NISER > Alerts > MyCERT Advisories & Summaries > MA-002.121998: Remote Explorer Virus
MA-002.121998: Remote Explorer Virus
Original Issue Date: December 23, 1998
TOPIC : Beware of "Remote Explorer" Virus on Windows NT!
MyCERT has received a report regarding a new virus, Remote Explorer, that can propagates itself on "NT Networks" and attacks Microsoft machine in administrator mode. It will spread quickly inside a single NT-based organization but does not easily spread from one company to another. When it resides on a machine, it will attempt to compress .EXE files which will make the files unusable for execution. The virus will also encrypts data files including .HTML and .TXT format which will renders it useless and unreadable.
Virus name: Remote Explorer
Alias: Rich, IE403R.SYS, RemExp,TASKMGR.SYS, RICHS
Primary targets: Windows NT server/Workstation
Date discovered: December 17, 1998
The Remote Explorer virus is the first "network smart" virus. It can move/transport itself through LAN/WAN environment without typical user intervention, and replicate; ie firstly, it will try to steal domain administrator's security priveleges inside an NT network. Once it does, it accesses other NT servers and NT workstations in the network, copies itself over and starts itself again in a new machine. At the moment, other Windows (95/98) operating system can only host the infected files, but the virus cannot spread further on this platform. Also, note that this virus cannot automatically pass through properly configured corporate firewalls.
It will make any .EXE files unusable by compressing the files (using GZIP).
It will encrypts any data files including .TXT and .HTML format on a random basis, making it impossible to read.
Indications You Are Hosting The Virus
Click at Start-->Settings-->Control Panel-->Services. If you find "Remote Explorer" listed as the service, this system is infected.
Click at Start-->Run-->type TASKMGR-->click Processes. If IE403R.SYS or TASKMGR.SYS (not .EXE) listed as the processes, the system is infected.
Methods of Infections
If you haven't done so already, download the latest evaluation copies of VirusScan NT and Netshield NT version 4.02 from McAfee Online at:
Download the following supplemental Extra.ZIP file which contains the protection against the "Remote Explorer" virus :
If you are using VirusScan NT 3.x and Netshield NT 3.x, download the 3201.ZIP file from this site:
Norton AntiVirus users
Download latest Intelligent Updater packages from the following web site:
The virus is still being investigate. At the moment, there is no cleaning tool to remove the encryption from the data files or decompress the infected file.
Things To Do If Your Machine Is Being Infected
Shut down the infected system.
Remove the machine's network cable.
Determine which other system this machine has primary contact. Quarantine this network as well.
NT system using FAT as their boot partition.
- Boot clean the system from a known clean floppy diskette. Scan all hard drive with an NAI command line scanner.
NT system using NTFS as their boot partition.
- Isolate the system or keep the system powered down until a solution is found. If you want this system up and running, reformat the drives and restore from backups.
Windows 95/98 Infections
Boot clean the system from a known clean floppy diskette. Scan all hard drives with an NAI command line scanner.
After scan completes, delete or move suspected files from the operating system environment.
Reboot the system to Windows.
Install Netshield NT or VirusScan NT Version 4.02 (for NT) or VirusScan 98 (for Win 95/98).
For Norton Anti Virus user, if you are already infected by the Remote Explorer Virus, follow the following procedure to repair your system:
From an uninfected computer, dowmload the REREMOVE.EXE file from the following web site:
Place the REREMOVE.EXE tool on a floppy diskette and write protect the diskette.
Disconnect the system from the network or disable shared drives so that other systems cannot be infected cannot access the system infected.
Make sure you are logged in with Administrator access and run REREMOVE.EXE tool from the floppy disk. Now the virus should have been removed from memory and has been disabled.
Update the virus definition using the Intelligent Updater from this site :
Run Norton AntiVirus to repair all infected files and restore the files that have been encrypted by this virus. Reboot the Window NT system.
Run the REREMOVE.EXE tool from the floppy disk again.The tool will notice that the virus is not in memory and inoculate the system to avoid re-infection from other infected system.
Disclaimers and copyright information
Last Update April 19, 2001