                  WinNT.RemoteExplorer Binary Acquisition
                                  By Opic [CodeBreakers]

	As most of you already know, WinNT.Remote Explorer is the first NT
native virus, which keeps itself in memory as a system service. It was also
released solely on the MCI network, making it available only to the anti-virus
community...until now. Unfortunately I was only able to acquire a binary of
this virus. It was quite difficult to acquire even this sample, so I hope
it can be of use to you all. It is my opinion/guesstimate that Remex was
actually written by a micro$oft employee. It was written in VC++ and utilized
SDKs available only to midlevel programmers. Below is AVP's writeup on
Remote Explorer.

AVP Desc:

This virus infects Windows executable files (PE files). It spreads only under
Windows NT on servers and workstations. The virus is able to spread over the
local network, not only on the local machine. This is the first known 
parasitic virus that stays in the WinNT memory as a system service.

Installation

When an infected EXE file is executed on the system for the first time, the
virus gets control and runs its installation procedure. It copies itself to the
WinNT System32\Drivers directory under the name IE403R.SYS and runs this copy
as a system service. The EXE instance of the virus then releases control.
If an infected EXE file is executed on an already infected system, the
virus looks for its code in the system, removes it and replaces it with its
new copy. So the virus seems to be able to upgrade itself with a new version.
When the infected driver (the IE403R.SYS file) is executed, the virus stays
in system memory as a standard Windows NT service, but does not hook any
system events. Instead, the virus just delays in a "sleeping" loop that is
interrupted by the system timer every ten minutes. The virus then randomly runs
its infection and hiding routines: in 2 cases out of 5 it runs the infection
routine, otherwise it runs the hiding routine.

Infection and Damage

The infection routine scans local and shared remote drives, looks for EXE
files and infects them. While infecting, the virus compresses the target EXE
file, writes itself to the top of the target file (overwriting it), and adds
the compressed data to the end of its code as a PE file resource. To run the host
file when the infected file is run, the virus extracts it from the resource to
a temporary file, executes it, and then deletes the file. While compressing,
the virus uses the "deflate" method with GZIP-like data headers.
Depending on the system random counter, the virus also corrupts randomly
selected files on the disk that is being scanned. The virus compresses them
using the same compression method and then encrypts them with some optimal
algorithm.
Depending on the system random counter, in 1 case out of 20 the virus also
scans the network drives by using their UNC names and processes them in the
same way as described above. The virus does not affect any files in the
Windows directory, nor in the Windows System and temporary directories
or in the "C:\Program Files" folder. The virus also checks the file name
extension and does not encrypt .OBJ, .TMP and .DLL files.
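As an added example (not code from this article or from AVP), the following Python carver locates GZIP-like members in an arbitrary byte blob by their magic bytes and confirms that a complete deflate stream follows, the kind of check an analyst applies when looking at how the compressed host program is stored in an infected file's resources. The filler bytes, the decoy magic and the fake host file are constructed for this example; the carver itself is generic and works on any file image.

```python
"""Carve GZIP-like members out of a byte blob.

Added example, not code from the CodeBreakers article or from AVP. The
writeup says the compressed host program is stored as a PE resource using the
"deflate" method with GZIP-like headers; an analyst can locate such payloads
by their magic bytes and confirm that a well-formed member follows. The
filler, the decoy magic and the fake host file below are constructed.
"""
import gzip
import zlib
from typing import List, Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM = 8 (deflate)


def find_gzip_candidates(blob: bytes) -> List[int]:
    """Return every offset at which the GZIP/deflate magic appears."""
    offsets = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets


def carve_gzip_member(blob: bytes, offset: int) -> Optional[Tuple[bytes, int]]:
    """Inflate the member starting at offset.

    Returns (payload, member_length) on success, or None when the bytes are
    not a complete, well-formed member (a false-positive magic hit).
    """
    # wbits = 16 + MAX_WBITS makes zlib expect a gzip header and trailer.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        payload = d.decompress(blob[offset:]) + d.flush()
    except zlib.error:
        return None
    if not d.eof:
        return None            # input ended before the gzip trailer
    member_length = len(blob) - offset - len(d.unused_data)
    return payload, member_length


def carve_all(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (offset, length, payload) for every valid member in blob."""
    found = []
    skip_until = 0
    for off in find_gzip_candidates(blob):
        if off < skip_until:
            continue           # magic bytes inside a member already carved
        result = carve_gzip_member(blob, off)
        if result is None:
            continue
        payload, length = result
        found.append((off, length, payload))
        skip_until = off + length
    return found


# Constructed sample: filler, a decoy magic followed by garbage, then a real
# member wrapping a fake host executable, then more filler.
FAKE_HOST = b"MZ" + b"\x90" * 64 + b"hello from the host program"
SAMPLE_BLOB = (
    b"\x00" * 32
    + GZIP_MAGIC + b"\xff\xff"       # reserved FLG bits set: zlib rejects it
    + b"\x00" * 16
    + gzip.compress(FAKE_HOST, mtime=0)
    + b"\x00" * 32
)

if __name__ == "__main__":
    for off, length, payload in carve_all(SAMPLE_BLOB):
        print(f"member at offset {off}, {length} bytes, payload starts {payload[:2]!r}")
```

The magic-byte scan alone produces false positives on any large binary, so each hit is only reported once zlib reaches the gzip trailer; `unused_data` then gives the exact member length, which lets the scan skip over the member rather than re-reporting magic bytes that happen to occur inside it.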

Hiding routine

This routine is run after the infection routine, and "cleans" virus traces in
the system. First of all it looks for windows with the "TASKMGR.SYS -
Application Error" and "Dr.Watson for Windows NT" titles and closes them. So
the virus bypasses the error messages caused by its bugs.
The virus then checks whether its driver has "slept" for too long (more than one
hour). In this case the virus kills the service. The virus also deletes the
DRWTSN32.LOG file as well as all "~*" files in the Windows temporary
directory.

Features

When the virus is installing itself into the system, for some time it is
visible in the Task Manager's process list under the "IE403R.SYS" name. At any
time it is visible in Control Panel/Services as the "Remote Explorer"
service.
The virus does not work under Windows 95/98. Under Windows 95 the infected
files are terminated with a standard error message; under Windows 98 the virus
successfully extracts and executes the host file, but does not install itself
into the system.
The virus is able to run on an NT machine only if the current user has
Admin privileges, otherwise the virus fails to install its service in NT
memory. Despite this, if the computer is already infected, logging in with a
non-Admin account will not stop the virus already installed in memory.
The virus infection, hiding and damage routines work only in non-working
hours: all day on Saturday and Sunday, and on other days only from 21:00 till
6:00. Otherwise the virus sets the lowest priority for itself and
"sleeps" for long periods of time. So the virus runs its routines in
work hours, but only if nobody has been accessing the computer for a long
time. The virus has bugs and may work incorrectly. It does not check file
FORMATS and infects DOS EXE files as well as Windows EXE files, for example.

Additional Tech Details

The virus is quite large - it is written in Microsoft Visual C++ and is
about 125K. The original virus code occupies about 14K, GZIP routines - 20K,
C run-time libraries - 40K. The rest is occupied by virus/C++ data,
resources, etc.
The virus has quite an unusual structure: the infected files have code and
data segments, as well as three resources that contain compressed executable
files. The first resource contains the standard NT4 PSAPI.DLL that is used by
the virus to access processes in system memory.
The second resource is the original virus code itself (including the same
compressed PSAPI.DLL in its resource). This copy of the virus code is used as
the original data to install the virus into the system and to infect EXE
files. The third resource is the host file, which is extracted and decompressed
when the virus needs to run the host program.
System Registry: while installing its SYS driver into the system the virus uses
standard NT API calls. That causes the system to register the virus driver
in the system registry - the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer key is
created. Temporary files: while compressing/decompressing files the virus
needs to create temporary files. It creates them in the Windows temporary
directory with random names of the form ~xxxdddd.TMP (where 'x' - letters, 'd' -
digits).
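The service name, driver file, registry key, temp-file naming scheme and activity schedule described above are the host-level indicators a responder would check for. As an added example (not code from this article or from AVP), here is a Python triage routine that applies those indicators to a snapshot of host state and a function that tells whether a given timestamp falls inside the virus's active window. The snapshot format and the sample snapshots are constructed for this example; on a live NT machine a collector would populate them from the service control manager, the registry and the filesystem.

```python
"""Offline triage for the Remote Explorer indicators named in the writeup.

Added example, not code from the CodeBreakers article or from AVP. The host
state is passed in as a plain Python snapshot (service names, registry keys,
driver and temp directory listings, process names) so the logic runs offline;
on a live NT machine a collector would fill these from the service control
manager, the registry and the filesystem. The snapshots below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List

# Indicators taken from the AVP description.
SERVICE_NAME = "Remote Explorer"
DRIVER_NAME = "IE403R.SYS"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer"
# Temporary files named ~xxxdddd.TMP: three letters followed by four digits.
TEMP_NAME_RE = re.compile(r"^~[A-Za-z]{3}[0-9]{4}\.TMP$", re.IGNORECASE)


def active_window(timestamp: str) -> bool:
    """True if the infection/hiding/damage routines would run at this time.

    Per the writeup they run all day on Saturday and Sunday, and on other
    days only from 21:00 until 06:00. timestamp is an ISO 8601 string such
    as "1999-01-04T22:30".
    """
    when = datetime.fromisoformat(timestamp)
    if when.weekday() >= 5:        # Monday = 0 ... Saturday = 5, Sunday = 6
        return True
    return when.hour >= 21 or when.hour < 6


def triage(snapshot: Dict[str, List[str]]) -> List[str]:
    """Return one finding per indicator present in the snapshot."""
    findings = []
    for svc in snapshot.get("services", []):
        if svc.lower() == SERVICE_NAME.lower():
            findings.append(f"service '{svc}' is registered")
    for key in snapshot.get("registry_keys", []):
        if key.lower() == SERVICE_KEY.lower():
            findings.append(f"registry key {key} exists")
    for name in snapshot.get("drivers_dir", []):
        if name.lower() == DRIVER_NAME.lower():
            findings.append(f"driver file {name} present in System32\\Drivers")
    for name in snapshot.get("temp_dir", []):
        if TEMP_NAME_RE.match(name):
            findings.append(f"temp file {name} matches the ~xxxdddd.TMP pattern")
    for proc in snapshot.get("processes", []):
        if proc.lower() == DRIVER_NAME.lower():
            findings.append(f"process {proc} is running")
    return findings


# Constructed snapshots: one clean host and one showing every indicator.
CLEAN_SNAPSHOT = {
    "services": ["EventLog", "Spooler"],
    "registry_keys": [r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler"],
    "drivers_dir": ["ntfs.sys", "tcpip.sys"],
    "temp_dir": ["~DF1234.TMP", "setup.log"],     # two letters: does not match
    "processes": ["csrss.exe", "explorer.exe"],
}
INFECTED_SNAPSHOT = {
    "services": ["EventLog", "Remote Explorer"],
    "registry_keys": [SERVICE_KEY],
    "drivers_dir": ["ntfs.sys", "ie403r.sys"],
    "temp_dir": ["~abc0042.TMP", "~DF1234.TMP"],
    "processes": ["csrss.exe", "IE403R.SYS"],
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_SNAPSHOT), ("infected", INFECTED_SNAPSHOT)):
        print(label, triage(snap) or ["no indicators"])
    print("active at Monday 09:00?", active_window("1999-01-04T09:00"))
```

Names are compared case-insensitively because NT filesystems and the service database are case-insensitive, and the temp-file pattern is deliberately strict (exactly three letters and four digits) so ordinary `~DFxxxx.TMP` files created by legitimate software do not trigger it. The `active_window` check is useful when correlating file modification times: changes to EXE files outside the window are unlikely to be this virus's work.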

Resume
The virus is the first native "memory resident" NT infector, so it might look
like some super-virus. Actually the virus was written by some middle-level
developer that has access to the NT Device Development Kit documentation.
The virus does not hook any NT event, does not use any network protocols,
does not try to access passwords, and does not spread its copy over the global
network. Moreover, ordinary DOS parasitic viruses have the same network
spreading abilities as this virus has - they also can infect files on
remote shared drives, stay in system memory, etc.
This is just a standard parasitic virus, but with NT service infection
ability. It is not more complex than some other already known Windows
viruses are, and definitely not more complex than the well-known BO trojan
(BackOrifice). This virus is not a shock at all - it is the long-awaited
WindowsNT-service virus.