Additional Details
This virus infects Windows executable files (PE files). It spreads
only under Windows NT, on both servers and workstations. The virus is
able to spread over the local network, not only on the local machine.
This is the first known parasitic virus that stays resident in Windows
NT memory as a system service.
Installation
When an infected EXE file is executed on a system for the first time,
the virus gets control and runs its installation procedure. It copies
itself to the WinNT System32\Drivers directory under the name
IE403R.SYS and runs this copy as a system service. The EXE instance of
the virus then releases control.
If an infected EXE file is executed on an already infected system, the
virus looks for its code in the system, removes it and replaces it with
its new copy. So the virus seems to be able to upgrade itself with a
new version.
When the infected driver (the IE403R.SYS file) is executed, the virus
stays in system memory as a standard Windows NT service, but does not
hook any system events. Instead the virus just waits in a "sleeping"
loop that is woken by a system timer every ten minutes. The virus then
randomly chooses between its infection and hiding routines: in 2 cases
out of 5 it runs the infection routine, otherwise it runs the hiding
routine.
Infection and Damage
The infection routine scans local and shared remote drives, looks for
EXE files and infects them. While infecting, the virus compresses the
target EXE file, writes itself in place of the target file (overwriting
it), and appends the compressed data to the end of its own code as a PE
file resource. To run the host file when the infected file is executed,
the virus extracts it from the resource to a temporary file, executes
it, and then deletes the file. For compression the virus uses the
"deflate" method with GZIP-like data headers.
Depending on the system random counter the virus also corrupts randomly
selected files on the disk that is being scanned. The virus compresses
them using the same compression method and then encrypts the compressed
data.
Depending on the system random counter, in 1 case out of 20 the virus
also scans the network drives by their UNC names and processes them in
the same way as described above.
The virus does not affect any files in the Windows directory, nor in
the Windows System and temporary directories, nor in the
"C:\Program Files" folder. The virus also checks the file name
extension and does not encrypt .OBJ, .TMP and .DLL files.
Hiding routine
This routine is run as the alternative to the infection routine (see
above) and "cleans" virus traces from the system. First of all it looks
for windows with the titles "TASKMGR.SYS - Application Error" and
"Dr.Watson for Windows NT" and closes them. In this way the virus
suppresses the error messages caused by its own bugs.
The virus then checks whether its driver has been "sleeping" for too
long (more than one hour). In that case the virus kills the service.
The virus also deletes the DRWTSN32.LOG file as well as all "~*" files
in the Windows temporary directory.
Features
While the virus is installing itself into the system, it is visible for
some time in the Task Manager's process list under the name
"IE403R.SYS". At any time it is visible in Control Panel/Services as
the "Remote Explorer" service.
The virus does not spread under Windows 95/98. Under Windows 95 the
infected files are terminated with the standard error message; under
Windows 98 the virus successfully extracts and executes the host file,
but does not install itself into the system.
The virus is able to install itself on an NT machine only if the
current user has Administrator privileges; otherwise it fails to
install its service in NT memory. However, if the computer is already
infected, logging on with a non-Administrator account does not stop the
virus that is already installed in memory, since it runs as a service
independently of the logged-on user.
The virus's infection, hiding and damage routines work only outside
working hours: all day on Saturday and Sunday, and on other days only
from 21:00 till 6:00. Otherwise the virus sets the lowest priority for
itself and "sleeps" for long periods of time. So the virus may run its
routines even in working hours, but only if nobody has been using the
computer for a long time.
The virus has bugs and may work incorrectly. For example, it does not
check the executable format and infects DOS EXE files as well as
Windows EXE files.
Additional Tech Details
The virus is quite large: it is written in Microsoft Visual C++ and is
about 125K. The original virus code occupies about 14K, the GZIP
routines 20K, and the C run-time libraries 40K. The rest is occupied by
virus/C++ data, resources, etc.
The virus has a quite unusual structure: the infected files have code
and data segments, as well as three resources that contain compressed
executable files. The first resource contains the standard NT4
PSAPI.DLL, which the virus uses to access processes in system memory.
The second resource is the original virus code itself (including the
same compressed PSAPI.DLL in its own resource). This copy of the virus
code is used as the source data for installing the virus into the
system and for infecting EXE files.
The third resource is the host file, which is extracted and
decompressed when the virus needs to run the host program.
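The layout described in "Infection and Damage" and in the three-resource structure above (deflate-compressed images with GZIP-like headers, host last) is what an analyst has to undo to get the original program back out of an infected file. The following is an added example, not code from the original description and not the virus's own code: it carves every gzip-style deflate header out of an infected image, inflates each member, and takes the last non-DLL PE image as the host. It assumes that the resources appear in the file in the order given above and that a "GZIP-like" header is either a complete gzip member or a bare 10-byte gzip header followed by a raw deflate stream with no trailer. The infected image it works on is constructed inline from PE-shaped stand-ins.

```python
"""Added example: carve deflate-compressed PE images out of an infected file
laid out like the description above (three GZIP-like resources, host last).
This is analyst tooling, not the virus's code; the sample image is constructed."""
import gzip
import struct
import zlib

GZIP_DEFLATE_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)
GZIP_HEADER_LEN = 10                  # fixed part of a gzip header
IMAGE_FILE_DLL = 0x2000               # PE FileHeader.Characteristics flag


def find_gzip_headers(blob):
    """Offsets of every gzip-style deflate header in the blob, in file order."""
    offsets, pos = [], 0
    while (pos := blob.find(GZIP_DEFLATE_MAGIC, pos)) != -1:
        offsets.append(pos)
        pos += 1
    return offsets


def inflate_member(blob, offset):
    """Inflate one member starting at offset.

    Assumption: the "GZIP-like" header is either a complete gzip member
    (header, deflate data, CRC32/ISIZE trailer) or a bare 10-byte gzip header
    followed by a raw deflate stream with no trailer. Returns None if neither
    variant parses to a complete stream."""
    for wbits, start in ((31, offset), (-15, offset + GZIP_HEADER_LEN)):
        inflater = zlib.decompressobj(wbits=wbits)
        try:
            data = inflater.decompress(blob[start:])
        except zlib.error:
            continue
        if inflater.eof:  # a complete stream ended here; trailing bytes ignored
            return data
    return None


def pe_info(data):
    """Minimal PE check: MZ stub, e_lfanew -> 'PE\\0\\0', then the DLL flag.
    Returns None for anything that is not a PE image (a DOS-only MZ included)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def carve_members(infected):
    """Every inflatable member in the file, with its offset and PE metadata."""
    members = []
    for off in find_gzip_headers(infected):
        data = inflate_member(infected, off)
        if data is not None:
            members.append({"offset": off, "data": data, "pe": pe_info(data)})
    return members


def recover_host(infected):
    """The host is the last compressed resource (after PSAPI.DLL and the
    virus's own copy), so take the last non-DLL PE image that was carved."""
    hosts = [m for m in carve_members(infected) if m["pe"] and not m["pe"]["is_dll"]]
    return hosts[-1]["data"] if hosts else None


# ---- constructed sample data (stand-ins, not real binaries) -----------------
def fake_pe(body, is_dll=False):
    """Constructed PE-shaped blob: MZ header, e_lfanew=0x40, PE signature,
    a 20-byte IMAGE_FILE_HEADER (i386) and an arbitrary body."""
    flags = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, flags)
    return hdr + body


PSAPI_DLL = fake_pe(b"constructed stand-in for PSAPI.DLL", is_dll=True)
VIRUS_COPY = fake_pe(b"constructed stand-in for the virus body")
HOST_EXE = fake_pe(b"constructed stand-in for the original host program " * 4)


def headerless_member(payload):
    """Constructed variant of the second header style: 10-byte gzip-style
    header, raw deflate data, no CRC32/ISIZE trailer."""
    return b"\x1f\x8b\x08" + b"\0" * 7 + zlib.compress(payload)[2:-4]


def build_sample():
    """Infected image: virus stub, then the three resources gzip-compressed in
    the order given in the description, plus some trailing slack."""
    stub = fake_pe(b"\0" * 64)
    resources = b"".join(gzip.compress(x, mtime=0) for x in (PSAPI_DLL, VIRUS_COPY, HOST_EXE))
    return stub + resources + b"\0" * 16


if __name__ == "__main__":
    sample = build_sample()
    for m in carve_members(sample):
        print(f"member at 0x{m['offset']:x}: {len(m['data'])} bytes, pe={m['pe']}")
    print("host recovered:", recover_host(sample) == HOST_EXE)
```

Because the virus does not check the executable format before infecting (see "Features"), a recovered member may be a plain DOS MZ executable with no PE header; pe_info returns None for those, so a None result must not be read as "not the host" without looking at the member by hand.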
System Registry: when installing its SYS driver into the system the
virus uses the standard NT API calls. This causes the system to
register the virus driver in the system registry: the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer
is created.
Temporary files: while compressing/decompressing files the virus needs
temporary files. It creates them in the Windows temporary directory
with random names of the form ~xxxdddd.TMP (where 'x' is a letter and
'd' a digit).
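The driver name and location, the service name, the registry key, the temporary file pattern and the activity window given in "Features" and in the two paragraphs above are the observable indicators of this virus on a host. The following is an added example, not code from the original description: it takes a file listing (path plus modification time) and an exported service list, both constructed here, and flags the entries that match those indicators. It treats 06:00 as the end of the activity window (an assumption; the description only says "till 6:00"). On a live NT machine the inputs would come from a directory listing of System32\Drivers and the temp directory and from Control Panel/Services; the registry key can be checked directly.

```python
"""Added example: offline triage of a file listing and a service list against
the indicators described above. Not the virus's code; inputs are constructed."""
import re
from datetime import datetime

DRIVER_NAME = "IE403R.SYS"        # copied to System32\Drivers on installation
SERVICE_NAME = "Remote Explorer"  # name shown in Control Panel/Services
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer"
TEMP_NAME = re.compile(r"~[A-Za-z]{3}[0-9]{4}\.TMP", re.IGNORECASE)  # ~xxxdddd.TMP


def as_datetime(ts):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM' string from a file listing."""
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


def in_activity_window(ts):
    """True when the virus's routines are allowed to run: all day Saturday
    and Sunday, otherwise 21:00 up to (assumption: not including) 06:00."""
    ts = as_datetime(ts)
    if ts.weekday() >= 5:  # Monday == 0, so 5 and 6 are Saturday and Sunday
        return True
    return ts.hour >= 21 or ts.hour < 6


def classify(path, mtime):
    """Indicator tags for one (path, modification time) entry."""
    parent, _, name = path.rpartition("\\")
    tags = []
    if name.upper() == DRIVER_NAME and parent.lower().endswith(r"\system32\drivers"):
        tags.append("virus-driver")
    if TEMP_NAME.fullmatch(name):
        tags.append("virus-tempfile")
    # Weak, corroborating signal only: legitimate EXEs get modified at night too.
    if name.upper().endswith(".EXE") and in_activity_window(mtime):
        tags.append("exe-modified-in-window")
    return tags


def triage(listing):
    """Return [(path, tags)] for every entry carrying at least one indicator."""
    hits = []
    for path, mtime in listing:
        tags = classify(path, mtime)
        if tags:
            hits.append((path, tags))
    return hits


def service_present(service_names):
    """True if the 'Remote Explorer' service appears in an exported service list."""
    return any(n.strip().lower() == SERVICE_NAME.lower() for n in service_names)


# Constructed listing: 19-20 Dec 1998 are a Saturday/Sunday, 21 Dec a Monday.
SAMPLE_LISTING = [
    (r"C:\WINNT\system32\drivers\IE403R.SYS", "1998-12-19 23:14"),
    (r"C:\WINNT\system32\IE403R.SYS", "1998-12-21 10:30"),  # wrong directory
    (r"C:\TEMP\~abc1234.TMP", "1998-12-20 02:05"),
    (r"C:\TEMP\~ab12345.TMP", "1998-12-20 02:06"),          # wrong name shape
    (r"D:\apps\report.exe", "1998-12-21 22:30"),            # Monday, in window
    (r"D:\apps\editor.exe", "1998-12-21 10:30"),            # Monday, working hours
]
SAMPLE_SERVICES = ["Alerter", "Remote Explorer", "Workstation"]  # constructed

if __name__ == "__main__":
    for path, tags in triage(SAMPLE_LISTING):
        print(path, "->", ", ".join(tags))
    print("service present:", service_present(SAMPLE_SERVICES))
    print("registry key to check:", SERVICE_KEY)
```

The "exe-modified-in-window" tag is meant only to narrow a timeline once the driver or the service has been found: the description says nothing about the virus altering timestamps, and ordinary installs run overnight too. Note also that the hiding routine deletes "~*" files from the temporary directory, so the absence of ~xxxdddd.TMP files proves nothing.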
Resume
The virus is the first native "memory resident" NT infector, so it
might look like some super-virus. Actually the virus was written by a
middle-level developer with access to the NT Device Development Kit
documentation.
The virus does not hook any NT events, does not use any network
protocols, does not try to access passwords, and does not spread its
copies over the global network. Moreover, ordinary DOS parasitic
viruses have the same network spreading abilities as this virus: they
can also infect files on remote shared drives, stay in system memory,
etc.
This is just a standard parasitic virus, but with the ability to
install itself as an NT service. It is no more complex than some other
already known Windows viruses, and definitely no more complex than the
well-known BO trojan (BackOrifice).
This virus is no shock at all: it is the long-awaited Windows NT
service-based virus.
[Mikko Hypponen & Eugene Kaspersky]