This virus infects Windows executable files (PE files). It spreads
only under Windows NT on servers and workstations. The virus is able
to spread over the local network, not only on local machine. This is
the first known parasitic virus that stays in the WinNT memory as a
When an infected EXE file is executed on the system at the first time,
the virus gets control and runs its installing procedure. It copies
itself to the WinNT System32\Drivers directory with the IE403R.SYS
name and runs this copy as a system service. The EXE instance of the
virus then releases the control.
If an infected EXE file is executed under already infected system, the
virus looks for its code in the system, removes it and replaces with
its new copy. So the virus seems to be able to upgrade itself with new
When the infected driver (the IE403R.SYS file) is executed, the virus
stays in the system memory as a standard Windows NT service, but does
not hook any system events. Instead of that the virus just delays in
"sleeping" loop that is interrupted by system timer each ten minutes.
The virus then randomly runs its infection and hiding routines: in 2
cases from 5 it runs infection, otherwise it runs hiding routine.
Infection and Damage
The infection routine scans local and shared remote drives, looks for
EXE files and infects them. While infecting the virus compresses the
target EXE file, writes itself to the top of target file (overwrites
it), and adds compressed data to the end of its code as a PE file
resource. To run the host file when infected file is run, the virus
extracts it from resource to the temporary file, executes, and then
deletes the file. While compressing the virus uses the "deflate"
method with GZIP-like data headers.
Depending on the system random counter the virus also corrupts
randomly selected files on the disk that is being scanned. The virus
compresses them by using the same compression method and then encrypts
with some optimal algorithm.
The virus depending on the system random counter in 1 case of 20 also
scans the network drives by using their UNC names and processes them
in the same way as described above.
The virus does not affect any files in the Windows directory, as well
as in the Windows System and temporary directories and in the
"C:\Program Files" folder. The virus also checks the file name
extension and does not encrypt the .OBJ, .TMP, .DLL files.
This routine is run next to infection routine, and "cleans" virus
traces in the system. First of all it looks for the windows with
"TASKMGR.SYS - Application Error" and "Dr.Watson for Windows NT"
titles and closes them. So the virus bypasses the error messages
caused by its bugs.
The virus then checks its driver "sleeps" for too long time (more that
one hour). In this case the virus kills the service.
The virus also deletes the DRWTSN32.LOG file as well as all "~*" files
in the Windows temporary directory.
When the virus is installing itself into the system, for some time it
is visible in the TaskManager's process list with the "IE403R.SYS"
name. At any time it is visible in the ControlPanel/Services as the
"Remote Explorer" service.
The virus does work under Windows95/98. Under Windows95 the infected
files are terminated with the standard error message, under Window98
the virus successfully extracts and executes the host file, but does
not install itself into the system.
The virus is able to run on NT machine only in case the CurrentUser
has Admin privileges, otherwise the virus fails to install its service
in NT memory. Despite on this, if the computer is already infected,
the logging with not Admin account will not prevent the virus
installed in the memory.
The virus infection, hiding and damage routines do work only in
non-working hours: full day on Sunday and Saturday, on other days -
only from 21:00 till 6:00 on other days. Otherwise the virus sets
lowest priority for itself, and "sleeps" for long periods of time. So
the virus runs its routine ever in work-hours, but only in case nobody
is accessing the computer for the long time.
The virus has bugs and may work incorrectly. It does not check file
names and infects DOS EXE files as well as Windows EXE, for example.
Additional Tech Details
The virus has quite large size - it is written in Microsoft Visual C++
and is about 125K. The original virus code occupies about 14K, GZIP
routines - 20K, C run-time libraries - 40K. Other data are occupied by
virus/C++ data, resources, e.t.c.
The virus has quite unusual structure: the infected files have code
and data segments, as well as three resources that contains compressed
executable files. The first recourse contains the standard NT4
PSAPI.DLL that is used by virus to access processes in the system
The second resource is the original virus code itself (including the
same compressed PSAPI.DLL in the resource). This copy of virus code is
used as the original data to install the virus into the system and to
infect EXE files.
The third resource is the host file that is extracted and
decompressed, when the virus needs to run the host program.
System Registry: while installing its SYS driver to the system the
virus uses the standard NT API calls. That caused the system to
register the virus drivers in the system registry - the
Temporary files: while compressing/decompressing files the virus
needs for temporary ones. It creates them in the Windows temporary
directory with the random names ~xxxdddd.TMP (where 'x' - letters,
'd' - digits).
The virus is the first native "memory resident" NT infector, so it
might look as some super-virus. Actually the virus was written by some
middle-level developer that has access to the NT DeviceDevelopmentKit
The virus does not hook any NT event, does not use any network
protocols, does not try to access the passwords, and spread its copy
over the global network. Moreover, the ordinary DOS parasitic viruses
have the same network spreading abilities like this virus has - they
also can infect files on remote shared drives, stays in the system
This is just a standard parasitic virus, but with NT service infection
ability. It is not more complex than some other already known Windows
viruses are, and definitely not more complex than the well-known BO
This virus is not a shock at all - it is long awaited Windows NT
[Mikko Hypponen & Eugene Kaspersky]