A new virus on the block

There’s a new strain of virus on the scene that threatens to inspire a new batch of network-aware viruses.

The Remote Explorer virus, discovered by Network Associates Inc. in December, is different from other viruses in that it can propagate itself throughout Windows NT networks, rather than being transferred physically via disks or e-mail messages.

“It’s more complex and potentially more harmful than other ones because it can get around on its own,” said Gus Malezis, region director for Network Associates Canada in Unionville, Ont.

The minute a user logs on, the virus gains administrator rights and worms itself through the network. Carey Nachenberg, chief researcher at Symantec Anti-virus Research Center in Santa Monica, Calif., said this is why he dubs the virus “network-aware.”

Malezis said Remote Explorer doesn’t appear to have been created by amateurs. It required a very deep understanding of Microsoft NT technology, as well as extremely complex encryption and compression techniques.

Malezis expects there are therefore at least three individuals involved — one who knows Microsoft technology, one encryption expert and one compression expert.

“All this really points to (is) not just a new class of virus but a new way of infestation — a really co-ordinated effort,” Malezis said.

Another odd thing about it, he said, was that in this case the virus itself did no serious harm. “Which is not what viruses do — viruses do harm,” Malezis said.

That, along with the fact that there were still a few bugs present in the virus detected in December, led Network Associates to believe it may have been a test virus. Malezis said there could have been a series of incremental steps taken in the development of the virus, perhaps starting with the propagation via Microsoft NT technology, testing that, then adding the encryption, then the compression.

Remote Explorer was first discovered after Network Associates had a customer report some unusual traffic going across the network at unexpected times.

While this virus was not too harmful, others based on its structure might be extremely hazardous to networks. It may even become a threat to companies’ network security.

“It could go out there and gain access to the machine itself, collect certain files that could be of interest and ship these out, and the user would not be the wiser,” Malezis said.

To protect yourself, it’s important to download the latest detection and cleansing files and distribute them to the necessary points on the network.

“Keep things current, update on a weekly basis, and that will probably catch at least 95 per cent of these viruses,” he said. Symantec’s Nachenberg added the latest Norton Antivirus has been updated to detect and repair this virus on all platforms.

Malezis also said it’s important to react as soon as you notice anything strange or even slightly different going on in your network, and tell someone in the business of virus detection to check it out.

— Carol Neshevich