Remex | |
---|---|
Type | File virus |
Creator | |
Date Discovered | 1998.05.27 |
Place of Origin | |
Source Language | |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 125,000-150,000 bytes |
Reported Costs | |
Remex, also known as Remote Explorer, is the first virus to install itself as a system service. It is also the first virus to depend entirely on a Windows NT environment to spread, and it was network-capable.
Behavior
Remex must be run with administrator privileges for it to run properly. When it is executed, the virus installs itself as a service named "Remote Explorer". It makes a copy of itself under the name ie403r.sys in the "drivers" subfolder of the Windows system folder. On weekdays between 6:00 and 15:00, Remex sets its thread to the lowest priority setting; at all other times it sets the priority one level higher.
Every 10 minutes it creates Taskmgr.sys (Taskmgr.exe is a legitimate process; this file is not). There is a 2 in 5 chance that it will then try to infect files; otherwise it goes back into hiding. If the virus sleeps for over an hour, it stops its own service. It can infect files over a network drive if the computer it is on has the necessary write privileges, assuming a user with administrator privileges is logged on.
Remex chooses a random folder on the target machine and infects all the files there. It only checks whether a file is an .exe, not whether it is a 32-bit Windows executable, so it may also infect DOS executables. The virus compresses the target file using headers similar to Gzip, overwrites the top of the file and appends the compressed original to the end of the virus as a file resource. Whenever the infected file is executed, the compressed original is extracted, decompressed and then run from a temporary folder.
With the exception of .dll and .tmp files, Remex encrypts all other files in the folder. It avoids anything in the Windows folder, the Program Files folder and temporary folders. It may also encrypt random files elsewhere on the disk it is infecting.
The virus tries to avoid detection by the user by blocking certain error messages and deleting certain files. It blocks any message window with "TASKMGR.SYS - Application Error" or "Dr.Watson for Windows NT" in the title. Remex also deletes the file DRWTSN32.LOG and all "~" files in the temporary directory.
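The indicators in the Behavior section lend themselves to a simple host triage check. The following is an added example (not code from the page or from any vendor tool): it takes a constructed host snapshot of services and file sizes, flags the "Remote Explorer" service, the ie403r.sys driver-folder copy and Taskmgr.sys, and uses the stated infection length to rule out .exe files that cannot carry a Remex body.

```python
"""Triage helpers for the Remex / Remote Explorer indicators above. Added example;
host data is passed in as plain Python structures so it runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field

# Indicators taken from the page's Behavior section and infobox.
SERVICE_NAME = "remote explorer"   # service the virus registers itself as
DRIVER_FILE = "ie403r.sys"         # copy dropped under <system>\drivers
DROPPED_FILE = "taskmgr.sys"       # created every 10 minutes; taskmgr.exe is the real one
VIRUS_BODY_MIN = 125_000           # low end of the stated infection length

@dataclass
class HostSnapshot:
    services: dict[str, str]        # service display name -> image path
    file_sizes: dict[str, int]      # full path -> current size in bytes
    baseline_sizes: dict[str, int] = field(default_factory=dict)  # known-good sizes

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def find_remex_indicators(snap: HostSnapshot) -> list[str]:
    """Service and dropped-file indicators; each hit is one finding string."""
    findings = []
    for name, image in snap.services.items():
        if name.strip().lower() == SERVICE_NAME:
            findings.append(f"service '{name}' registered ({image})")
    for path in snap.file_sizes:
        norm = _norm(path)
        base = norm.rsplit("\\", 1)[-1]
        if base == DRIVER_FILE and "\\drivers\\" in norm:
            findings.append(f"{path}: virus copy in drivers folder")
        elif base == DROPPED_FILE:
            findings.append(f"{path}: taskmgr.sys present (legitimate process is taskmgr.exe)")
    return findings

def suspect_infected_exes(snap: HostSnapshot) -> list[str]:
    """An infected .exe differs from its baseline copy and, because the virus body is
    prepended and the compressed original kept as a resource, is never smaller than
    the virus body itself; changed files below that size are ruled out."""
    hits = []
    for path, size in snap.file_sizes.items():
        old = snap.baseline_sizes.get(path)
        if path.lower().endswith(".exe") and old is not None \
                and size != old and size >= VIRUS_BODY_MIN:
            hits.append(path)
    return sorted(hits)

SAMPLE = HostSnapshot(  # constructed snapshot of an infected NT host, not real data
    services={"Workstation": r"C:\WINNT\system32\services.exe",
              "Remote Explorer": r"C:\WINNT\system32\drivers\ie403r.sys"},
    file_sizes={r"C:\WINNT\system32\drivers\ie403r.sys": 131_072,
                r"D:\share\tools\taskmgr.sys": 131_072,
                r"D:\share\tools\setup.exe": 160_000,   # grew since baseline: suspect
                r"D:\share\tools\small.exe": 140_000,   # unchanged: clean
                r"D:\share\tools\readme.txt": 1_200},
    baseline_sizes={r"D:\share\tools\setup.exe": 40_000, r"D:\share\tools\small.exe": 140_000})
```

Real inventory (service list, directory listings, a known-good size baseline) can be loaded into HostSnapshot in the same shape.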
Effects
MCI Worldcom (which eventually became a subsidiary of Verizon Wireless) was hit badly by Remex. Hundreds of computers were infected at the company. MCI called in Network Associates to assist in cleaning up the virus and restoring files. MCI had been laying off large numbers of workers at the time and suspected the virus had been planted by an employee (or a former one).
Network Associates (McAfee) made a big deal of the worm, calling it one of the "most destructive" viruses ever seen (though the BIOS-destroying CIH had already been out for some time, and this virus's behavior is irritating but not destructive), "scary" and the work of a pro and cyberterrorist. Network Associates' stock rose 12 percent that day, and 22% before Christmas, adding $1.1 billion to the value of its shares. The company attributed this to the strong market for technology stocks, though it conceded the virus may have had some effect. The company's behavior in this incident received a great deal of criticism, particularly its decision to call a press conference and wait five days before sending the virus to other researchers, given that it is a member of CARO and should have shared it immediately.
The Computer Emergency Response Team (CERT), however, downplayed the destructiveness of the virus. The incident at MCI Worldcom was the only known instance of the virus in the wild. A member of CERT's technical staff even said of it, "In many ways, it is a very traditional virus". Other observers said it makes a poor weapon for cyberterrorists, as it makes only superficial attempts to hide its presence. They were also skeptical of the claims that it was particularly advanced, saying that installing itself as a service was not a new idea, as a lot of software (including antivirus programs) does this, and that it is not so different from DOS programs going TSR (Terminate and Stay Resident).
Variants
Remex has no recognized variants; however, researchers noted some similarities to Funlove and Bolzano. Funlove and Bolzano were more successful, though, as Remex was restricted to Windows NT.
Sources
Raul Elnitiarta. Symantec, W32.RemoteExplore. 2007.02.13
Matthias Kannengiesser. WinNT.RemEX.
Ellen Messmer. CNN Tech, MCI WorldCom Remote Explorer virus may be inside job. 1998.12.22
Benny Evangelista. The San Francisco Chronicle, Network Associates Says Killer Virus Hit MCI WorldCom. 1998.12.22
Tim Clark. CNet, CERT downplays virus attack. 1998.12.23
Rob Rosenberger. Vmyths, Why does an Internet security firm hold press conferences by phone? 1999.01.04
Hoax du Jour, Remote Explorer of My Eye. 1999.01.03
Peter Szor. Symantec, W32.Funlove.4099. 2007.02.13