Home | Site Map | Search | Contacts
About Us
Report Incidents
Incident Statistics
Security FAQS

Search NISER
  NISER > Alerts > MyCERT Advisories & Summaries > MA-002.121998: Remote Explorer Virus

MA-002.121998: Remote Explorer Virus
Original Issue Date: December 23, 1998
TOPIC : Beware of "Remote Explorer" Virus on Windows NT!



    MyCERT has received a report regarding a new virus, Remote Explorer, that can propagates itself on "NT Networks" and attacks Microsoft machine in administrator mode. It will spread quickly inside a single NT-based organization but does not easily spread from one company to another. When it resides on a machine, it will attempt to compress .EXE files which will make the files unusable for execution. The virus will also encrypts data files including .HTML and .TXT format which will renders it useless and unreadable.

Virus name: Remote Explorer
Alias: Rich, IE403R.SYS, RemExp,TASKMGR.SYS, RICHS
Primary targets: Windows NT server/Workstation
Date discovered: December 17, 1998


    The Remote Explorer virus is the first "network smart" virus. It can move/transport itself through LAN/WAN environment without typical user intervention, and replicate; ie firstly, it will try to steal domain administrator's security priveleges inside an NT network. Once it does, it accesses other NT servers and NT workstations in the network, copies itself over and starts itself again in a new machine. At the moment, other Windows (95/98) operating system can only host the infected files, but the virus cannot spread further on this platform. Also, note that this virus cannot automatically pass through properly configured corporate firewalls.


  1. It will make any .EXE files unusable by compressing the files (using GZIP).

  2. It will encrypts any data files including .TXT and .HTML format on a random basis, making it impossible to read.

Indications You Are Hosting The Virus

  1. Click at Start-->Settings-->Control Panel-->Services. If you find "Remote Explorer" listed as the service, this system is infected.

  2. Click at Start-->Run-->type TASKMGR-->click Processes. If IE403R.SYS or TASKMGR.SYS (not .EXE) listed as the processes, the system is infected.

Methods of Infections




    The virus is still being investigate. At the moment, there is no cleaning tool to remove the encryption from the data files or decompress the infected file.

Things To Do If Your Machine Is Being Infected

  1. Shut down the infected system.

  2. Remove the machine's network cable.

  3. Determine which other system this machine has primary contact. Quarantine this network as well.

  4. Windows NT

    NT system using FAT as their boot partition.

      - Boot clean the system from a known clean floppy diskette. Scan all hard drive with an NAI command line scanner.

    NT system using NTFS as their boot partition.

      - Isolate the system or keep the system powered down until a solution is found. If you want this system up and running, reformat the drives and restore from backups.

    Windows 95/98 Infections

    Boot clean the system from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.

  5. After scan completes, delete or move suspected files from the operating system environment.

  6. Reboot the system to Windows.

  7. Install Netshield NT or VirusScan NT Version 4.02 (for NT) or VirusScan 98 (for Win 95/98).


    For Norton Anti Virus user, if you are already infected by the Remote Explorer Virus, follow the following procedure to repair your system:

  1. From an uninfected computer, dowmload the REREMOVE.EXE file from the following web site:

  2. Place the REREMOVE.EXE tool on a floppy diskette and write protect the diskette.

  3. Disconnect the system from the network or disable shared drives so that other systems cannot be infected cannot access the system infected.

  4. Make sure you are logged in with Administrator access and run REREMOVE.EXE tool from the floppy disk. Now the virus should have been removed from memory and has been disabled.

  5. Update the virus definition using the Intelligent Updater from this site :

  6. Run Norton AntiVirus to repair all infected files and restore the files that have been encrypted by this virus. Reboot the Window NT system.

  7. Run the REREMOVE.EXE tool from the floppy disk again.The tool will notice that the virus is not in memory and inoculate the system to avoid re-infection from other infected system.

Disclaimers and copyright information
Last Update April 19, 2001