From xforce@iss.net Wed Jan 6 16:15:06 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Wed, 6 Jan 1999 15:05:48 -0500 (EST)
Subject: ISSalert: ISS Vulnerability Alert: Remote Explorer

-----BEGIN PGP SIGNED MESSAGE-----

ISS Vulnerability Alert
January 6, 1999

Remote Explorer

Synopsis:

Remote Explorer is an application that runs on Microsoft Windows NT(tm) systems and is capable of behaving as either a virus or a worm. The virus has only been found on limited portions of one corporate network. At this time, there are no confirmed reports of Remote Explorer being found on any other networks.

Remote Explorer can be detected using sc.exe from the Resource Kit and tools that ship with Windows NT. It can also be detected with Internet Security Systems' (ISS) Internet Scanner(tm) for Windows NT security assessment software. Several anti-virus vendors currently ship software that will remove the virus from a system.

Description:

Remote Explorer is capable of running both as an executable and as a Windows NT service. When present in executable form, the virus stores the host executable as a resource, along with a copy of PSAPI.DLL. Resources are how a Windows executable stores icons, dialogs, and other information that might be needed.

When the virus executes, it first attempts to install itself as a service, and copies itself to ie403.sys. Ie403.sys is typically found in %systemroot%\system32\drivers, and %systemroot% is normally c:\winnt. If the user who invokes the virus is not an administrator, the virus cannot be installed as a service. It will then copy the host executable to a temporary file and start the application. As a result, applications might not behave normally.

When the virus is running as a service, it checks for a logon every 10 minutes. If a user has logged on, it acquires their process token (that is, the user's credentials), copies itself to taskmgr.sys, and starts that process using the credentials of that user.
It then searches the disk for executables which are not in the %systemroot% or C:\Program Files trees, and infects those files. This is accomplished by compressing the files using the same algorithm as gzip and storing the host, as a resource, into a copy of the virus. Remote Explorer then sets the file attributes (access times, etc.) of the virus to those of the host file, and replaces the host file. If the virus has been invoked by the service, it can also access any network shares available to the user that the process is impersonating.

There are conflicting reports as to whether the virus compresses documents on an infected computer. If so, the compression should be reversible.

The virus also lies dormant during normal working hours, and appears to become active only during the hours of 9PM to 6AM, and at all hours during weekends. It is also apparently quite buggy, and takes measures to clean up any errors that may occur by erasing Dr. Watson logs and closing any error windows that might appear because of the virus' processes.

The virus has been reported as an entirely new class, and with respect to using Windows NT services, that is true. However, most of its mechanisms follow normal viral behavior. The choice to use Windows NT services makes it relatively easy to detect. This virus does not exploit any security weaknesses in Windows NT, and requires an administrator to run a Trojan executable in order for it to be installed as a service.

Initial reports were that several thousand corporate machines were infected, severely disrupting that company's network operations. However, CERT(R) reports that 50 machines were infected. Contacts within the affected company confirm that the number of infected machines was somewhat less than 50, and that the disruption was confined to a test network. There have been no confirmed reports of the virus existing outside of the original reporting site, with the exception of copies obtained by virus researchers.
There are indications that the original virus may have been installed by a disgruntled employee.

Recommendations:

Any tool that is capable of enumerating Windows NT services can find the virus if it is present as a service. Server Manager, which ships with Windows NT Server and the Windows NT Resource Kit, can be used to find the service:

1. Select the host.
2. From the Computer menu, choose Services. The Services window appears.
3. From the Services window, determine if "Remote Explorer" is running.
4. If Remote Explorer is running, select it.
5. Choose Startup and set the Startup Type to Disabled.
6. Click OK to disable the service.
7. Click the Stop button to halt the service. Click Yes to confirm.

Alternatively, sc.exe from the Windows NT Resource Kit can be used to both detect and stop the virus. See the documentation on sc for details.

ISS Internet Scanner for Windows NT can also be used to detect the virus, and has the advantage of requiring only user-level access to the host (the standard tools require administrator access):

1. Load a scan session.
2. From the Policy menu, choose Edit.
3. Select the NT Services tab, then verify that the "Report Unknown Services" check box is enabled.

If Remote Explorer is present, it will be reported on screen as "Unknown NT Service - Remote Explorer". Scanning can effectively and quickly check large numbers of hosts.

If possible, remotely disable the Remote Explorer service and use an anti-virus tool of your choice to make sure that all infected executables are cleaned.

Credits:

Information in this report was provided by Vesselin Bontchev of F-Prot, Bill Sobel of Symantec, Russ Cooper (moderator of NTBUGTRAQ), Microsoft, as well as an investigation by ISS' X-Force. We also thank Microsoft for providing assistance in our investigation.
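As an added example, not part of the ISS alert, the following Python script shows the defender-side checks that the Description and Recommendations sections describe: parsing service-enumeration output for a service that is not in a known baseline (the "Report Unknown Services" idea) or that is named "Remote Explorer", flagging the dropped file names ie403.sys and taskmgr.sys in a driver-directory listing, and deciding whether a given time falls inside the activity window the alert states (9PM to 6AM on weekdays, all hours on weekends). The sc query output, the baseline service list and the directory listing are constructed sample data; the SERVICE_NAME / DISPLAY_NAME / STATE field layout is assumed from the modern sc.exe, not confirmed against the 1999 Resource Kit version.

```python
"""Offline triage helper for the Remote Explorer indicators named in the alert (added example)."""
import re
from datetime import datetime

# Service name the alert says the virus registers under, and the file names it drops.
VIRUS_SERVICE_NAME = "Remote Explorer"
DROPPED_FILE_NAMES = {"ie403.sys", "taskmgr.sys"}

# Constructed sample of `sc query` output; field layout is an assumption based on modern sc.exe.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: EventLog
DISPLAY_NAME: EventLog
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Remote Explorer
DISPLAY_NAME: Remote Explorer
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
"""

# Constructed baseline of services expected on this host (what a scanner's
# "Report Unknown Services" check compares against).
BASELINE_SERVICES = {"EventLog", "Spooler"}

# Constructed listing of %systemroot%\system32\drivers on a suspect host.
SAMPLE_DRIVER_LISTING = [
    r"C:\WINNT\system32\drivers\tcpip.sys",
    r"C:\WINNT\system32\drivers\ie403.sys",
    r"C:\WINNT\system32\drivers\afd.sys",
]


def parse_sc_query(text):
    """Parse sc query style output into a list of {name, display, state} dicts."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "display": "", "state": ""}
            services.append(current)
        elif current is not None and line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("STATE"):
            # e.g. "STATE : 4  RUNNING" -> keep the symbolic state word
            match = re.search(r":\s*\d+\s+(\w+)", line)
            if match:
                current["state"] = match.group(1)
    return services


def unknown_services(services, baseline):
    """Services whose name is not in the host's known-good baseline."""
    return [s for s in services if s["name"] not in baseline]


def find_remote_explorer(services):
    """Services whose name or display name matches the alert's service name (case-insensitive)."""
    wanted = VIRUS_SERVICE_NAME.lower()
    return [s for s in services if wanted in (s["name"].lower(), s["display"].lower())]


def dropped_files(listing):
    """Paths in a directory listing whose file name matches one the alert says the virus drops."""
    return [p for p in listing if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILE_NAMES]


def in_active_window(when):
    """True if `when` falls in the alert's stated activity window:
    21:00 to 06:00 on weekdays, all day Saturday and Sunday."""
    if when.weekday() >= 5:  # datetime.weekday(): Monday=0 ... Sunday=6
        return True
    return when.hour >= 21 or when.hour < 6


if __name__ == "__main__":
    services = parse_sc_query(SAMPLE_SC_QUERY)
    for svc in unknown_services(services, BASELINE_SERVICES):
        print(f"Unknown NT Service - {svc['name']} ({svc['state']})")
    for hit in find_remote_explorer(services):
        print(f"Remote Explorer service present, state {hit['state']}: disable and stop it")
    for path in dropped_files(SAMPLE_DRIVER_LISTING):
        print(f"Dropped file indicator: {path}")
    print("Sweep now would fall in the active window:", in_active_window(datetime.now()))
```

The baseline comparison is the general form of the scanner check the alert describes: any service name not in the host's known-good set is reported, and the exact-name match is a narrower confirmation. Because the alert says the virus is quiet during working hours, the window check is useful for scheduling a sweep that is likely to see the service running rather than idle.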
For more information:

CERT(R) Incident Note IN-98-07 "Windows NT 'Remote Explorer' Virus" at
http://www.cert.org/incident_notes/IN-98-07.html

Central Command Antivirus Center "Antiviral Toolkit Pro (AVP)" at
http://www.avp.com (free detector-cleaner)

Data Fellows Computer Virus Information Pages for RemExp, also known as Rich, Remote_Explorer, IE403R.SYS, RICHS at
http://www.datafellows.com/v-descs/rich.htm

Microsoft Security Advisor "Information on the 'Remote Explorer' or 'RICHS' Virus" at
http://www.microsoft.com/security/bulletins/remote.asp

__________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html, as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNpO+yjRfJiV99eG9AQH5cgQAss5q0Lx41v3HS9q1ve9VE8pVv8xBkhD9
jmo/eZ7SItn6v2CBHnxHcLmSx7UtUUfRZFMyANi7oCQytVMdW7duaKOKsbqMqfJq
31Zmcmtew5zjluYZTCXt/tTaVpqCeKgWYK22Vo3EHQehqej+5zpk99ZOe48ThM1u
kaYFxy0rJP4=
=FM/u
-----END PGP SIGNATURE-----