Some time ago a new virus was discovered: Remote Explorer! It is said to be the most intelligent virus ever found. To begin, we highly recommend that you download the Network Associates fix/detection updates for any licensed Network Associates software you may have. If you do not have licensed Network Associates anti-virus software but use other anti-virus software, we recommend that you visit the site of your anti-virus software company, or contact them for an update of your software, if available.
Remote Explorer's primary target is Windows NT Server and Windows NT Workstation. Network Associates' homepage about Remote Explorer also shows some information about Windows 95/98 infections. However, we do not know yet what Remote Explorer can do on a Windows 95/98 PC, besides that from there, if connected to a LAN/WAN, it can load itself onto the NT Server.
As described before, Remote Explorer loads itself onto a Windows NT Server of a network (LAN/WAN), and from there encrypts documents and files/applications. It is memory resident and encrypts EXE, TXT and HTML files. It spreads through both LAN (Local Area Network) and WAN (Wide Area Network) environments. The virus seems to be highly intelligent, since it hides itself by "naming itself" to an existing file.
The virus spreads without user intervention and is spread by the "traditional" ways viruses spread: email attachments, downloads, disks etc. The virus file size is about 125 kilobytes, and the virus was written in the "C" programming language. The virus is memory resident, which makes removal difficult. It is said to be using a DLL, but when this DLL is deleted, the virus will make another copy.
A possible way to detect whether a system is infected is for system administrators to open the Services applet in the Windows NT Control Panel. When "Remote Explorer" is listed there as a service, the system is infected.
A second way to detect whether a system is infected is to run TASKMGR.EXE through the Start menu. When you are viewing the Processes tab and IE403R.SYS or TASKMGR.SYS (not EXE!) is listed as a process, the system is infected.
When the virus infects an application, it renames itself to that application, and every time that application is started the virus is relaunched. Another indication that the virus is highly intelligent is that it can "impersonate" administrators to break through security.
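The two manual checks above (the Services applet and the Processes tab) can be run over exported lists from many machines at once. The following is an added example, not part of the original article; the input format (one service display name or one process image name per line) and all sample data are assumptions constructed for illustration.

```python
# Added example: flags the two infection indicators named in the article.
# Assumed input: one service display name per line and one process image
# name (optionally with a path) per line, exported from each host.

SERVICE_INDICATOR = "remote explorer"
PROCESS_INDICATORS = {"ie403r.sys", "taskmgr.sys"}  # .SYS, not the real TASKMGR.EXE


def normalize_service(name):
    """Collapse whitespace and lower-case a service display name."""
    return " ".join(name.split()).lower()


def normalize_process(name):
    """Strip quotes and any leading path, then lower-case the image name."""
    name = name.strip().strip('"').replace("/", "\\")
    return name.rsplit("\\", 1)[-1].lower()


def check_host(service_lines, process_lines):
    """Return (kind, original_text) findings for one host; empty list if clean."""
    findings = []
    for line in service_lines:
        if normalize_service(line) == SERVICE_INDICATOR:
            findings.append(("service", line.strip()))
    for line in process_lines:
        if normalize_process(line) in PROCESS_INDICATORS:
            findings.append(("process", line.strip()))
    return findings


# Constructed sample data (not taken from a real system).
SAMPLE_SERVICES = ["Alerter", "Computer Browser", "  Remote Explorer ",
                   "Remote Procedure Call (RPC) Service", "Workstation"]
SAMPLE_PROCESSES = ["System", "smss.exe", "TASKMGR.EXE",
                    "X:\\constructed\\path\\IE403R.SYS", "Taskmgr.sys",
                    "explorer.exe"]

if __name__ == "__main__":
    for kind, text in check_host(SAMPLE_SERVICES, SAMPLE_PROCESSES):
        print(f"INFECTION INDICATOR ({kind}): {text}")
```

Matching is exact on the normalized name, so the legitimate TASKMGR.EXE and services such as "Remote Procedure Call (RPC) Service" are not flagged.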
Currently, we do not have any information on how the virus can be removed. Once we have this information, we'll let you know on this page. We can't say it enough: we really recommend that you keep an eye on the homepage of your anti-virus software company for the latest information and possible updates for your anti-virus software.
Other pages for information:
(Article written by Marcel P. Smits in 1999)