Virus that negates Y2K work?

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

In a recent y2k meeting with programmers at work, my dh was informed that a virus exists that can wipe out y2k reprogramming and render the system non-compliant. He's going to try to see if he can get more info on this so I can post it, but my question is, has anyone else heard of this? He said at first he thought it was a rumor, but it may not, since it would be relatively easy to program. Any thoughts?

-- jhollander (hollander@ij.net), December 24, 1998

Answers

I've heard there's a new computer virus called "Remote Explorer". You can search for current news articles on it at this link:

http://search.excite.com/search.gw?collection=timely&lk=excite&search=%22remote+explorer%22

-- Kevin (mixesmusic@worldnet.att.net), December 24, 1998.


I heard something about it yesterday, several times on the radio and TV. The virus is one that is most devastating, and it attacks Microsoft software. It was discovered I believe by AT&T.

-- sammy (sammy@aol.com), December 24, 1998.

Here's the first article I saw on this virus. Notice that it's described as the first real case of "cyber-terrorism":

http://www.msnbc.com/news/225718.asp

"Self-replicating virus attacks MCI -- Network attacked by code that mimics human administrator"

-- Kevin (mixesmusic@worldnet.att.net), December 24, 1998.


I do not know of any specific information, and this is not meant to totally dismiss the possibility of intentional sabotage, but...

One of the things that makes Y2K such an overwhelmingly huge issue is that it exists in a multitude of different hardware systems, running hundreds of different operating systems, hidden in code written in a multitude of different computer languages.

But viruses, on the other hand, are machine/operating system-specific. That is, a virus written to infect a DOS or Windows machine cannot 'infect' a Unix box or a large IBM mainframe or an embedded system. (With the advent of machine-independent languages such as Java, this fact may eventually change.)

Therefore, while it is possible some knucklehead wrote a virus to corrupt DOS/Windows-based machines, it would most likely pose no larger threat than any of the other thousands of viruses which already exist. Further, such a virus, if it existed, could not infect and multiply on non-DOS/Windows machines.

In short, computer viruses are a problem that we deal with daily. If you've ever had your data trashed by one, you already know how important backups are. They are frustrating, potentially costly (if you haven't backed up that data) and time-consuming. They need to be guarded against (especially as it relates to your business) but currently cannot spread beyond the single specific operating system they were written for (i.e. Windows/DOS/Mac/Unix, etc.). At least yet...

-- Arnie Rimmer (arnie_rimmer@usa.net), December 24, 1998.


On the so called "Remote Explorer" virus, you may be interested in the following I received this morning on one of the mailing lists I subscribe to. Russ Cooper runs a list called NT BugTraq. I've been a subscriber for a couple of years and have a high regard for the information I receive from this source:

(for those who wish to avoid the Geekspeak below, the basic premise is that the threat from this "Remote Explorer" virus has been overblown)


Sender: Windows NT BugTraq Mailing List
From: Russ
Subject: Re: Alert: Remote Explorer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The hyperbole that is oozing out of some corporation's marketing and PR wings is getting pretty hard to take.

Some vendors, however, are doing a good job of reporting about Remote Explorer. An example of this can be seen at;

http://www.avp.com/about/press/122398/body_122398.html

Let me also pass along some other interesting footnotes.

- I have been contacted by Intel, Panda Software, Symantec, and other private virus researchers hoping to get copies of the virus. NAI did not make the virus available to the anti-virus community until late this afternoon. A source told me that Microsoft were told they had to sign a non-disclosure agreement with NAI in order to get a copy of it themselves.

- The claim that other sites have been infected is tenuous at best. My investigations of the originating post to usenet from wacko@kdi.com on 12/20 at 12:28EDT indicates that it was, in fact, posted by an MCI employee. MCI originally, and understandably, did not want their name associated with this publicly. KDI.com is an ISP in the Austin, Texas area and could not, by any stretch of the imagination, be seen as an "attacked site".

- NAI's stock rose by $6/share on Monday, and some analysts are attributing that rise to the announcement they made about Remote Explorer. I've had discussions with some insiders about the possibility that the rise was due to rumors of Cisco buying NAI, but some firmly believe this is not the case.

In all likelihood should Remote Explorer ever find its way into the wild it will be as a result of the exchanges of the virus code that have occurred since its announcement by NAI.

In my opinion, NAI could reasonably be held responsible for any such exposures. Had NAI responsibly responded to requests for the virus by legitimate anti-virus vendors and known experts capable of analyzing what it did, in a timely fashion, the number of exchanges of the code that have happened "in the wild" would have been dramatically diminished. Further, had they not over-stated the risks involved with this issue in as many forums as they did, the fervor with which many people have sought the virus would not have happened.

It is a plain and simple fact that more information about what Remote Explorer does, how to detect it, and what can be done to prevent/thwart it has come from the non-NAI folks who have cooperatively discussed what it does with each other.

In my opinion, NAI made this process more difficult, and left the entire NT community at more risk as a result of their choice of actions.

I've been told that many an NT Administrator has been recalled from their holidays in order to "deal" with the threat NAI (and others) say exists from Remote Explorer. It is my understanding that MCI was, and is, convinced that the application never left the building other than to investigators.

Ergo, in my opinion, no such threat actually existed (directly from Remote Explorer, other than from the distribution of the virus between concerned and interested parties).

If anyone out there discovers a file called IE403R.SYS, having a date/time stamp of 12/20/98-1:22:48am (EDT I believe), and a size of 125,440 bytes, please send me a note at Russ.Cooper@rc.on.ca.

If I am wrong and Remote Explorer is "in the wild", I want to be the first to admit it and inform you that you need to start worrying. I will, however, do what I can to validate any claims to this effect before I let such information out to the list. If you feel that such a position puts your company/org at risk then please inform me also.

As always, NTBugtraq is certainly not the only place such information can be posted. Hopefully, however, it's your source for the most up-to-date and accurate information (despite my paux faux of yesterday...;-]). All in the interest of providing the best possible information for securing your Windows NT environments.

Cheers, Russ - NTBugtraq moderator

Sender: Windows NT BugTraq Mailing List
From: Russ
Subject: Re: Alert: Remote Explorer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Seems the reverse engineering of the story continues.

CNet has published a story which contains some responses from NAI to some of the claims I've made. See;

http://www.news.com/News/Item/0,4,30291,00.html?st.ne.lh..ni

The best quote in the story is from Enrique Salem, VP for the antivirus unit of Symantec, who said (in response to my theory that Remote Explorer was intended to be a useful virus);

"I definitely believe it was somebody writing a malicious virus," said Salem. "If you were trying to do something beneficial, you wouldn't try to do all the things it was doing."

I could make all kinds of jokes about this...like "Microsoft NT and virtually all 3rd party applications for it are now considered a virus by anti-virus vendors because they try and do so many things..." (I'm joking, Ok!)

How's about..."until we can figure out a useful task for this code to do, we'll label it a virus".

Any software company interested in about 14 new product ideas based on Remote Explorer, please contact me directly at Russ.Cooper@rc.on.ca. If I were the "malicious" person who'd just given away all my ideas via this virus, I'd be pretty peeved right now.

Gee, was NAI looking for a network update method for their anti-virus programs?

Cheers, Russ - NTBugtraq moderator



-- Arnie Rimmer (arnie_rimmer@usa.net), December 24, 1998.
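As an added, defender-side example (not from the original thread or from NTBugtraq), here is a Python script that walks a directory tree for the indicator Russ gives above: a file named IE403R.SYS of 125,440 bytes. The sample tree it scans is constructed inline; the modification time is reported rather than matched, since a copied file does not keep the original 12/20/98 timestamp.

```python
import os
import tempfile
from datetime import datetime

# Indicators quoted in the NTBugtraq post: file name and size.
# The timestamp (12/20/98 1:22:48am, time zone uncertain) is only reported.
IOC_NAME = "ie403r.sys"
IOC_SIZE = 125_440


def scan_for_remote_explorer(root):
    """Walk `root`; return one record per file whose name matches the indicator,
    flagging whether its size matches too (name-only hits are worth a look as well)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != IOC_NAME:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            hits.append({
                "path": path,
                "size": st.st_size,
                "size_matches": st.st_size == IOC_SIZE,
                "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
            })
    return hits


def build_sample_tree(root):
    """Constructed sample data: one name+size match, one name-only match, one decoy
    with the right size but the wrong name. Directory names are arbitrary."""
    os.makedirs(os.path.join(root, "dir_a", "sub"), exist_ok=True)
    with open(os.path.join(root, "dir_a", "sub", "IE403R.SYS"), "wb") as f:
        f.write(b"\x00" * IOC_SIZE)
    with open(os.path.join(root, "dir_a", "ie403r.sys"), "wb") as f:
        f.write(b"\x00" * 10)
    with open(os.path.join(root, "dir_a", "other.sys"), "wb") as f:
        f.write(b"\x00" * IOC_SIZE)


def demo():
    """Build the sample tree in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_remote_explorer(tmp)


if __name__ == "__main__":
    for hit in demo():
        flag = "NAME+SIZE" if hit["size_matches"] else "name only"
        print(f"{flag}: {hit['path']} size={hit['size']} mtime={hit['mtime']}")
```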


"In a recent y2k meeting with programmers at work, my dh was informed that a virus exists that can wipe out y2k reprogramming and render the system non-compliant. He's going to try to see if he can get more info on this so I can post it, but my question is, has anyone else heard of this? He said at first he thought it was a rumor, but it may not, since it would be relatively easy to program. Any thoughts?"

YES - this rumour is *TRUE* - this virus was cunningly inserted over the last forty years, worldwide, in nearly all systems and embedded systems, in a feat of unmitigated audacity. It has been self replicating also, in that the work of the pioneer hackers has been perpetuated by the peeceeweenies of our era too.

The interdependent complexity of the virus is also its highest danger - its absolute, mind-boggling simplicity.

So simple in fact, thanks to the brilliance of those pioneer hackers basking in glory now in their retirement, that it has remained undetected until this very day, with many systems still unaware of the timebomb within.

Two digits instead of four.

That simple. That deadly.

Coming to a theatre near you, new year's day 2000.

No passes please.

-- Andy (2000EOD@prodigy.net), December 24, 1998.


..
 


-- Arnie Rimmer (Arnie_Rimmer@usa.net), December 24, 1998.

Wow, ever think that a big company may want to leak this out now, to then blame their empire coming down on some two-bit hacker? Sounds like it could happen. To lead, first you must have panic; without panic no one will follow you.

MONGO: Wag the dog. Break with the story denying it first, then wait for your turn; control the field from both ends and you will soon win the battle.

-- Ron (mongo@earthling.net), December 25, 1998.

