Aleph asked me to post a summary of what's known about this thing - there is still a lot to be learned, so this isn't all nailed down just yet. My sources of information include dissecting it myself, Bill Sobel of Symantec, Vesselin Bontchev of F-Prot, and various denizens of the NTBUGTRAQ mailing list.

Remote Explorer can act as both a virus and a worm. If it is run by an ordinary user on an NT system, it will proceed to locate executable files, insert a compressed copy of the original executable into a copy of itself as a resource, then replace the original (including file attributes and access times). If it is run by an administrator, it then installs itself as a service. When it runs as a service, it is operating under System user context, and so will then open the shell process (typically explorer) and copy the process token, which it then uses to spawn a new copy of itself running under the context of the logged in user. It then enumerates the network and attempts to spread itself. Whether it is installing itself as a service remotely or is merely corrupting files isn't known. It could be doing either or both. If it achieves running as a service, it qualifies as a worm (actively spreads itself, rather than passively). In addition to infecting executables, it also symmetrically encrypts various data files.

Considering that if you log onto a machine to check it, it can steal _your_ user context and propagate itself, it is best to check if it is running as a service _remotely_. It normally shows up as "Remote Explorer", and can be located using sc from the Resource Kit, Server Manager (point and click, so not practical for lots of machines), and the ISS scanner will also find it (see the 'Unknown Services' check). Once you locate a copy of it running as a service, either use sc or Server Manager to stop the service and set it to disabled. Do not log on locally on a machine with an active Remote Explorer service.
The various anti-virus people are now coming up with disinfectors. It appears that this may have been originated at MCI by a disgruntled employee, and there are reports that the extent of the damage at MCI is far less than Network Associates stated. There are unconfirmed reports of it being found outside MCI. I'll repost when I have more information.

David LeBlanc
dleblancat_private
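The post recommends checking for the service remotely with sc rather than logging on to a suspect machine. The following PowerShell sweep is an added example, not code from David LeBlanc's post or from any tool he names: it runs sc.exe against each host in a list, looks for a service whose display name (or service name) is "Remote Explorer", and with -Remediate stops it and sets it to disabled, all over the network. The hosts.txt file, the parameter names and the reliance on modern sc.exe behaviour (SERVICE_NAME:/DISPLAY_NAME:/STATE output lines, the `config <svc> start= disabled` form, the Win32 error code returned as exit status) are assumptions; the NT 4 Resource Kit version of sc may differ in syntax or output.

```powershell
<#
Added example, not code from the original post. Sweeps NT hosts over the
network for a service displayed as "Remote Explorer" and, with -Remediate,
stops it and sets it to disabled using sc.exe, so nobody has to log on
locally to an infected box. Assumptions: sc.exe is on PATH, the caller has
admin rights on each target, and sc.exe prints SERVICE_NAME:/DISPLAY_NAME:/
STATE lines and accepts "config <svc> start= disabled" (modern sc.exe; the
NT 4 Resource Kit version may differ). hosts.txt is a hypothetical file with
one hostname per line.
#>
param(
    [string]$HostList    = ".\hosts.txt",
    [string]$DisplayName = "Remote Explorer",
    [switch]$Remediate
)

# Run sc.exe against a remote host; return exit code plus captured output lines.
function Invoke-Sc {
    param([string]$Computer, [string[]]$ScArgs)
    $out = & sc.exe "\\$Computer" @ScArgs 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = @($out) }
}

# Parse "sc query" output into one object per SERVICE_NAME block.
function Get-RemoteService {
    param([string]$Computer)
    $r = Invoke-Sc -Computer $Computer -ScArgs @('query', 'type=', 'service', 'state=', 'all')
    if ($r.ExitCode -ne 0) { throw "sc query failed on $Computer (exit $($r.ExitCode))" }
    $svc = $null
    foreach ($line in $r.Output) {
        if ($line -match '^\s*SERVICE_NAME:\s*(.+?)\s*$') {
            $svc = [pscustomobject]@{ Computer = $Computer; Name = $Matches[1]; DisplayName = ''; State = '' }
        }
        elseif ($svc -and $line -match '^\s*DISPLAY_NAME:\s*(.+?)\s*$') {
            $svc.DisplayName = $Matches[1]
        }
        elseif ($svc -and $line -match '^\s*STATE\s*:\s*\d+\s+(\S+)') {
            $svc.State = $Matches[1]
            $svc            # STATE is the last field we need; emit the record
            $svc = $null
        }
    }
}

# Stop the service, then set start= disabled so it does not return on reboot.
function Disable-RemoteService {
    param([string]$Computer, [string]$Name)
    $stop = Invoke-Sc -Computer $Computer -ScArgs @('stop', $Name)
    # 1062 = ERROR_SERVICE_NOT_ACTIVE (already stopped); anything else is a real failure.
    if ($stop.ExitCode -ne 0 -and $stop.ExitCode -ne 1062) {
        Write-Warning "$Computer`: stop '$Name' failed (exit $($stop.ExitCode))"
    }
    $cfg = Invoke-Sc -Computer $Computer -ScArgs @('config', $Name, 'start=', 'disabled')
    if ($cfg.ExitCode -ne 0) {
        Write-Warning "$Computer`: could not disable '$Name' (exit $($cfg.ExitCode))"
    }
    return ($cfg.ExitCode -eq 0)
}

foreach ($computer in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    try {
        $hits = Get-RemoteService -Computer $computer |
                Where-Object { $_.DisplayName -eq $DisplayName -or $_.Name -eq $DisplayName }
        if (-not $hits) { Write-Host "$computer`: clean"; continue }
        foreach ($h in $hits) {
            Write-Host "$computer`: FOUND service '$($h.Name)' ('$($h.DisplayName)') state=$($h.State)"
            if ($Remediate -and (Disable-RemoteService -Computer $computer -Name $h.Name)) {
                Write-Host "$computer`: stopped and disabled '$($h.Name)'"
            }
        }
    }
    catch { Write-Warning "$computer`: $_" }
}
```

Run it first without -Remediate to get an inventory, then with -Remediate from an account that is an administrator on the targets. It matches on the internal service name as well as the display name because sc stop/config take the service name, and the name the malware registers under could differ from the display name the post reports.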
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:50 PDT