Remote Explorer

From: David LeBlanc (dleblancat_private)
Date: Wed Dec 23 1998 - 08:41:02 PST


Aleph asked me to post a summary of what's known about this thing - there
is still a lot to be learned, so this isn't all nailed down just yet.  My
sources of information include dissecting it myself, Bill Sobel of
Symantec, Vesselin Bontchev of F-Prot, and various denizens of the
NTBUGTRAQ mailing list.

Remote Explorer can act as both a virus and a worm.  If it is run by an
ordinary user on an NT system, it will proceed to locate executable files,
insert a compressed copy of the original executable into a copy of itself
as a resource, then replace the original (including file attributes and
access times).  If it is run by an administrator, it then installs itself
as a service.  When it runs as a service, it is operating under System user
context, and so will then open the shell process (typically explorer) and
copy the process token, which it then uses to spawn a new copy of itself
running under the context of the logged-in user.  It then enumerates the
network and attempts to spread itself.  Whether it is installing itself as
a service remotely or is merely corrupting files isn't known.  It could be
doing either or both.  If it achieves running as a service, it qualifies as
a worm (actively spreads itself, rather than passively).

In addition to infecting executables, it also symmetrically encrypts
various data files.

Considering that if you log onto a machine to check it, it can steal
_your_ user context and propagate itself, it is best to check if it is
running as a service _remotely_.  It normally shows up as "Remote
Explorer", and can be located using sc from the Resource Kit, Server
Manager (point and click, so not practical for lots of machines), and the
ISS scanner will also find it (see the 'Unknown Services' check).  Once you
locate a copy of it running as a service, either use sc or Server Manager
to stop the service and set it to disabled.  Do not log on locally on a
machine with an active Remote Explorer service.  The various anti-virus
people are now coming up with disinfectors.
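The remote check the post recommends, as an added example that is not part of the original message: it enumerates services on a list of hosts without an interactive logon, reports any service whose name or display name is "Remote Explorer", and optionally stops and disables it with sc.exe. It assumes Windows PowerShell 5.1, WinRM reachable on the targets, and an account that is an administrator there; the host names are constructed placeholders.

```powershell
# Added example, not code from the original post. Checks hosts remotely for a
# service named or displayed as "Remote Explorer" so nobody has to log on to a
# possibly infected machine. Assumes WinRM access and local-admin rights.
param(
    [string[]]$Hosts = @('NT-SRV-01', 'NT-SRV-02'),   # constructed placeholder names
    [switch]$Disable                                   # stop + disable when found
)

function Find-RemoteExplorerService {
    param([string]$ComputerName)
    # Enumerate services over CIM; match either the internal or the display name.
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.Name -eq 'Remote Explorer' -or $_.DisplayName -eq 'Remote Explorer' }
}

foreach ($h in $Hosts) {
    try {
        $svc = Find-RemoteExplorerService -ComputerName $h
    } catch {
        Write-Warning "$h : could not query services ($($_.Exception.Message))"
        continue
    }
    if (-not $svc) {
        Write-Output "$h : no 'Remote Explorer' service found"
        continue
    }
    foreach ($s in $svc) {
        # Report enough to triage: state, start type and the binary path the SCM runs.
        Write-Output "$h : FOUND '$($s.Name)' state=$($s.State) start=$($s.StartMode) path=$($s.PathName)"
        if ($Disable) {
            # Same two actions the post recommends, issued to the remote SCM via sc.exe:
            # stop the service, then set start type to disabled so it cannot come back.
            & sc.exe "\\$h" stop "$($s.Name)" | Out-Null
            & sc.exe "\\$h" config "$($s.Name)" start= disabled | Out-Null
            Write-Output "$h : stopped and disabled '$($s.Name)'"
        }
    }
}
```

Run it first without -Disable to get an inventory, then with -Disable once you have confirmed the hits; the "start= disabled" argument keeps the space after "=" because sc.exe requires it.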
    
It appears that this may have been originated at MCI by a disgruntled
employee, and there are reports that the extent of the damage at MCI is far
less than Network Associates stated.  There are unconfirmed reports of it
being found outside MCI.

I'll repost when I have more information.


David LeBlanc
dleblancat_private
    



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:50 PDT