Remote Explorer targets Windows NT computers. Could it strike your network next?

New Virus Changes the Rules

Remote Explorer targets Windows NT computers. Could it strike your network next?

A new computer virus, dubbed "Remote Explorer" or "RICHS," is the first to specifically target Windows NT computers and networks. Microsoft appears to be trying to minimize the importance and methods of the virus, while the leading anti-virus company is saying the computer virus war just got knocked up a notch. If nothing else, like macro viruses did a few years ago, it has increased the methods of virus replication and exposure.

Working hand-in-hand with MCI WorldCom, the only publicized victim of this virus so far, Network Associates is the lone vendor with a detector and removal process. The most notable innovation of this virus is its sophisticated employment of the NT Services’ mechanism. It doesn’t rely solely on the normal user propagation methods (such as infected boot sectors and floppy disks or e-mail attachments) to spread.

When a local administrator executes an infected file, the virus installs itself as an NT service. The rogue service waits for a domain administrator to log in locally and then uses the domain administrator’s privileges to infect executables across the network. What it can and can’t infect is determined by the security privileges of the locally logged on user and associated trusts. Of course, if you’re a domain administrator, your security permissions are usually far reaching. Microsoft and NT security experts are quick to point out that the virus doesn’t exploit any new security holes in the NT operating system; it’s just clever in its design.

Discovered at MCI WorldCom on December 17, Network Associates reported that more than 7,000 computers were infected in the one week before it was eradicated. This particular figure has become the subject of a heated debate within the anti-virus community; MCI WorldCom, wishing to avoid further publicity, won’t confirm the number of computers infected. The CERT Coordination Center (, which tracks and responds to Internet security events, reports that, "At least 50 NT servers, along with an undetermined number of Windows NT workstations" were hit.

Depending on how large the actual number of original infections were, it’s thought that MCI WorldCom’s multiple locations make it more likely that the infections spread to other networks. There have been a few unconfirmed reports of other entities hit by the virus, as well. "At least two other companies have been hit," said Vesselin Bontchev, anti-virus researcher associated with FRISK Software International (, makers of F-Prot.

When MCI WorldCom discovered how the virus propagated, it temporarily disabled its WAN. It’s important to note that the virus doesn’t spread across normal Internet connections and relies on trusted NT network connections to do its dirty work. A joint team of security experts, including those from Network Associates and Microsoft, are working together to discover all the virus’s actions, which have been hampered because the virus protects itself with encryption.

The memory-resident .EXE infector easily travels across WANs and LANs contaminating Windows-based networks. Although it doesn’t infect or replicate on Novell- or Unix-based networks, apparently it can be stored there. The virus can infect and damage files on Windows 95/98 PCs, but it can’t use those systems as a host to spread to other networks. NT systems are a different story.

How It Works

The virus code hides in an infected executable that must be run to activate the virus, much like a normal file-infecting virus. Running the executable installs the virus into memory, and it can then begin to randomly infect other executables and corrupt certain data files. Infected NT workstations then run executables located on the previously clean server, which infects it. Other previously clean NT workstations running the now infected server executables get brought into the vicious cycle. When a user logs on locally to an NT machine and runs an infected executable, the virus begins infecting more .EXE files.

The Unique Part

The virus checks to see if the local user has administrator privileges. If he or she does, the virus installs itself as an NT service and installs a related DLL into the \%SystemRoot%\System32\ directory. The IE403R.SYS helper file is placed into \%SystemRoot%\System32\Drivers. If the local user is a domain administrator, it borrows that person’s security credentials to spread throughout attached networks and find more executables to infect. It looks for remote administration processes to slip through remote security doors.

What the Virus Does

The Remote Explorer virus goes memory resident to randomly infect and compress targeted .EXE files. It compresses infected executables with a common Unix program called Gzip, which corrupts the file. Some initial reports indicated that the virus uses a separate encryption routine to make randomly selected data files unreadable, including .TXT and HTML files. It only encrypts files it can’t infect. Other than its compression and possible cipher routines, there’s no additional damage payload routine.

How to Tell You’re Infected

When the virus installs itself as a service, it’s listed as the "Remote Explorer" service on an infected system, or as "IE403R.SYS" or "TASKMGR.SYS" (not Taskmgr.exe) under the Processes tab. If you have these indications, your system—and others on your network—are infected. End users are more likely to report sudden application crashes or data that can’t be read.

More Remote Explorer Virus Facts
  • If you delete the virus’ DLL file without eradicating the whole virus, it will create another one.
  • The virus has a timing mechanism designed to speed up infection searches during the weekend hours of 3 p.m. Saturday to 6 a.m. Sunday when network surveillance and use is lower.
  • In a world where small is better, this computer virus is 125K, written in C, and compromising over 50,000 lines of code. This large size  might help prevent its spread.
  • This is perhaps the most sophisticated computer virus effort to date and was probably the work of a group of coordinated hackers.

Many unanswered technical questions still remain. Has there been any reported occurrence of the virus outside of MCI WorldCom? Also, was the outbreak as major as Network Associates was claiming? We’ll see.

Roger Grimes

What if Your NT Machine is Infected?

First, don’t panic!

Shut down the system and unplug the network cable to your network interface card to prevent further spreading across the network.

Immediately notify other users on the network and disconnect infected machines.

Because this virus is a memory resident infector, you can’t clean the virus while the system is up and running.

For NT machines with a FAT boot partition, boot with a clean DOS boot disk, then scan and clean using a virus scanner that detects and removes the Remote Explorer Virus. (At press time, Network Associate’s scanner is the only one that detects it).

For NT machines with NTFS boot partitions, keep the machine down until an NTFS detector and remover is made. If you must have the system back up as soon as possible, format the drive, reinstall NT, and restore from a known clean backup copy.

How To Protect Your Network Long-term

The first order of business is always to make sure you have a good tape backup. If the virus attacks and corrupts executables and data, you can recover to the point of the last good backup. There’s no better solution for complete protection.

Never run executable code or script files on your computer (including applets or HTML) that you don’t absolutely trust. Downloading and running code from an unknown source is just asking for trouble. The use of "signing" executables is going to become more common as we progress into the Internet future.

Keep your virus scanners up to date and use them. Even though Network Associates is the only vendor with a solution now, other anti virus vendors will follow.

Most major anti-virus companies now have comprehensive anti-virus solutions that protect everything from DOS to NT and have special protection for Web browsers, e-mail, and Lotus Notes servers.

Make sure you educate users about the signs and symptoms of computer viruses and how to prevent them.

Last, many NT security experts say to make sure you log in to your NT system with a non-administrator account for most of your work; and only logon as an Administrator when you have to. This will decrease the chance that a rogue piece of software can use your security privileges to do further damage.

Additional Information

What Does This Mean for the Future?

Because NT uses a fully protected memory space, future virus scanning solutions should be able to detect and remove NT computer viruses without affecting the rest of the system or requiring a reboot.

According to virus experts, most computer viruses are concocted by teenagers or young adults without the resources or understanding of how to write 32-bit executables, much less write code that uses NT’s own security to propagate. DOS-based viruses, which are much simpler to write, can already crash and infect NT. Most experts don’t expect a rash of this type of computer virus. NT-specific computer viruses are just another new security threat along with Java bombs and HTML viruses. Your anti-virus plan should take all forms of rogue programs into consideration.