Network Associates said Monday it found one of the most sophisticated computer viruses ever discovered.
The company, which sells anti-virus and other security software, said in a teleconference that unlike most viruses, Remote Explorer spreads through corporate networks without user intervention and is designed to exploit applications and files. It initially infects systems through traditional methods -- email attachments, floppy disks, or downloads from the Internet.
The virus was detected Thursday, 17 December, infecting NT-based call centers at MCI WorldCom in Jackson, Mississippi. As of Tuesday morning, Network Associates was still analyzing the code, and was preparing to distribute a sample to other anti-virus vendors.
"It was something that was detected quickly and detained quickly," said MCI spokesman Jim Monroe. "It had no impact on our ability to provide service to our customers."
MCI contained the virus by Tuesday morning and was in the process of purging it from the system, Monroe said.
The virus was written in the C programming language and is about 125 kilobytes in size. System administrators can identify an infected system by opening up the Services applet in the NT Control Panel. If "Remote Explorer" is listed as a service, the system is infected.
"In our 10-year history, seeing some 30,000 viruses, this is much more sophisticated than anything we've seen before," said Peter Watkins, general manager of Network Associates' security division.
Once inside a network, the virus uses the resources it finds on the network to propagate itself. It looks for remote-administration methods and impersonates administrators to break through security procedures. When it infects an application, it renames itself with the application name. Then every time that program is accessed in the future, the virus relaunches itself and starts its process over again.
Remote Explorer also compresses and encrypts files it encounters as it travels around the network, which is how it was detected in the first place. Once those files are encrypted, they are completely inaccessible and unusable.
Vincent Gullotto, manager of Network Associates' AVERT (Anti-Virus Emergency Response Team) Lab, estimated that the virus would have taken about 200 hours to construct. He said Network Associates has tools to contain the virus and is providing troubleshooting advice through its Web site. The company said it will make information available to other vendors and organizations as soon as its summary and analysis are completed by late Monday.
The virus is limited to Microsoft Windows NT networks, the company said, and can't replicate itself in Unix or Novell-based systems.
"Our cleaner will minimize the impact of this first appearance, but we're worried about the next one," Watkins said. "You can imagine there might be more malicious payloads than encrypting data files in the future. This definitely ups the ante."