Network Associates Inc. (NAI) in late December warned its customers and users of an extremely powerful and dangerous virus that affects Windows NT systems, which was detected in MCI WorldCom's computers.
Known as Remote Explorer, the virus contains 120K bytes of code written in C and is larger than most viruses. It compresses executable files and encrypts .doc and .xlf files, rendering them unusable.
The virus itself is also encrypted, hampering its easy classification and removal.
Upon infection, Remote Explorer takes over the taskmgr.sys file name, replacing that file, and also creates a file called ie4o3r.sys.
After subverting those files, the virus scans the network neighbourhood and infects other NT servers and workstations. In this way it replicates and spreads automatically, without any user interaction.
NAI and Microsoft as of late December were working on a fix for the virus, and the companies were expected to provide a stand-alone utility to detect and clean it.
Although Unix- and NetWare-based networks are not affected by the virus, they can act as carriers to spread the virus to other NT systems, according to NAI officials.
NAI recommends that users open the Control Panel and check "Services." If an entry titled "Remote Explorer" is listed, the system is infected and should be disconnected from the network. Infected files will reinstall themselves even if deleted, according to the company.
The virus is also time-sensitive, NAI said: it propagates mostly between 3 p.m. and 6 a.m. and on weekends, when IT managers are least likely to be monitoring systems.
Although the virus has been found at only one location, its virulence makes it all but certain that it has spread beyond that location, according to officials at NAI.
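The manual check NAI describes (look for a "Remote Explorer" entry under Services, watch for the two file names) and the reported off-hours propagation window can be turned into a small triage script. The following is an added example for this article, not code from NAI or the original report; the `net start` listing and the file paths are constructed samples, and the `drivers` directory is an assumption (the article does not say where the files are written).

```python
from datetime import datetime

# Indicators taken from the NAI advisory quoted in the article.
SERVICE_NAME = "Remote Explorer"
DROPPED_FILES = {"taskmgr.sys", "ie4o3r.sys"}

# Constructed sample of what `net start` prints on an NT 4 host (not real capture).
SAMPLE_NET_START = """These Windows NT services are started:

   Alerter
   Computer Browser
   Remote Explorer
   Server
   Workstation

The command completed successfully.
"""

# Constructed sample file listing; the drivers path is an assumption.
SAMPLE_FILES = [
    r"C:\WINNT\system32\drivers\ie4o3r.sys",
    r"C:\WINNT\system32\notepad.exe",
    r"C:\WINNT\system32\drivers\ntfs.sys",
]


def parse_net_start(output):
    """Turn a `net start` listing into a list of service display names.

    NT prints one service per line, indented; the header ends with a colon
    and the trailer starts with "The command completed", so both are dropped.
    """
    services = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":") or line.startswith("The command completed"):
            continue
        services.append(line)
    return services


def find_indicators(service_names, file_paths):
    """Return the service entries and file paths that match the NAI indicators."""
    hits = {"services": [], "files": []}
    for name in service_names:
        if name.strip().lower() == SERVICE_NAME.lower():
            hits["services"].append(name)
    for path in file_paths:
        # Compare only the file name, case-insensitively (NTFS is case-preserving).
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in DROPPED_FILES:
            hits["files"].append(path)
    return hits


def in_propagation_window(ts):
    """True if ts falls in the window NAI reported: weekends, or 3 p.m. to 6 a.m. on weekdays."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return ts.hour >= 15 or ts.hour < 6


def assess_host(net_start_output, file_paths, now):
    """Combine the indicator check with the time window to produce a triage verdict."""
    hits = find_indicators(parse_net_start(net_start_output), file_paths)
    infected = bool(hits["services"] or hits["files"])
    return {
        "infected": infected,
        "hits": hits,
        # If the host is infected during the reported window, it is likely spreading right now.
        "likely_spreading_now": infected and in_propagation_window(now),
    }


if __name__ == "__main__":
    verdict = assess_host(SAMPLE_NET_START, SAMPLE_FILES, datetime(1998, 12, 22, 16, 0))
    print(verdict)
```

The verdict only says whether the NAI indicators are present; because the article notes that deleting the files does not help, a positive result should trigger isolation from the network rather than file cleanup.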
The Remote Explorer virus uses a custom 608-bit encryption algorithm to conceal random documents.