NAI tackles new NT virus that plays admin

Network Associates (NAI) is warning companies this week about a new type of virus discovered last week that propagates itself in Windows NT networks, compressing program files so they won't execute and encrypting data files so they can't be accessed.

NAI has posted to its web site at a detector program that will help companies search their systems for the virus, said Peter Watkins, general manager of NAI's network security division. In addition the company has also posted a cleaner program that will allow companies to restore their files to their original state and immunise their systems against infection and re-infection, Watkins said.

The virus, dubbed Remote Explorer, was first detected in a network of MCI WorldCom, said Jim Monroe, an MCI WorldCom spokesman. "We were able to detect and contain it quickly so there was no effect on customers or other operations," he said, declining to elaborate on specifics of the virus attack.

NAI said the virus isn't typical in that it uses the NT network to propagate itself and spread to other systems throughout the network.

"It uses NT remote management technologies and gives itself permission by emulating the network administrator and allows itself to travel without human interaction," as opposed to most viruses, which are distributed via email or floppy disks, said Vincent Gullotto, manager of NAI Labs, in a conference call. "It's the first NT-hosted virus we've seen," he added.

The virus installs itself on either an NT server or NT workstation, adopting the name ie403r.sys or remote explorer and carries a DLL (dynamic link library) that helps it spread, Gullotto said.

Unlike other viruses that delete data and reformat or corrupt hard drives, this new virus simply corrupts and renders data unusable by compressing executables and encrypting data files, he said.

The virus is timed to expedite its infection and spreading activities between the hours of 3 p.m. and 6 a.m. Monday through Friday and all day on Saturday and Sunday, times when network administrators are less likely to be watching their networks, said Gullotto.

NAI's products now have a fix to the virus in the form of a .dat file update that is downloadable from its Web site, he said. The cleaner utility is a separate program, but it will eventually be included in future product releases, he added.

At 125K-bytes in size, the virus is fairly large and was written in C, according to Gullotto. It doesn't spread on Unix systems, nor does it spread on systems running the Digital Equipment Corp. Alpha processor, he said. It could be sent via email, but it would need to be run or saved on an NT system to propagate.

The virus apparently only operates on NT systems, although Unix and other operating systems can serve as carriers of the virus that do not allow the virus to propagate on their networks, NAI said.

Jason Garmes, Windows NT security product manager at Microsoft, said the virus only runs on Intel x86 class chips, including Pentiums, and on NT 4.0. It also needs human interaction to get started, he said. Once it gets into a computer, it needs to be run as an executable and can only spread as far as the user of the machine has authorisation in the network, he said. However, it spreads quickly once a network administrator logs on, stealing the administrator's credentials to travel throughout the network, he said.

People can send suspect files to NAI for diagnosis via email at or

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about IntelMCIMCI WorldComMicrosoftNAINT SecurityReFormatWorldCom

Show Comments