By Timothy Prickett Morgan
A new computer virus targeted to disrupt the operation of both the server and workstation versions of Microsoft’s Windows NT operating system broke out on the networks of telecom giant MCI Worldcom over the weekend. Antivirus software maker Network Associates and Microsoft have been working since then to contain the virus, called Remote Explorer, and develop an antidote to it. The Remote Explorer virus is (cover your eyes if you are the hacker who created it) particularly large and clever. Initial analysis by Network Associates indicates that it took about 200 man-hours to create Remote Explorer, which also includes some pre-compiled code obtained from other sources (which were not identified by Network Associates). The virus contains about 50,000 lines of C code, which compiles down to about 125 kilobytes. That’s big for a virus, and there’s a reason for it. It seems that Remote Explorer holds the dubious honor of being the first virus that is able to replicate itself over a Windows NT network without any particular action on the part of end users of the servers and the workstations attached to them. Remote Explorer does this by stealing the access privileges of NT system administrators, who obviously have access to server and client profiles. Once the virus gains access to these privileges, it moves onto machines and randomly compresses program files and encrypts data files so neither can be used by end users. The primary means of transmission of the virus is between NT machines, but Remote Explorer files can move onto Windows 95 and Windows 98 machines and corrupt their files as well. The virus reportedly can also move itself onto NetWare, Unix and Linux machines and, presumably, lie in wait to re-infect Windows machines. At this point, the virus doesn’t seem to be able to actually run on Unix machines, and it is unclear what it will do on a NetWare box. The virus apparently attempts to run between 3 PM on Saturday and 6 AM on Sunday, a time when computer systems are typically not very active and server and network resources can be used more fully to speed up the infection process. Network Associates says its NetShield and VirusScan programs for Windows NT and Windows 95/98 can identify the virus if updated with a patch (go to www.nai.com/products/antivirus/remote_explorer.asp for more details) and that it is working on a program that will remove it from memory without having to reboot the Windows NT and 95/98 machines, remove the virus and clean and repair encrypted data files and infected executables.
