iss.99-01-06.remote_explorer
Posted Feb 1, 1999

MD5 | 09c75778a73dcaf500a5d3dbeaf55597

From xforce@iss.net Wed Jan 6 16:15:06 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Wed, 6 Jan 1999 15:05:48 -0500 (EST)
Subject: ISSalert: ISS Vulnerability Alert: Remote Explorer

-----BEGIN PGP SIGNED MESSAGE-----

ISS Vulnerability Alert
January 6, 1999

Remote Explorer


Synopsis:

Remote Explorer is an application that runs on Microsoft Windows NT(tm)
systems and is capable of behaving as either a virus or a worm. The
virus has only been found on limited portions of one corporate network.
At this time, there are no confirmed reports of Remote Explorer being
found on any other networks.

Remote Explorer can be detected using sc.exe from the Resource Kit and
tools that ship with Windows NT. It can also be detected with Internet
Security Systems' (ISS) Internet Scanner(tm) for Windows NT security
assessment software. Several anti-virus vendors currently ship software
that will remove the virus from a system.


Description:

Remote Explorer is capable of running both as an executable and as a
Windows NT service. When present in executable form, the virus will store
the host executable as a resource, along with a copy of PSAPI.DLL.
Resources are how a Windows executable stores icons, dialogs, and other
information that might be needed. When the virus executes, it first
attempts to install itself as a service, and copies itself to ie403.sys.
Ie403.sys is typically found in %systemroot%\system32\drivers, and
%systemroot% is normally c:\winnt. If the user who invokes the virus is
not an administrator, the virus cannot be installed as a service. It
will then copy the host executable to a temporary file and start the
application. As a result, applications might not behave normally.

When the virus is running as a service, it will check for a logon every
10 minutes. If a user has logged on, it will acquire their process token
(or user credentials), copy itself to taskmgr.sys, and start that process
using the credentials of that user. It will then search the disk for
executables which are not in the %systemroot% or C:\Program Files trees,
and will then infect those files. This is accomplished by compressing the
files using the same algorithm as gzip and storing the host, as a resource,
into a copy of the virus. Remote Explorer then sets the file attributes
(access times, etc.) of the virus to that of the host file, and replaces
the host file. If the virus has been invoked by the service, it can also
access any network shares available to the user that the process is
impersonating.

There are conflicting reports as to whether the virus compresses documents
on an infected computer. If so, the compression should be reversible.

The virus also lies dormant during normal working hours, and appears to
only become active during the hours of 9PM to 6AM, and all hours during
weekends. It is also apparently quite buggy, and takes measures to clean
up any errors that may occur by erasing Dr. Watson logs and closing any
error windows that might appear because of the virus' processes.
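The activity window above is useful for scoping a review of Event Log or Dr. Watson entries on a suspect host. The following is an added example (not ISS X-Force code) that classifies timestamps against that window; it assumes the host's local clock and that "weekends" means Saturday and Sunday, and it treats 6AM itself as outside the window since the alert does not say. Note that it is meant for log entries, not file timestamps: the alert states that the virus copies the host file's times onto the infected copy, so file times are not a reliable signal.

```python
"""Classify timestamps against the Remote Explorer activity window the alert
describes: 9PM to 6AM on weekdays, and all hours on Saturday and Sunday.

Added example, not ISS X-Force code.  Assumptions: the host's local time
is what matters (the alert does not say which clock the virus consults),
"weekend" is Saturday and Sunday, and the 6AM end of the window is
exclusive.
"""
from datetime import datetime, time

ACTIVE_START = time(21, 0)   # 9 PM, window opens
ACTIVE_END = time(6, 0)      # 6 AM, window closes (exclusive)


def is_weekend(ts):
    # datetime.weekday(): Monday == 0 ... Saturday == 5, Sunday == 6
    return ts.weekday() >= 5


def in_active_window(ts):
    """True if `ts` falls inside the hours the alert says the virus is active."""
    if is_weekend(ts):
        return True
    t = ts.time()
    # The window crosses midnight, so it is the union of
    # [21:00, 24:00) and [00:00, 06:00) rather than a single interval.
    return t >= ACTIVE_START or t < ACTIVE_END


def partition_by_window(events):
    """Split (timestamp, description) pairs into (active, dormant) lists,
    preserving their order, so the active-window entries can be reviewed first."""
    active, dormant = [], []
    for event in events:
        (active if in_active_window(event[0]) else dormant).append(event)
    return active, dormant


# Constructed sample events (not real log data).  The alert is dated
# Wednesday, 6 January 1999, so these dates fall on known weekdays.
SAMPLE_EVENTS = [
    (datetime(1999, 1, 6, 14, 0), "Wed 2:00 PM, working hours"),
    (datetime(1999, 1, 6, 22, 0), "Wed 10:00 PM, evening window"),
    (datetime(1999, 1, 7, 2, 30), "Thu 2:30 AM, after midnight"),
    (datetime(1999, 1, 7, 6, 0), "Thu 6:00 AM exactly, window closed"),
    (datetime(1999, 1, 9, 12, 0), "Sat noon, weekend"),
]

if __name__ == "__main__":
    active, dormant = partition_by_window(SAMPLE_EVENTS)
    print("Review first (inside active window):")
    for ts, what in active:
        print(f"  {ts:%Y-%m-%d %H:%M}  {what}")
    print("Lower priority (outside active window):")
    for ts, what in dormant:
        print(f"  {ts:%Y-%m-%d %H:%M}  {what}")
```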

The virus has been reported as an entirely new class, and with respect to
using Windows NT services, that is true. However, most of its mechanisms
follow normal viral behavior. The choice to use Windows NT services makes
it relatively easy to detect.

This virus does not exploit any security weaknesses in Windows NT, and
requires an administrator to run a Trojan executable in order for it to
be installed as a service.

Initial reports were that several thousand corporate machines were
infected, severely disrupting that company's network operations. However,
CERT(R) reports that 50 machines were infected. Contacts within the
affected company confirm that the number of infected machines was somewhat
less than 50, and that the disruption was confined to a test network.
There have been no confirmed reports of the virus existing outside of the
original reporting site, with the exception of copies obtained by virus
researchers. There are indications that the original virus may have been
installed by a disgruntled employee.


Recommendations:

Any tool that is capable of enumerating Windows NT services can find the
virus if it is present as a service. Server Manager, which ships with
Windows NT Server and the Windows NT Resource Kit, can be used to find
the service:

1. Select the host.
2. From the Computer menu, choose Services. The Services window appears.
3. From the Services window, determine if "Remote Explorer" is running.
4. If Remote Explorer is running, select it.
5. Choose Startup and set the Startup Type to Disabled.
6. Click OK to disable the service.
7. Click the Stop button to halt the service. Click Yes to confirm.

Alternatively, sc.exe from the Windows NT Resource Kit can be used to both
detect and stop the virus. See the documentation on sc for details.

ISS Internet Scanner for Windows NT can also be used to detect the virus,
and has the advantage of only requiring user-level access to the host
(the standard tools require administrator access):

1. Load a scan session.
2. From the Policy menu, choose Edit.
3. Select the NT Services tab, then verify that the "Report Unknown
Services" check box is enabled. If Remote Explorer is present, it will be
reported on screen as "Unknown NT Service - Remote Explorer".

Scanning can effectively and quickly check large numbers of hosts.

If possible, remotely disable the Remote Explorer service and use an
anti-virus tool of your choice to make sure that all infected executables
are cleaned.
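Because the alert's detection advice rests on enumerating services for the "Remote Explorer" display name, a triage script that consumes `sc query` output can apply the same check across many hosts and emit the corresponding disable-and-stop commands. The following is an added example, not ISS X-Force or Packet Storm code. It assumes the text layout printed by modern sc.exe (`SERVICE_NAME:` / `DISPLAY_NAME:` / indented `STATE` lines), and the `sc config ... start= disabled` and `sc stop` syntax of modern sc.exe; the NT 4 Resource Kit version of the tool may differ. The sample output is constructed, the `RemExp` service key name is a placeholder (the alert gives only the display name), and the indicator file paths follow the alert's statement that %systemroot% is normally c:\winnt.

```python
"""Triage helper for the Remote Explorer indicators named in the ISS alert.

Added example, not ISS X-Force code.  Assumes modern sc.exe output and
command syntax; the sample `sc query` text below is constructed and the
service key name "RemExp" is a placeholder (the alert only gives the
display name "Remote Explorer").
"""
import re
from pathlib import PureWindowsPath

SUSPECT_DISPLAY_NAME = "remote explorer"

# File names from the alert, at the locations it describes.  The alert says
# %systemroot% is normally c:\winnt; adjust if the host differs.
INDICATOR_FILES = (
    PureWindowsPath(r"C:\WINNT\system32\drivers\ie403.sys"),
    PureWindowsPath(r"C:\WINNT\system32\drivers\taskmgr.sys"),
)

# Constructed sample of `sc query` output (not captured from a real host).
SAMPLE_SC_QUERY = """
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: RemExp
DISPLAY_NAME: Remote Explorer
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

# One service record: the two header lines, then any indented detail lines.
_BLOCK_RE = re.compile(
    r"SERVICE_NAME:\s*(?P<name>.+?)\r?\n"
    r"DISPLAY_NAME:\s*(?P<display>.+?)\r?\n"
    r"(?P<body>(?:[ \t]+.*\r?\n?)*)"
)
_STATE_RE = re.compile(r"STATE\s*:\s*\d+\s+(?P<state>[A-Z_]+)")


def parse_sc_query(text):
    """Turn `sc query` text into a list of {name, display, state} dicts."""
    services = []
    for m in _BLOCK_RE.finditer(text):
        state_m = _STATE_RE.search(m.group("body"))
        services.append({
            "name": m.group("name").strip(),
            "display": m.group("display").strip(),
            "state": state_m.group("state") if state_m else "UNKNOWN",
        })
    return services


def find_remote_explorer(services):
    """Services whose display name is the one the alert tells us to look for."""
    return [s for s in services
            if s["display"].strip().lower() == SUSPECT_DISPLAY_NAME]


def remediation_commands(service):
    """sc.exe commands in the alert's order: disable the service, then stop it.
    Modern sc.exe requires the space after 'start='."""
    name = service["name"]
    return [f'sc config "{name}" start= disabled', f'sc stop "{name}"']


def check_indicator_files(exists):
    """Return the indicator paths that `exists(path)` reports as present.
    The existence check is injected so the example runs offline and so a
    remote-share check (\\\\host\\c$\\...) can be substituted."""
    return [str(p) for p in INDICATOR_FILES if exists(p)]


if __name__ == "__main__":
    for hit in find_remote_explorer(parse_sc_query(SAMPLE_SC_QUERY)):
        print(f"found service {hit['name']!r} ({hit['display']}) state={hit['state']}")
        for cmd in remediation_commands(hit):
            print("   ", cmd)
    # Constructed filesystem view: pretend only ie403.sys is present.
    present = {str(INDICATOR_FILES[0])}
    print("indicator files present:", check_indicator_files(lambda p: str(p) in present))
```

The service check needs only the display name the alert gives, so it still works if the key name under which the virus registered itself differs from host to host; the file check is a secondary signal, since the alert notes that a non-administrator launch leaves no service behind but may still leave temporary copies.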


Credits:

Information in this report was provided by Vesselin Bontchev of F-Prot,
Bill Sobel of Symantec, Russ Cooper (moderator of NTBUGTRAQ), Microsoft,
as well as an investigation by ISS' X-Force. We also thank Microsoft for
providing assistance in our investigation.


For more information:
CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
http://www.cert.org/incident_notes/IN-98-07.html

Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)

Data Fellows Computer Virus Information Pages for RemExp, also known as
Rich, Remote_Explorer, IE403R.SYS, RICHS at
http://www.datafellows.com/v-descs/rich.htm

Microsoft Security Advisor "Information on the 'Remote Explorer' or
'RICHS' Virus" at http://www.microsoft.com/security/bulletins/remote.asp

__________


Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNpO+yjRfJiV99eG9AQH5cgQAss5q0Lx41v3HS9q1ve9VE8pVv8xBkhD9
jmo/eZ7SItn6v2CBHnxHcLmSx7UtUUfRZFMyANi7oCQytVMdW7duaKOKsbqMqfJq
31Zmcmtew5zjluYZTCXt/tTaVpqCeKgWYK22Vo3EHQehqej+5zpk99ZOe48ThM1u
kaYFxy0rJP4=
=FM/u
-----END PGP SIGNATURE-----