Wow


This one isn't a hoax.  Think ya better take a look.  Reckon somebody was
ticked at MCI?


> Self-replicating virus attacks MCI
>
> Network attacked by code that mimics human administrator
> By Jim Kerstetter, PC Week Online
> ZDNN
>
> Dec. 21 - The computer network of MCI Worldcom was broadly attacked
> last week by a new virus that one official called "the first
> legitimate incident of cyber-terrorism" he had ever seen. The virus,
> called Remote Explorer, pretends to be a network administrator and can
> spread without human help. That makes it more dangerous than
> traditional viruses requiring infected e-mail or a floppy disk for
> transmission.
>
> SECURITY EXPERTS FROM NETWORK ASSOCIATES Inc. described it as a "new
> era in the virus field ... an entirely new kind of virus."
>
> Once in place, Remote Explorer wreaks havoc by encrypting files on
> users' machines - from programs to text files. These were not
> destroyed, however, and Network Associates says it will soon have a
> fix on its Web site which can restore the encrypted files.
>
>
> The "smart virus" attacks Windows NT-based networks and propagates
> over the local network, said Gene Hodges, a general manager at Network
> Associates in Santa Clara, Calif.
>
>
> Remote Explorer goes by the file name IE403r.sys and utilizes NT's
> remote management tools to act like a human network administrator. It
> then orders copies of itself around the network. Once on a
> workstation, it loads a process into Task Manager.
>
>
> "To someone not suspecting this, you wouldn't notice Remote Explorer
> just sitting as a service," said Vincent Gullotto of Network
> Associates. "If you do discover it, you can't close it down."
>
>
> The virus had been running for at least a week before detection, the
> company said.
>
>
> It was unclear whether the virus was downloaded from the Internet or
> planted on a server internally. Because part of the source code of the
> virus was encrypted, it will be difficult to determine the motivation
> of its author. Files encrypted by the virus were apparently chosen at
> random.
>
>
> But a spokesman for Computer Associates said the program was too
> sophisticated to be the work of indiscriminate pranksters.
>
>
> "These guys were very smart," Hodges said. The company estimates the
> program took 200 hours to write. "They had a good enough idea of where
> to put it in order to make it spread very quickly."
>
>
>
> The virus compresses the executable files of servers and workstations
> that it encounters, rendering them unusable. It also encrypts .DOC or
> .XLF files with a cipher that researchers still have not identified,
> making it impossible to gain access to those files, Hodges said.
>
>
> "Clearly, we don't know who developed this virus," he said. "But it's
> clear as to how it was first planted and how it spreads and that this
> person was very knowledgeable of network administration features and
> planned for this virus to cause serious damage."
>
>
>
> The virus itself, which is written in C and also partly encrypted, is
> a savvy piece of programming, Hodges said. It logs itself in through
> domain administrative controls and then copies itself over the
> network, attacking other servers and even workstations that access
> those servers. It can use any link that can identify NT resources. It
> cannot propagate in a Unix or NetWare-based network.
>
>
> It is also huge by virus standards at 120KB. Discovered Thursday, it
> was operating on a timing mechanism so that it propagated faster
> between 3 p.m. and 6 a.m. -- hours when network administration
> staffing is typically lower at the infected company. The company
> severed its WAN connections in order to isolate the problem.
>
>
> "It's clear that the virus writer has a good Unix and NT background,"
> Hodges said.
>
>
> Researchers at Network Associates say they have broken the compression
> algorithm and will post a fixing technique that is specific to Network
> Associates software by early this afternoon. Peter Watkins, general
> manager, Network Security Division, said the virus did not destroy any
> data -- the fix will be able to restore infected, encrypted files.
>
>
> A detector for the "smart virus" has already been posted.
>
>
> Hodges said the company is working with Microsoft Corp., has also been
> in touch with other anti-virus groups and is developing a formal
> warning. "I don't think it's hyperbole to call this an information
> time bomb," Hodges said.
>
>
> MSNBC's Bob Sullivan contributed to this report.
>
>
> © 1998 ZDNet. All rights reserved. Reproduction in whole or in part in
> any form or medium without express written permission of ZDNet is
> prohibited.






