             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

                           Windows NT Remote Explorer

January 20, 1999 17:00 GMT                                         Number J-024
______________________________________________________________________________

PROBLEM:       Remote Explorer is an application that has the capability of
               behaving as either a virus or a worm.

PLATFORM:      Microsoft Windows NT

DAMAGE:        When running as an executable, applications might not behave
               normally. When running as a service, the virus can set the file
               attributes to that of the host file and replace the host file.

SOLUTION:      Listed under 'Recommendations' below are steps that can be taken
               to locate the virus and disable it if it is running as a
               service.
______________________________________________________________________________

VULNERABILITY  Risk is low. This virus does not exploit any security
ASSESSMENT:    weaknesses in Windows NT, and requires an administrator to run
               a Trojan executable in order for it to be installed as a
               service. CIAC HAS NOT SEEN ANY EVIDENCE OF THIS VIRUS BEING IN
               THE WILD. THERE HAVE BEEN NO CONFIRMED REPORTS OUTSIDE OF THE
               ORIGINAL REPORTING SITE.
______________________________________________________________________________

[ Start ISS Security Advisory ]

ISS Security Advisory
January 5, 1999

Remote Explorer

Synopsis:

Remote Explorer is an application that runs on Microsoft Windows NT(tm) systems
and is capable of behaving as either a virus or a worm. The virus has only been
found on limited portions of one corporate network. At this time, there are no
confirmed reports of Remote Explorer being found on any other networks.

Remote Explorer can be detected using sc.exe from the Resource Kit and tools
that ship with Windows NT.
It can also be detected with Internet Security Systems' (ISS) Internet
Scanner(tm) for Windows NT security assessment software. Several anti-virus
vendors currently ship software that will remove the virus from a system.

Description:

Remote Explorer is capable of running both as an executable and as a Windows
NT service. When present in executable form, the virus stores the host
executable as a resource, along with a copy of PSAPI.DLL. Resources are how a
Windows executable stores icons, dialogs, and other information that might be
needed.

When the virus executes, it first attempts to install itself as a service, and
copies itself to ie403.sys. Ie403.sys is typically found in
%systemroot%\system32\drivers, and %systemroot% is normally c:\winnt. If the
user who invokes the virus is not an administrator, the virus cannot be
installed as a service. It will then copy the host executable to a temporary
file and start the application. As a result, applications might not behave
normally.

When the virus is running as a service, it checks for a logon every 10
minutes. If a user has logged on, it acquires their process token (or user
credentials), copies itself to taskmgr.sys, and starts that process using the
credentials of that user. It then searches the disk for executables which are
not in the %systemroot% or C:\Program Files trees, and infects those files.
This is accomplished by compressing the files using the same algorithm as gzip
and storing the host, as a resource, into a copy of the virus. Remote Explorer
then sets the file attributes (access times, etc.) of the virus to those of
the host file, and replaces the host file. If the virus has been invoked by
the service, it can also access any network shares available to the user that
the process is impersonating.

There are conflicting reports as to whether the virus compresses documents on
an infected computer. If so, the compression should be reversible.
The virus also lies dormant during normal working hours, and appears to only
become active during the hours of 9PM to 6AM, and all hours during weekends.
It is also apparently quite buggy, and takes measures to clean up any errors
that may occur by erasing Dr. Watson logs and closing any error windows that
might appear because of the virus' processes.

The virus has been reported as an entirely new class, and with respect to
using Windows NT services, that is true. However, most of its mechanisms
follow normal viral behavior. The choice to use Windows NT services makes it
relatively easy to detect. This virus does not exploit any security weaknesses
in Windows NT, and requires an administrator to run a Trojan executable in
order for it to be installed as a service.

Initial reports were that several thousand corporate machines were infected,
severely disrupting that company's network operations. However, CERT(R)
reports that 50 machines were infected. Contacts within the affected company
confirm that the number of infected machines was somewhat less than 50, and
that the disruption was confined to a test network. There have been no
confirmed reports of the virus existing outside of the original reporting
site, with the exception of copies obtained by virus researchers. There are
indications that the original virus may have been installed by a disgruntled
employee.

Recommendations:

Any tool that is capable of enumerating Windows NT services can find the virus
if it is present as a service. Server Manager, which ships with Windows NT
Server and the Windows NT Resource Kit, can be used to find the service:

1. Select the host.
2. From the Computer menu, choose Services. The Services window appears.
3. From the Services window, determine if "Remote Explorer" is running.
4. If Remote Explorer is running, select it.
5. Choose Startup and set the Startup Type to Disabled.
6. Click OK to disable the service.
7. Click the Stop button to halt the service. Click Yes to confirm.
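The same enumerate / disable / stop procedure, scripted so it can be run against a list of hosts. This is an added example, not code from the CIAC or ISS bulletin; it uses Windows PowerShell and CIM, which did not exist on Windows NT 4.0, and assumes WMI/CIM access to each host and administrator rights for the -Remediate step. The only indicators it uses are the ones named in the advisory (the "Remote Explorer" service and the ie403.sys / taskmgr.sys file names); the location of taskmgr.sys is an assumption.

```powershell
# Added example (not from the bulletin): automate the Server Manager /
# sc.exe steps above. Assumes CIM access to each host and admin rights.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Remediate
)

# Indicators from the bulletin: the service's display name and the two
# file names the virus copies itself to. ie403.sys is documented under
# %systemroot%\system32\drivers; taskmgr.sys is assumed (not stated)
# to sit somewhere under system32 as well.
$ServiceDisplayName = 'Remote Explorer'
$DropperNames       = @('ie403.sys', 'taskmgr.sys')

foreach ($target in $ComputerName) {
    # Enumerate services the same way Server Manager does, but remotely.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $target `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq $ServiceDisplayName -or
                          $_.Name -eq $ServiceDisplayName }

    if (-not $svc) {
        Write-Output "$target : no '$ServiceDisplayName' service found"
        continue
    }

    Write-Warning ("$target : '$($svc.DisplayName)' present, state=" +
                   "$($svc.State), start=$($svc.StartMode), image=$($svc.PathName)")

    if ($Remediate) {
        # Steps 5-7 of the bulletin: Startup Type -> Disabled, then Stop.
        $r1 = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                  -Arguments @{ StartMode = 'Disabled' }
        $r2 = Invoke-CimMethod -InputObject $svc -MethodName StopService
        Write-Output ("$target : ChangeStartMode rc=$($r1.ReturnValue), " +
                      "StopService rc=$($r2.ReturnValue) (0 = success)")
    }
}

# Local file check: confirm whether the dropper file names are present so
# the anti-virus cleanup step can be verified afterwards.
$hits = Get-ChildItem -Path (Join-Path $env:SystemRoot 'system32') -Recurse `
            -Include $DropperNames -ErrorAction SilentlyContinue
foreach ($h in $hits) {
    Write-Warning "local file indicator present: $($h.FullName)"
}
```

Run without -Remediate first to inventory hosts; the file check only inspects the machine the script runs on.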
Alternately, sc.exe from the Windows NT Resource Kit can be used to both detect
and stop the virus. See the documentation on sc for details.

ISS Internet Scanner for Windows NT can also be used to detect the virus, and
has the advantage of only requiring user-level access to the host (the
standard tools require administrator access):

1. Load a scan session.
2. From the Policy menu, choose Edit.
3. Select the NT Services tab, then verify that the "Report Unknown Services"
   check is enabled.

If Remote Explorer is present, it will be reported on screen as "Unknown NT
Service - Remote Explorer". Scanning can effectively and quickly check large
numbers of hosts.

If possible, remotely disable the Remote Explorer service and use an
anti-virus tool of your choice to make sure that all infected executables are
cleaned.

Credits:

Information in this report was provided by Vesselin Bontchev of F-Prot, Bill
Sobel of Symantec, Russ Cooper (moderator of NTBUGTRAQ), Microsoft, as well
as an investigation by ISS' X-Force. We also thank Microsoft for providing
assistance in our investigation.

For more information:

CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
http://www.cert.org/incident_notes/IN-98-07.html

Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)

Data Fellows Computer Virus Information Pages for RemExp, also known as Rich,
Remote_Explorer, IE403R.SYS, RICHS at http://www.datafellows.com/v-descs/rich.htm

Microsoft Security Advisor "Information on the 'Remote Explorer' or 'RICHS'
Virus" at http://www.microsoft.com/security/bulletins/remote.asp

- -------------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
X-Force.
If you wish to reprint the whole or any part of this alert in any other medium
excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html, as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

[ End ISS Security Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems,
Inc. for the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day.
During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and
leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC
has two Sky Page PIN numbers: the primary PIN number, 8550070, is for the
CIAC duty person, and the secondary PIN number, 8550074, is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

    E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
    e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation that
you will need to mail back to the addresses above, as per the instructions in
the email. This is a partial protection to make sure you are really the one
who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses
J-019: Intelligent Peripherals Create Security Risk
J-020: SGI IRIX fcagent daemon Vulnerability
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability