Data Fellows' F-Secure Anti-Virus Detects and Disinfects Remote Explorer Virus

Remote Explorer Virus Less Threatening Than Suspected

Espoo, Finland, December 30, 1998 -- A few days ago, computer users were frightened by a global threat in the form of a terrible new virus called Remote Explorer, alias Rich, IE403R.SYS, or RICHS.

"It seems that the initial threat was exaggerated," comments Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows Group. "Remote Explorer is the first Windows NT virus that stays active in memory. It is quite complex. However, this virus does not hook NT events; does not use network protocols; does not steal passwords; does not sniff network traffic; and does not spread over the Internet by itself. There is in fact very little revolutionary in this virus - it is not even the first Windows NT virus," Mr Hypponen continues.

Win32/RemExp stays active in memory as a Windows NT service and infects EXE files. It does not spread on machines running Windows 95 or any other operating system. It activates by encrypting files, making them unusable. It can also hide certain error messages, thereby attempting to make itself transparent.

The information about the new virus came from Network Associates International (formerly McAfee). However, no other computer antivirus researcher in the world had a sample of the virus, nor was NAI able to provide one. Normally, antivirus developers cooperate to stop the most dangerous viruses.

Says Data Fellows’ virus expert Sami Reijonen, "The virus cannot spread from one company to another by itself. The virus uses Windows NT LANs to spread. It does not spread by itself over a WAN to other companies. Naturally, the virus may be carried to another location by e-mail, floppies etc., but this has not happened yet. This seems to be an isolated incident."

Sami Reijonen continues, "Currently the virus is known to have been found in only one company. That company is now disinfected. The company’s representative said that in the end it didn’t harm their services. No customer data was in danger at any time. I don’t think there is a big concern for others. If Remote Explorer were in wide distribution, then there would be real concern."

There are many viruses in the wild today that are more dangerous than Remote Explorer. They are currently spreading in thousands of corporations and doing real damage. Remote Explorer is not doing this. Remote Explorer is no more of a cause for concern than any other virus.

F-Secure Anti-Virus has been able to protect against Remote Explorer since December 24 - the virus was analysed and detection was added in less than a day after finally receiving a sample of the virus for research.