Remote Explorer targets Windows NT computers. Could it
strike your network next?
New Virus Changes the Rules
- By Roger A. Grimes
- January 01, 1999
A new computer virus, dubbed "Remote Explorer"
or "RICHS," is the first to specifically target
Windows NT computers and networks. Microsoft appears to
be trying to minimize the importance and methods of the
virus, while the leading anti-virus company is saying
the computer virus war just got knocked up a notch. If
nothing else, like macro viruses did a few years ago,
it has increased the methods of virus replication and
Working hand-in-hand with MCI WorldCom, the only publicized
victim of this virus so far, Network Associates is the
lone vendor with a detector and removal process. The most
notable innovation of this virus is its sophisticated
employment of the NT Services mechanism. It doesn't
rely solely on the normal user propagation methods (such
as infected boot sectors and floppy disks or e-mail attachments).
When a local administrator executes an infected file,
the virus installs itself as an NT service. The rogue
service waits for a domain administrator to log in locally
and then uses the domain administrator's privileges
to infect executables across the network. What it can
and can't infect is determined by the security privileges
of the locally logged-on user and the associated trusts. Of
course, if you're a domain administrator, your security
permissions are usually far reaching. Microsoft and NT
security experts are quick to point out that the virus
doesn't exploit any new security holes in the NT
operating system; it's just clever in its design.
The virus was discovered at MCI WorldCom on December 17, and Network Associates
reported that more than 7,000 computers were infected
in the one week before it was eradicated. This particular
figure has become the subject of a heated debate within
the anti-virus community; MCI WorldCom, wishing to avoid
further publicity, won't confirm the number of computers
infected. The CERT Coordination Center (www.cert.org),
which tracks and responds to Internet security events,
reports that, "At least 50 NT servers, along with
an undetermined number of Windows NT workstations"
Depending on how large the actual number of original
infections was, it's thought that MCI WorldCom's
multiple locations make it more likely that the infections
spread to other networks. There have been a few unconfirmed
reports of other entities hit by the virus, as well. "At
reports of other entities hit by the virus, as well. "At
least two other companies have been hit," said Vesselin
Bontchev, anti-virus researcher associated with FRISK
Software International (www.datafellows.fi),
makers of F-Prot.
When MCI WorldCom discovered how the virus propagated,
it temporarily disabled its WAN. It's important to
note that the virus doesn't spread across normal
Internet connections and relies on trusted NT network
connections to do its dirty work. A joint team of security
experts, including those from Network Associates and Microsoft,
is working to discover all the virus's
actions, an effort that has been hampered because the virus protects
itself with encryption.
The memory-resident .EXE infector easily travels across
WANs and LANs, contaminating Windows-based networks. Although
it doesn't infect or replicate on Novell- or Unix-based
networks, apparently it can be stored there. The virus
can infect and damage files on Windows 95/98 PCs, but
it can't use those systems as a host to spread to
other networks. NT systems are a different story.
How It Works
The virus code hides in an infected executable that must
be run to activate the virus, much like a normal file-infecting
virus. Running the executable installs the virus into
memory, and it can then begin to randomly infect other
executables and corrupt certain data files. Infected NT
workstations then run executables located on a previously
clean server, infecting the server. Other previously clean
NT workstations running the now-infected server executables
get brought into the vicious cycle. When a user logs on
locally to an NT machine and runs an infected executable,
the virus begins infecting more .EXE files.
The Unique Part
The virus checks to see if the local user has administrator
privileges. If he or she does, the virus installs itself
as an NT service and installs a related DLL into the %SystemRoot%\System32\
directory. The IE403R.SYS helper file is placed into %SystemRoot%\System32\Drivers.
If the local user is a domain administrator, it borrows
that person's security credentials to spread throughout
attached networks and find more executables to infect.
It looks for remote administration processes to slip through
remote security doors.
What the Virus Does
The Remote Explorer virus goes memory resident to randomly
infect and compress targeted .EXE files. It compresses
infected executables with a common Unix program called
Gzip, which corrupts the file. Some initial reports indicated
that the virus uses a separate encryption routine to make
randomly selected data files unreadable, including .TXT
and HTML files. It only encrypts files it can't infect.
Other than its compression and possible cipher routines,
there's no additional damage payload routine.
How to Tell Youre Infected
When the virus installs itself as a service, it's
listed as the "Remote Explorer" service on an
infected system, or as "IE403R.SYS" or "TASKMGR.SYS"
(not Taskmgr.exe) under the Processes tab. If you have
these indications, your system, and others on your
network, are infected. End users are more likely to
report sudden application crashes or data that can't
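An added detection check (editor's example in PowerShell, not from the article or from Network Associates' scanner) that walks through the indicators this section names: the service display name, the two process image names, and the helper file path from the previous section. It assumes a Windows host with the CIM cmdlets available, and it only reports; removal still follows the offline procedure described later in the article.

```powershell
# Editor's added detection check, not from the original article.
# It looks only for the indicators the article names and reports them;
# cleanup still follows the article's offline procedure, because the
# virus recreates a deleted DLL while it is resident.

$findings = @()

# 1. A service registered under the name "Remote Explorer".
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Remote Explorer' -or $_.Name -eq 'Remote Explorer' }
foreach ($s in $services) {
    $findings += "Service '$($s.DisplayName)' state=$($s.State) path=$($s.PathName) account=$($s.StartName)"
}

# 2. Running images named IE403R.SYS or TASKMGR.SYS. Win32_Process.Name
#    keeps the extension, so the genuine TASKMGR.EXE does not match;
#    -contains compares strings case-insensitively.
$badImages = @('IE403R.SYS', 'TASKMGR.SYS')
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $badImages -contains $_.Name }
foreach ($p in $procs) {
    $findings += "Process $($p.Name) pid=$($p.ProcessId) path=$($p.ExecutablePath)"
}

# 3. The helper file the article says is dropped into System32\Drivers.
$helper = Join-Path $env:SystemRoot 'System32\Drivers\IE403R.SYS'
if (Test-Path -LiteralPath $helper) {
    $item = Get-Item -LiteralPath $helper
    $findings += "File $helper size=$($item.Length) modified=$($item.LastWriteTime)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Remote Explorer indicators found on $env:COMPUTERNAME"
    exit 0
}
Write-Warning "Remote Explorer indicators found on $env:COMPUTERNAME; isolate this host from the network"
foreach ($f in $findings) { Write-Output "  $f" }
exit 1
```

A non-zero exit code lets the script be run from a login script or scheduled task so a hit is noticed without anyone reading the output.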
Remote Explorer Virus Facts
- If you delete the virus DLL file without eradicating the whole virus, it will create another one.
- The virus has a timing mechanism designed to speed up infection searches during the weekend hours of 3 p.m. Saturday to 6 a.m. Sunday, when network surveillance and use is lower.
- In a world where small is better, this computer virus is 125K, written in C, and comprising over 50,000 lines of code. This large size might help prevent its spread.
- This is perhaps the most sophisticated computer virus effort to date and was probably the work of a group of
Many unanswered technical questions
still remain. Has there been any reported
occurrence of the virus outside of MCI
WorldCom? Also, was the outbreak as
major as Network Associates was claiming?
What if Your NT Machine is Infected?
First, don't panic!
Shut down the system and unplug the network cable to
your network interface card to prevent further spreading
across the network.
Immediately notify other users on the network and disconnect
Because this virus is a memory-resident infector, you
can't clean the virus while the system is up and
For NT machines with a FAT boot partition, boot with
a clean DOS boot disk, then scan and clean using a virus
scanner that detects and removes the Remote Explorer Virus.
(At press time, Network Associates' scanner is the
only one that detects it.)
For NT machines with NTFS boot partitions, keep the machine
down until an NTFS detector and remover is made. If you
must have the system back up as soon as possible, format
the drive, reinstall NT, and restore from a known clean
How To Protect Your Network Long-term
The first order of business is always to make sure you
have a good tape backup. If the virus attacks and corrupts
executables and data, you can recover to the point of
the last good backup. There's no better solution
for complete protection.
Never run executable code or script files on your computer
(including applets or HTML) that you don't absolutely
trust. Downloading and running code from an unknown source
is just asking for trouble. The use of "signing"
executables is going to become more common as we progress
into the Internet future.
Keep your virus scanners up to date and use them. Even
though Network Associates is the only vendor with a solution
now, other anti-virus vendors will follow.
Most major anti-virus companies now have comprehensive
anti-virus solutions that protect everything from DOS
to NT and have special protection for Web browsers, e-mail,
and Lotus Notes servers.
Make sure you educate users about the signs and symptoms
of computer viruses and how to prevent them.
Last, many NT security experts say to make sure you log
in to your NT system with a non-administrator account
for most of your work, and only log on as an Administrator
when you have to. This will decrease the chance that a
rogue piece of software can use your security privileges
to do further damage.
What Does This Mean for the Future?
Because NT uses a fully protected memory space, future
virus scanning solutions should be able to detect and
remove NT computer viruses without affecting the rest
of the system or requiring a reboot.
According to virus experts, most computer viruses are
concocted by teenagers or young adults without the resources
or understanding of how to write 32-bit executables, much
less write code that uses NT's own security to propagate.
DOS-based viruses, which are much simpler to write, can
already crash and infect NT. Most experts don't expect
a rash of this type of computer virus. NT-specific computer
viruses are just another new security threat along with
Java bombs and HTML viruses. Your anti-virus plan should
take all forms of rogue programs into consideration.