Remote Explorer: McAfee's selling trick or an interesting target?
Remote Explorer is this the virus to study?
"Remote Explorer" virus runs on Micro$oft Windoze NT servers and affects
common programs like Micro$oft Word. It cannot run on Windoze 9x because
this virus/trojan runs as a "service", which is only possible if you
are running Windoze NT as your op/sys and because Windows 9x lacks the
RPC functions that allow it to spread to it in the first place. You can
nevertheless have a file in win95 that's infected with the virus but
it won't do any damage to your system. Remote Explorer will only
affect NT computers.
Users clicking on their Word icon
might experience a slight delay, but otherwise would be unable to detect the
presence of the virus; meanwhile, the virus is busy corrupting files and
spreading to other programs. Micro$oft officials say they're "aware of
other viruses that have the same characteristics," and Network Associates
says it has developed a Remote Explorer detector and is working on a
solution to decode the affected files.
Remote Explorer. Here are the facts I found:
Discovered on December 17, 1998. Probably released by NAI (MacAffee) itself with
the complicity of MCI, else
heavily used by NAI to promote itself.
Primarily targets Microsoft Windows NT Servers and Workstation systems.
The virus is memory resident, encrypts EXE, TXT, and HTML files.
Spreads through a LAN/WAN environment.
Indications you are hosting the virus:
Open up the Services applet in the NT Control Panel. If you find
"Remote Explorer" listed as a service, this system is infected.
Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab,
if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the
system is infected.
The most outstanding characteristics is that it can move/transport
itself without typical user intervention (passed on floppy, via email)
and replicate like a worm.
It is the first infection program that spreads on either NT Servers,
and/or NT Workstations. It does so by compressing the target executable.
The virus installs itself on a system by creating a copy of itself in
the NT Driver directory and calls itself IE403R.SYS. It also installs
itself as a service with the name "Remote Explorer". It also carries a
DLL that supports it in the infecting and encryption process.
If the DLL is deleted it will make another copy.
Remote Explorer spreads by stealing
security privileges of the domain administrator, which allows it to
propagate to other Windows systems. Once there it infects files and
compresses them in addition to encrypting data on a random basis.
Windows NT is the primary method for the continued spread of this virus.
Other Windows operating systems can host infected files, but the virus
can not spread further on these platforms.
Can infect any EXE and when doing so uses a compression routine to
make the file unusable.
It uses an encryption algorithm on data files including TXT and HTML
formats. It appears to choose a directory randomly, and infects files
that meets the criteria it has set, and encrypts others that it can't
It is a 125-kilobyte file infector, comprised of approximately 50,000
lines of code. This is an extremely large and complex virus.
This large virus has been written in Microsoft Visual
is about 125K.
The original virus code occupies about 14K
GZIP routines - 20K
C run-time libraries - 40K
Other data are occupied by
resources and so on
The virus has quite an unusual structure: the infected files have
data segments, as well as three resources that contain compressed
The first resource contains the standard NT4
that is used by the virus to access processes in the system memory.
The second resource is the original virus code itself (including the
compressed PSAPI.DLL in the resource). This copy of virus code is
the original data to install the virus into the system and to infect
The third resource is the host file that is extracted and
when the virus needs to run the host program.
System Registry: while installing its SYS driver to the system the
uses standard NT API calls. That cause the system to register the
drivers in the system registry - the
Temporary files: while compressing/decompressing files the virus
create temporary files. It creates them in the Windows temporary
with the random names ~xxxdddd.TMP (where 'x' - letters, 'd' -
It goes Memory Resident. Thus the infected system must be powered down,
and scanned from a "clean state" with a command line scanner (convenient
courtesy of NAI
Detection and removal are available
The virus has a time routine, which is designed to speed up the search
and infection process.
The virus infection, hiding and damage routines do work only in
hours: full day on Sunday and Saturday, only from
till 6:00 on other days. Otherwise the virus sets lowest priority
itself, and "sleeps" for long periods of time. So the virus runs its
routine in work-hours, but only in case nobody is accessing the
for the long time.
Hiding routine is run next to infection routine, and "cleans" virus
the system. First of all it looks for the windows with "TASKMGR.SYS,
Application Error" and "Dr.Watson for Windows NT" titles and closes
them if needs be.
