Network Associates Finds NT Virus, Posts Fix
- By Scott Bekker
- December 22, 1998
If you find the words Remote Explorer within the services applet in the Windows NT Control Panel, your network has been infiltrated by what Network Associates Inc. (www.nai.com) claims is the most destructive Windows NT Server virus the company has ever seen. Dubbed Remote Explorer, the virus can cripple data files on a network.
The virus surfaced this past weekend at a Fortune 100 client of Network Associates. It infects Windows client computers at random, using its own algorithm to encrypt their data files.
Remote Explorer installs itself onto a Windows NT server, then replicates without any user needing to open or run it. Remote Explorer attacks EXE, TXT and HTML files. It installs itself on a system by placing a copy of itself, named IE403R.SYS, in the NT driver directory.
It also installs itself as a service, and carries a DLL that supports it in the infection and encryption process. From preliminary analysis, Network Associates claims that Remote Explorer spreads by stealing the security privileges of the domain administrator, which lets it propagate to other Windows systems. Once there it infects files, compressing them and, on a random basis, encrypting their data. Windows NT is the primary vehicle for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus cannot spread further on those platforms.
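The two host-level indicators the article names, a service called Remote Explorer and a driver file IE403R.SYS, can be checked for with a short script. This is an added example, not code from the article or from Network Associates; the driver directory path (%SystemRoot%\System32\drivers) is an assumption, since the article only says "the NT driver directory".

```powershell
# Added example: look for the Remote Explorer indicators described in the article.
# Assumption: the "NT driver directory" is %SystemRoot%\System32\drivers.
$findings = @()

# 1. A user-mode service whose name or display name contains "Remote Explorer",
#    or whose binary path references the driver file named in the article.
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.Name -like '*Remote Explorer*' -or
        $_.DisplayName -like '*Remote Explorer*' -or
        $_.PathName -match 'IE403R\.SYS'
    } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Detail    = "$($_.DisplayName) [$($_.Name)] state=$($_.State) path=$($_.PathName)"
        }
    }

# 2. A kernel driver entry pointing at IE403R.SYS (the .SYS copy is registered as a driver service).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'IE403R\.SYS' -or $_.DisplayName -like '*Remote Explorer*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Driver'
            Detail    = "$($_.DisplayName) [$($_.Name)] state=$($_.State) path=$($_.PathName)"
        }
    }

# 3. The driver file itself in the assumed driver directory.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\IE403R.SYS'
if (Test-Path -LiteralPath $driverPath) {
    $item = Get-Item -LiteralPath $driverPath
    $findings += [pscustomobject]@{
        Indicator = 'DriverFile'
        Detail    = "$driverPath size=$($item.Length) modified=$($item.LastWriteTime)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Remote Explorer indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session on each NT-family host you want to inspect; a hit on any of the three checks is a reason to isolate the machine and run the vendor's detection and cleaning file.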
Thus far, Network Associates has found that the virus is most active on the weekends, and quieter during business hours.
According to Network Associates, it contains 120 kilobytes of binary code written in C, a massive amount of code for a virus; most viruses require only a few kilobytes.
Network Associates posted a detection and cleaning file at: http://www.nai.com/products/antivirus/remote_explorer.asp
-- Thomas Sullivan, Staff Reporter/Reviews Editor
Scott Bekker is editor in chief of Redmond Channel Partner magazine.