Remote Explorer: McAfee's selling trick or an interesting target?

M$bashing

Remote Explorer: is this the virus to study?

The "Remote Explorer" virus runs on Micro$oft Windoze NT servers and affects common programs like Micro$oft Word. It cannot run on Windoze 9x because this virus/trojan runs as a "service", which is only possible if you are running Windoze NT as your op/sys, and because Windows 9x lacks the RPC functions that would allow it to spread there in the first place. You can nevertheless have a file in win95 that's infected with the virus, but it won't do any damage to your system. Remote Explorer will only affect NT computers.

Users clicking on their Word icon might experience a slight delay, but otherwise would be unable to detect the presence of the virus; meanwhile, the virus is busy corrupting files and spreading to other programs. Micro$oft officials say they're "aware of other viruses that have the same characteristics," and Network Associates says it has developed a Remote Explorer detector and is working on a solution to decode the affected files.

Remote Explorer. Here are the facts I found:
Discovered on December 17, 1998. Probably released by NAI (McAfee) itself with the complicity of MCI, or else heavily used by NAI to promote itself.
Primarily targets Microsoft Windows NT Servers and Workstation systems. The virus is memory resident, encrypts EXE, TXT, and HTML files. Spreads through a LAN/WAN environment.

Indications you are hosting the virus:
Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected. Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected.

Virus Characteristics
The most outstanding characteristic is that it can move/transport itself without typical user intervention (passed on floppy, via email) and replicate like a worm.
It is the first infection program that spreads on NT Servers and/or NT Workstations. It does so by compressing the target executable.
The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS. It also installs itself as a service with the name "Remote Explorer". It also carries a DLL that supports it in the infecting and encryption process.
If the DLL is deleted it will make another copy.
Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects files and compresses them in addition to encrypting data on a random basis.
Windows NT is the primary method for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus can not spread further on these platforms.
Can infect any EXE and when doing so uses a compression routine to make the file unusable.
It uses an encryption algorithm on data files including TXT and HTML formats. It appears to choose a directory randomly, infects the files that meet the criteria it has set, and encrypts the others that it can't infect.
It is a 125-kilobyte file infector, comprised of approximately 50,000 lines of code. This is an extremely large and complex virus.
This large virus has been written in Microsoft Visual C++ and is about 125K:
    original virus code      - about 14K
    GZIP routines            - 20K
    C run-time libraries     - 40K
    the rest is occupied by virus/C++ data, resources and so on
The virus has quite an unusual structure: the infected files have code and data segments, as well as three resources that contain compressed executable files.

The first resource contains the standard NT4 PSAPI.DLL that is used by the virus to access processes in the system memory.

The second resource is the original virus code itself (including the same compressed PSAPI.DLL in the resource). This copy of virus code is used as the original data to install the virus into the system and to infect EXE files.

The third resource is the host file that is extracted and decompressed, when the virus needs to run the host program.

System Registry: while installing its SYS driver into the system the virus uses standard NT API calls. That causes the system to register the virus driver in the system registry, so the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer is created.

Temporary files: while compressing/decompressing files the virus needs to create temporary files. It creates them in the Windows temporary directory with the random names ~xxxdddd.TMP (where 'x' - letters, 'd' - digits).

It goes Memory Resident. Thus the infected system must be powered down, and scanned from a "clean state" with a command line scanner (convenient courtesy of NAI itself :-)
Detection and removal are available
The virus has a time routine, which is designed to speed up the search and infection process.
The virus infection, hiding and damage routines only work in non-working hours: all day on Saturday and Sunday, and only from 21:00 till 6:00 on other days. Otherwise the virus sets the lowest priority for itself and "sleeps" for long periods of time. So the virus does run its routines during working hours, but only when nobody has been accessing the computer for a long time.

The hiding routine is run right after the infection routine, and "cleans" virus traces in the system. First of all it looks for windows with the titles "TASKMGR.SYS, Application Error" and "Dr.Watson for Windows NT" and closes them if need be.
So the virus bypasses the error messages caused by its own bugs. The virus then checks whether its driver has "slept" for too long (more than one hour). In that case the virus kills the service.
The virus also deletes the DRWTSN32.LOG file as well as all "~*" files in the Windows temporary directory.
NAI conveniently provided a program (late 12/21/98) that removes it from memory without a reboot, removes the virus as a service, and cleans and repairs the encrypted data files and all infected executables.
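As an added illustration (not code from the original page, nor from NAI), here are the host indicators listed above folded into a small Python checker run over a constructed snapshot of an infected box; the 125,440-byte driver size is the one quoted further down this page, and the activity-window helper models the Saturday/Sunday and 21:00-06:00 schedule described above.

```python
import re
from datetime import datetime

# Host indicators as listed in the write-up above.
SERVICE_NAME = "Remote Explorer"
DRIVER_PROCESSES = {"ie403r.sys", "taskmgr.sys"}  # *.SYS as a process, not TASKMGR.EXE
REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer"
DRIVER_FILE, DRIVER_SIZE = "ie403r.sys", 125440   # size quoted later on this page
TEMP_PATTERN = re.compile(r"^~[A-Za-z]{3}\d{4}\.TMP$", re.IGNORECASE)  # ~xxxdddd.TMP


def check_host(services, processes, registry_keys, temp_files, driver_files):
    """Return the indicators found in a host snapshot.
    Every argument is a plain list of names (driver_files holds (name, size)
    pairs); on a live NT box they would be read from the Services applet,
    Task Manager, the registry and the temp/driver directories."""
    hits = []
    if any(s.lower() == SERVICE_NAME.lower() for s in services):
        hits.append("service: " + SERVICE_NAME)
    hits += ["process: " + p for p in processes if p.lower() in DRIVER_PROCESSES]
    if any(k.lower() == REGISTRY_KEY.lower() for k in registry_keys):
        hits.append("registry: " + REGISTRY_KEY)
    tmp = [f for f in temp_files if TEMP_PATTERN.match(f)]
    if tmp:
        hits.append("temp files: " + ", ".join(tmp))
    hits += ["driver: %s (%d bytes)" % (n, s) for n, s in driver_files
             if n.lower() == DRIVER_FILE and s == DRIVER_SIZE]
    return hits


def in_activity_window(when):
    """True when the virus's own timer says it is active: all day on
    Saturday and Sunday, 21:00 to 06:00 on weekdays (local time)."""
    if when.weekday() >= 5:          # Saturday=5, Sunday=6
        return True
    return when.hour >= 21 or when.hour < 6


if __name__ == "__main__":
    # Constructed snapshot of an infected host (not real capture data).
    found = check_host(
        services=["Server", "Workstation", "Remote Explorer"],
        processes=["explorer.exe", "TASKMGR.EXE", "IE403R.SYS"],
        registry_keys=[REGISTRY_KEY],
        temp_files=["~DF1234.TMP", "~abc0042.TMP"],   # first is an ordinary Office temp
        driver_files=[("IE403R.SYS", 125440)],
    )
    print("\n".join(found))
    print(in_activity_window(datetime(1998, 12, 20, 1, 22)))   # Sunday 01:22
```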
There are now a couple of things that I must add... this whole story has some tracts of a typical urban legend/scam, made in order to sell NAI products (which are lousy to say the least, btw). Yet some of the descriptions I found seem to have a solid base.
Let's put some order in all this mess:
first of all the Remote Explorer virus seems to be extremely rare. Likelihood of infection seems to me therefore very low.
At this time, only one company has been known to have been infected and I couldn't find the virus on any Internet sites, anti-virus ftps or hacker BBSs (and I know how to search the web)
It is sure that McAfee over-hyped the panic for PR purposes. They have always been very good at this.
I don't know if they went so far as to create it themselves (M$ C++? Mmmm... could be)
I doubt that this virus has really escaped 'in the wild', but if it is, and if anyone of my readers gets his hands on a copy of it, we may try to reverse its code.
I have searched the web -until now in vain- and I'll keep trying.
As soon as I catch or get a copy of Remote Explorer I'll reverse it.
If anyone out there discovers a file called IE403R.SYS, having a date/time stamp of 12/20/98-1:22:48am (EDT I believe), and a size of 125,440 bytes, please send me a copy. I'll publish the code as soon as I have reversed it.
Yet many small things make me believe that this is only silly McAfee hype and a marketing trick... have a look at their disgusting banners at http://www.nai.com/...
The hyperbole that is oozing out of some corporations' marketing and PR wings is getting pretty hard to take, and I believe we should begin to retaliate... one more reason to disassemble this virus... as you probably know, each programmer has his 'style' (even in bloated M$ C++) and it should be possible to understand whether really a 'disgruntled employee' at MCI or some of the guys at NAI concocted this.

Some snippets from the wide web:

Russ (the NTBugtraq moderator):
 I have been contacted by Intel, Panda Software, Symantec, and other
 private virus researchers hoping to get copies of the virus. NAI did not
 make the virus available to the anti-virus community until late this
 afternoon. A source told me that Microsoft were told they had to sign a
 non-disclosure agreement with NAI in order to get a copy of it
 themselves

ISS Security Advisory:
 There have been no confirmed reports of the virus existing
 outside of the original reporting site, with the exception of copies
 obtained by virus researchers.  There are indications that the original
 virus may have been installed by a disgruntled employee.


Sounds all pretty fishy from a reverser standpoint, yet some real experts on this field seem to believe that a limited number of copies may indeed have escaped 'in the wild'.
Now, since NAI is clearly the real culprit of this situation and the only party responsible for the possible spreading of this virus, and since our interest in this kind of virii in the context of our "Micro$oft bashing" campaign and our reversing capabilities is obvious... our reversing deed would also hit NAI right on their heads... reversing code and at the same time reversing a marketing department trick... nice deed, wouldn't you say? Bye bye McAfee... eh?

So, go forth and catch it, friends NT-administrators!

Pattern files that will detect and clean the virus:
ftp://ftp.intel.com/pub/support/files/outgoing/vp30cs.zip
ftp://ftp.intel.com/pub/support/files/outgoing/up484.zip


Resume
The virus is the first native "memory resident" NT infector, so it might look like some super-virus. Actually the virus was written by some middle-level developer who had access to the NT Device Development Kit documentation. The virus does not hook any NT event, does not use any network protocols, does not try to access passwords, and does not spread its copy over the global network. Moreover, ordinary DOS parasitic viruses have the same network spreading abilities as this virus has: they can also infect files on remote shared drives, stay in the system memory, etc.

This is just a standard parasitic virus, but with NT service infection ability. It is no more complex than some other already known Windows viruses, and definitely not more complex than the well-known BO trojan (BackOrifice) from our cDc friends...

In conclusion this virus is not a shock at all - it is the long awaited WindowsNT-service virus. Let's catch it and reverse it!


Remember:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer
For more information:

CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
http://www.cert.org/incident_notes/IN-98-07.html

Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)

Data Fellows Computer Virus Information Pages for RemExp, also known as
Rich, Remote_Explorer, IE403R.SYS, RICHS at
http://www.datafellows.com/v-descs/rich.htm

Microsoft Security Advisor "Information on the 'Remote Explorer' or
'RICHS' Virus" at http://www.microsoft.com/security/bulletins/remote.asp