Remote Explorer Threatens Windows NT

When the Remote Explorer virus infected MCI/WorldCom (www.mci.com) late last year, it gained a reputation as one of the most destructive viruses ever. Because it can spread on its own, with no user interaction whatsoever, analysts and experts agree that Remote Explorer poses a substantial threat to Windows NT networks.

According to Network Associates Inc. (www.nai.com), the company that exposed the virus, as well as competing security companies and industry analysts, Remote Explorer is the harbinger of a new era in viruses because of its size and potential for damage.

"As one of the first viruses to actually strike and cause substantial damage to a company -- even though MCI has been vague about the damage -- the virus shows that NT is as much of a target as we’ve thought all along," says Larry Dietz, director of information security at Current Analysis Inc. (www.currentanalysis.com).

Because Windows NT is commonly used as a Web server or e-mail server, it is susceptible to virus attacks. Still, Remote Explorer, at 120 KB, is not an ordinary virus. Most viruses have much less code and are less damaging.

According to Kent Erickson, director of product management at Mission Critical Software Inc. (www.missioncritical.com), Remote Explorer is more of a rogue application than a virus because it performs functions, even though they are not obvious. "If you’re running inside the OS, you can be as big as you want and you can destroy more of a network. Most viruses are small because there are only nooks and crannies of an OS that they can attack, but Remote Explorer is an app program that lives inside the OS," he says.

Once in the network, Remote Explorer infects Windows NT servers by logging in as a Windows NT administrator and installing itself as a Windows NT service. Program files are compressed so they cannot execute, and data files are encrypted so users cannot access them. Perhaps the most damaging aspect of Remote Explorer is its ability to reproduce itself throughout a network.

MCI/WorldCom wouldn’t comment on the virus, except to say the spreading has been stopped and all the infected machines cleaned up. Dietz points out that even if the virus was stopped, Windows NT probably had to be reinstalled on all the infected machines.

"Clearly, this was a sophisticated blast by a sophisticated virus," Dietz says. "The fact that it has its own DLL brings this virus to a programming level we’ve not seen before."

When Network Associates announced the virus and MCI confirmed reports that it was infected, speculation circulated around NTBUGTRAQ that anti-virus vendors exaggerated the damage Remote Explorer is capable of doing to publicize their anti-virus products.

"We live in a very competitive environment, and it’s not exactly unrealistic that companies would try to use a virus like this for publicity reasons, but I think it was right for Network Associates to make Remote Explorer known," says Erickson of Mission Critical, a competitor to Network Associates.

Analysts and industry insiders worry that copycats will try to emulate Remote Explorer. "There are companies that have thousands of NT servers," says Eric Brown, senior analyst, software strategies at Forrester Research (www.forrester.com). "For those administrators, the threat of viruses like Remote Explorer attacking their networks is a nightmare."

Even though Remote Explorer reportedly also affects Unix and NetWare, Windows NT appears to be susceptible to viruses this powerful.

"The main concern is that this is an indication that NT will become an even bigger target for viruses," Dietz says.