleges inside an NT network. Once it does, it accesses other NT servers and NT workstations in the network, copies itself over and starts itself again in a new machine. At the moment, other Windows (95/98) operating system can only host the infected files, but the virus cannot spread further on this platform. Also, note that this virus cannot automatically pass through properly configured corporate firewalls.

Impact

1. It will make any .EXE files unusable by compressing the files (using GZIP).

2. It will encrypts any data files including .TXT and .HTML format on a random basis, making it impossible to read.

Indications You Are Hosting The Virus

1. Click at Start-->Settings-->Control Panel-->Services. If you find "Remote Explorer" listed as the service, this system is infected.

2. Click at Start-->Run-->type TASKMGR-->click Processes. If IE403R.SYS or TASKMGR.SYS (not .EXE) listed as the processes, the system is infected.

Methods of Infections

Unknown

Preventions

McAfee VirusScan NT and Netshield NT users

• If you are using VirusScan NT 4.x and Netshield NT 4.x,
  
  

1. If you haven't done so already, download the latest evaluation copies of VirusScan NT and Netshield NT version 4.02 from McAfee Online at:

   http://download.mcafee.com/eval/evaluate.asp#anti-virus

2. Download the following supplemental Extra.ZIP file which contains the protection against the "Remote Explorer" virus :

   http://www.nai.com/products/antivirus/remote_explorer.asp

• If you are using VirusScan NT 3.x and Netshield NT 3.x, download the 3201.ZIP file from this site:

http://www.nai.com/products/antivirus/remote_explorer.asp

Norton AntiVirus users

Download latest Intelligent Updater packages from the following web site:

http://www.symantec.com/avcenter/venc/data/remoteexplorer.html

Removal

The virus is still being investigate. At the moment, there is no cleaning tool to remove the encryption from the data files or decompress the infected file.

Things To Do If Your Machine Is Being Infected

1. Shut down the infected system.

2. Remove the machine's network cable.

3. Determine which other system this machine has primary contact. Quarantine this network as well.

4. Windows NT

   NT system using FAT as their boot partition.

   - Boot clean the system from a known clean floppy diskette. Scan all hard drive with an NAI command line scanner.

   NT system using NTFS as their boot partition.

   - Isolate the system or keep the system powered down until a solution is found. If you want this system up and running, reformat the drives and restore from backups.

   Windows 95/98 Infections

   Boot clean the system from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.

5. After scan completes, delete or move suspected files from the operating system environment.

6. Reboot the system to Windows.

7. Install Netshield NT or VirusScan NT Version 4.02 (for NT) or VirusScan 98 (for Win 95/98).

UPDATE

For Norton Anti Virus user, if you are already infected by the Remote Explorer Virus, follow the following procedure to repair your system:

1. From an uninfected computer, dowmload the REREMOVE.EXE file from the following web site:

   REREMOVE.EXE

2. Place the REREMOVE.EXE tool on a floppy diskette and write protect the diskette.

3. Disconnect the system from the network or disable shared drives so that other systems cannot be infected cannot access the system infected.

4. Make sure you are logged in with Administrator access and run REREMOVE.EXE tool from the floppy disk. Now the virus should have been removed from memory and has been disabled.

5. Update the virus definition using the Intelligent Updater from this site :

   http://www.symantec.com/avcenter/venc/data/remoteexplorer.html

6. Run Norton AntiVirus to repair all infected files and restore the files that have been encrypted by this virus. Reboot the Window NT system.

7. Run the REREMOVE.EXE tool from the floppy disk again.The tool will notice that the virus is not in memory and inoculate the system to avoid re-infection from other infected system.