WinNT.RemoteExplorer Binary Aquisition By Opic [CodeBreakers] As most of you already know WinNT.Remote Explorer is the first NT native virus, which keeps itself in memory as a system service. It was also released solely on the MCI network making it available only to the anti-virus community...until now. Unfortunately I was only able to aquire a binary of this virus. It was quite difficult to aquire even this sample, so I hope it can be of use to you all. It is my opinion/guesstimate that Remex was actually written by a micro$oft employee. It was written in VC++ and utilized SDK's available only to midlevel programmers. Below is AVP's writeup on Remote Explorer. AVP Desc: This virus infects Windows executable files (PE files). It spreads only under Windows NT on servers and workstations. The virus is able to spread over the local network, not only on the local machine. This is the first known parasitic virus that stays in the WinNT memory as a system service. Installation When an infected EXE file is executed on the system at the first time, the virus gets control and runs its installing procedure. It copies itself to the WinNT System32\Drivers directory with the IE403R.SYS name and runs this copy as a system service. The EXE instance of the virus then releases the control. If an infected EXE file is executed under an already infected system, the virus looks for its code in the system, removes it and replaces it with its new copy. So the virus seems to be able to upgrade itself with new version. When the infected driver (the IE403R.SYS file) is executed, the virus stays in the system memory as a standard Windows NT service, but does not hook any system events. Instead, the virus just delays in "sleeping" loop that is interrupted by system timer each ten minutes. The virus then randomly runs its infection and hiding routines: in 2 cases from 5 it runs infection, otherwise it runs hiding routine. Infection and Damage The infection routine scans local and shared remote drives, looks for EXE files and infects them. While infecting the virus compresses the target EXE file, writes itself to the top of target file (overwrites it), and adds compressed data to the end of its code as a PE file resource. To run the host file when the infected file is run, the virus extracts it from resource to the temporary file, executes, and then deletes the file. While compressing the virus uses the "deflate" method with GZIP-like data headers. Depending on the system random counter the virus also corrupts randomly selected files on the disk that is being scanned. The virus compresses them by using the same compression method and then encrypts with some optimal algorithm. Depending on the system random counter in 1 case out of 20, the virus also scans the network drives by using their UNC names and processes them in the same way as described above The virus does not affect any files in the Windows directory, as well as in the Windows System and temporary directories and in the "C:\Program Files" folder. The virus also checks the file name extension and does not encrypt the .OBJ, .TMP, .DLL files. Hiding routine This routine is run next to infection routine, and "cleans" virus traces in the system. First of all it looks for the windows with "TASKMGR.SYS - Application Error" and "Dr.Watson for Windows NT" titles and closes them. So the virus bypasses the error messages caused by its bugs. The virus then checks if its driver "sleeps" for too long time (more that one hour). In this case the virus kills the service.The virus also deletes the DRWTSN32.LOG file as well as all "~*" files in the Windows temporary directory. Features When the virus is installing itself into the system, for some time it is visible in the TaskManager's process list with the "IE403R.SYS" name. At any time it is visible in the ControlPanel/Services as the "Remote Explorer" service. The virus does not work under Windows95/98. Under Windows95 the infected files are terminated with a standard error message, under Window98 the virus successfully extracts and executes the host file, but does not install itself into the system. The virus is able to run on an NT machine only in case the CurrentUser has Admin privileges, otherwise the virus fails to install its service in NT memory. Despite this, if the computer is already infected, the logging with not Admin account will not prevent the virus installed in the memory. The virus infection, hiding and damage routines do work only in non-working hours: full day on Sunday and Saturday, on other days - only from 21:00 till 6:00 on other days. Otherwise the virus sets lowest priority for itself, and "sleeps" for long periods of time. So the virus runs its routine in work-hours, but only in case nobody is accessing the computer for the long time.The virus has bugs and may work incorrectly. It does not check file FORMATS and infects DOS EXE files as well as Windows EXE, for example. Additional Tech Details The virus has quite large size - it is written in Microsoft Visual C++ and is about 125K. The original virus code occupies about 14K, GZIP routines - 20K, C run-time libraries - 40K. Other data are occupied by virus/C++ data, resources, e.t.c. The virus has quite an unusual structure: the infected files have code and data segments, as well as three resources that contain compressed executable files. The first resource contains the standard NT4 PSAPI.DLL that is used by the virus to access processes in the system memory. The second resource is the original virus code itself (including the same compressed PSAPI.DLL in the resource). This copy of virus code is used as the original data to install the virus into the system and to infect EXE files.The third resource is the host file that is extracted and decompressed, when the virus needs to run the host program. System Registry: while installing its SYS driver to the system the virus uses standard NT API calls. That caused the system to register the virus drivers in the system registry - the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer is created. Temporary files: while compressing/decompressing files the virus needs to create temporary files. It creates them in the Windows temporary directory with the random names ~xxxdddd.TMP (where 'x' - letters, 'd' - digits). Resume The virus is the first native "memory resident" NT infector, so it might look as some super-virus. Actually the virus was written by some middle-level developer that has access to the NT DeviceDevelopmentKit documentation. The virus does not hook any NT event, does not use any network protocols, does not try to access the passwords, and spread its copy over the global network. Moreover, the ordinary DOS parasitic viruses have the same network spreading abilities like this virus has - they also can infect files on remote shared drives, stays in the system memory, e.t.c. This is just a standard parasitic virus, but with NT service infection ability. It is not more complex than some other already known Windows viruses are, and definitely not more complex than the well-known BO trojan (BackOrifice).This virus is not a shock at all - it is long awaited WindowsNT-service virus.