So the virus bypasses the error messages caused by its bugs.
The virus then checks if its driver "sleeps" for too long time (more
one hour). In this case the virus kills the service.
The virus also deletes the DRWTSN32.LOG file as well as all "~*"
the Windows temporary directory.
NAI conveniently provided
a program (late 12/21/98) that will removes it from memory
without a reboot, removes the virus as a service, cleans and repairs
the encrypted data files, and all infected executables.
There are now a couple of things that I must add... this whole story has some
tracts of a typical urban legend/scam, made in order to sell
NAI products (which are lousy to say the least, btw). Yet some
of the descriptions I found seem to have a solid base.
Let's put some order in all this mess:
first of all
the Remote Explorer virus seems to be extremely rare. Likelihood of
infection seems to me therefore very low.
At this time, only one company has
been known to have been infected and I couldn't find the virus on
any Internet sites, anti-virus ftps or hacker BBSs (and I know how to search
Es ist sure that McAfee over-hyped the panic
for PR purposes. They have always been very good at this.
I don't know if they went so far as to create it themselves (M$ C++? Mmmm...
I doubt that this virus
has really escaped 'in the wild', but if it is,
and if anyone of my readers gets
his hands on a copy of it, we may try to reverse its code.
I have searched the web -until now in vain- and
I'll keep trying.
As soon as I catch or get a copy of Remote Explorer
it I'll reverse it.
If anyone out there discovers a file called IE403R.SYS, having a
date/time stamp of 12/20/98-1:22:48am (EDT I believe), and a size of
125,440 bytes, please send me a copy. I'll publish the code as soon as
I have reversed it.
Yet many small things make me believe that this is only a silly
McAfee's hype and a marketing trick... have a look at
their disgusting banners at
The hyperbole that is oozing out of some corporation's marketing and PR
wings is getting pretty hard to take, and I believe we should begin
to retaliate... a reason more to disassemble this virus... as you probably know,
each programmer has his 'style' (even in overbloated M$ C++) and it
should be possible to understand if really a 'disgruntled employee' at MCI
or some of the guys at NAI has concocted this.
Some snippets from
the wide web:
Russ, the NTBugtraq moderator):
I have been contacted by Intel, Panda Software, Symantec, and other
private virus researchers hoping to get copies of the virus. NAI did not
make the virus available to the anti-virus community until late this
afternoon. A source told me that Microsoft were told they had to sign a
non-disclosure agreement with NAI in order to get a copy of it
ISS Security Advisory:
There have been no confirmed reports of the virus existing
outside of the original reporting site, with the exception of copies
obtained by virus researchers. There are indications that the original
virus may have been installed by a disgruntled employee.
Sounds all pretty fishy from a reverser standpoint, yet
some real experts on this field seem to believe that a limited
number of copies may indeed
have escaped 'in the wild'.
Now, since NAI is clearly the real culprit of this situation
and the only
responsible of the possible spreading of this virus, and since
our interest for this kind of virii in the context of our
"Micro$oft bashing" campaign and our reversing capabilities
is obvious... our reversing deed
would also hit NAI right on their heads... reversing code and at the same
time reversing a marketing department trick... nice deed, wouldn't you say?
Bye bye McAffee... eh?
So, go forth and catch it, friends NT-administrators!
Pattern files that will detect as clean the virus:
The virus is the first native "memory resident" NT infector, so it
look as some super-virus. Actually the virus was written by some
middle-level developer that has access to the NT
The virus does not hook any NT event, does not use any network
does not try to access the passwords, and spread its copy over the
network. Moreover, the ordinary DOS parasitic viruses have the same
spreading abilities like this virus has - they also can infect files
remote shared drives, stays in the system memory, e.t.c.
This is just a standard parasitic virus, but with NT service
ability. It is not more complex than some other already known
viruses are, and definitely not more complex than the well-known BO
(BackOrifice) from our CoDC friends...
this virus is not a shock at all - it is the long awaited
virus. Let's catch it and reverse it!
For more information:
CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)
Data Fellows Computer Virus Information Pages for RemExp, also known as
Rich, Remote_Explorer, IE403R.SYS, RICHS at
Microsoft Security Advisor "Information on the 'Remote Explorer' or
'RICHS' Virus" at http://www.microsoft.com/security/bulletins/remote.asp