From ciac@rumpole.llnl.gov Sat Jan 23 13:04:03 1999
From: CIAC Mail User <ciac@rumpole.llnl.gov>
To: ciac-bulletin@rumpole.llnl.gov
Date: Fri, 22 Jan 1999 15:14:25 -0800 (PST)
Subject: CIAC Bulletin J-024: Windows NT Remote Explorer

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           Windows NT Remote Explorer

January 20, 1999 17:00 GMT                                        Number J-024
______________________________________________________________________________
PROBLEM:       Remote Explorer is an application that has the capability of 
               behaving as either a virus or a worm. 
PLATFORM:      Microsoft Windows NT 
DAMAGE:        When running as an executable, applications might not behave 
               normally. When running as a service, the virus can set the file 
               attributes to that of the host file and replace the host file. 
SOLUTION:      Listed under 'Recommendations' below are steps that can be 
               taken to locate the virus and disable it if it is running as a 
               service.
______________________________________________________________________________
VULNERABILITY  Risk is low. This virus does not exploit any security 
ASSESSMENT:    weaknesses in Windows NT, and requires an administrator to run 
               a Trojan executable in order for it to be installed as a 
               service.  CIAC HAS NOT SEEN ANY EVIDENCE OF THIS VIRUS 
               BEING IN THE WILD.  THERE HAVE BEEN NO CONFIRMED REPORTS
               OUTSIDE OF THE ORIGINAL REPORTING SITE.
______________________________________________________________________________


[ Start ISS Security Advisory ]

ISS Security Advisory
January 5, 1999

Remote Explorer


Synopsis:

Remote Explorer is an application that runs on Microsoft Windows NT(tm)
systems and is capable of behaving as either a virus or a worm.  The
virus has only been found on limited portions of one corporate network.
At this time, there are no confirmed reports of Remote Explorer being
found on any other networks.

Remote Explorer can be detected using sc.exe from the Resource Kit and
tools that ship with Windows NT. It can also be detected with Internet
Security System's (ISS) Internet Scanner(tm) for Windows NT security
assessment software.  Several anti-virus vendors currently ship software
that will remove the virus from a system.


Description:

Remote Explorer is capable of running both as an executable and as a
Windows NT service.  When present in executable form, the virus will
store the host executable as a resource, along with a copy of PSAPI.DLL.
Resources are how a Windows executable stores icons, dialogs, and other
information that might be needed.  When the virus executes, it first
attempts to install itself as a service, and copies itself to ie403.sys.
Ie403.sys is typically found in %systemroot%\system32\drivers and
%systemroot is normally c:\winnt.  If the user who invokes the virus is
not an administrator, the virus cannot be installed as a service.  It
will then copy the host executable to a temporary file and start the
application.  As a result, applications might not behave normally.

When the virus is running as a service, it will check for a logon every
10 minutes.  If a user has logged on, it will acquire their process token
(or user credentials), copy itself to taskmgr.sys, and start that process
using the credentials of that user.  It will then search the disk for
executables which are not in the %systemroot% or C:\Program Files trees,
and will then infect those files. This is accomplished by compressing the
files using the same algorithm as gzip and storing the host, as a resource, 
into a copy of the virus. Remote Explorer then sets the file attributes
(access times, etc.) of the virus to that of the host file, and replaces
the host file.  If the virus has been invoked by the service, it can also
access any network shares available to the user that the process is
impersonating.

There are conflicting reports as to whether the virus compresses documents
on an infected computer.  If so, the compression should be reversible.

The virus also lays dormant during normal working hours, and appears to
only become active during the hours of 9PM to 6AM, and all hours during
weekends.  It is also apparently quite buggy, and takes measures to clean
up any errors that may occur by erasing Dr. Watson logs and closing any
error windows that might occur because of the virus' processes.  

The virus has been reported as an entirely new class, and with respect to
using Windows NT services, that is true.  However, most of its mechanisms
follow normal viral behavior.  The choice to use Windows NT services
makes it relatively easy to detect.

This virus does not exploit any security weaknesses in Windows NT, and
requires an administrator to run a Trojan executable in order for it to
be installed as a service.

Initial reports were that several thousand corporate machines were
infected, severely disrupting that company's network operations. However,
CERT(R) reports that 50 machines were infected.  Contacts within the
affected company confirm that the number of infected machines was
somewhat less than 50, and that the disruption was confined to a test
network.  There have been no confirmed reports of the virus existing
outside of the original reporting site, with the exception of copies
obtained by virus researchers.  There are indications that the original
virus may have been installed by a disgruntled employee.


Recommendations:

Any tool that is capable of enumerating Windows NT services can find the
virus if it is present as a service.  Server Manager, which ships with
Windows NT Server and the Windows NT Resource Kit, can be used to find
the service:

1. Select the host.
2. From the Computer menu, choose Services. The Services window appears.
3. From the Services window, determine if "Remote Explorer" is running.
4. If Remote Explorer is running, select it.
5. Choose Startup and set the Startup Type to Disabled.
6. Click OK to disable the service.
7. Click the Stop button to halt the service. Click Yes to confirm.

Alternately, sc.exe from the Windows NT Resource Kit can be used to both
detect and stop the virus.  See the documentation on sc for details.

ISS Internet Scanner for Windows NT can also be used to detect the virus,
and has the advantage of only requiring user-level access to the host
(the standard tools require administrator access):

1. Load a scan session.
2. From the Policy menu, choose Edit.
3. Select the NT Services tab, then verify that the "Report Unknown
   Services" check is enabled. If Remote Explorer is present, it will be
   reported on screen as "Unknown NT Service - Remote Explorer".

Scanning can effectively and quickly check large numbers of hosts.

If possible, remotely disable the Remote Explorer service and use an
anti-virus tool of your choice to make sure that all infected executables
are cleaned.


Credits:

Information in this report was provided by Vesselin Bontchev of F-Prot,
Bill Sobel of Symantec, Russ Cooper (moderator of NTBUGTRAQ), Microsoft,
as well as an investigation by ISS' X-Force.  We also thank Microsoft for
providing assistance in our investigation.


For more information:

CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
http://www.cert.org/incident_notes/IN-98-07.html

Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)

Data Fellows Computer Virus Information Pages for RemExp, also known as
Rich, Remote_Explorer, IE403R.SYS, RICHS at 
http://www.datafellows.com/v-descs/rich.htm

Microsoft Security Advisor "Information on the 'Remote Explorer' or
'RICHS' Virus" at http://www.microsoft.com/security/bulletins/remote.asp

- - -------------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of X-Force.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


[ End ISS Security Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems, 
Inc. for the information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-bulletin 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses
J-019: Intelligent Peripherals Create Security Risk 
J-020: SGI IRIX fcagent daemon Vulnerability
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability




-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNqkA3rnzJzdsy3QZAQEbjwP9GfzrF4OkDXbt5QknE+WtWFnueW6o1JZd
8bANQEWI3Gcs68SPsnfkGLyp0MZUo1TbwjoPLdUqQ/bLXESLs2je3oMkg66qBGjW
k9q7lU73ZyVkDzZSAD1diZbNSGFRY3h4N1aLtKpigyeSIuWQV7dYOkmAzJmsC+y8
1KUnQDgGQrQ=
=WcpX
-----END PGP SIGNATURE-----