
MCI WorldCom network virus may be inside job

Telecom giant calls in Network Associates' emergency response team to stop virus from spreading.

December 22, 1998
Web posted at: 4:10 PM EST

by Ellen Messmer


(IDG) -- A new strain of computer virus that attacked MCI WorldCom's internal business network of NT servers may have been started by a disgruntled employee, MCI WorldCom has acknowledged.

The company, which is in the midst of layoffs, said it is investigating the possibility of an inside job. The strain, which is believed to be the first NT-hosted virus, was first detected last Thursday. It corrupts files and encrypts data, making them unreadable.

MCI WorldCom spokesman Jim Monroe, who declined to offer much detail about the virus attack, claimed that it "has had no serious impact on MCI's ability to deliver service to its customers." However, Network Associates, whose antivirus emergency response team was called in to help MCI WorldCom with the incident, said that the virus, dubbed Remote Explorer, wreaked havoc on files in hundreds of desktop computers connected to MCI's large NT-based network.

"We've never seen anything like this in 10 years of doing business," said Peter Watkins, general manager in the security division at Network Associates, about Remote Explorer's modus operandi. Network Associates believes it is the first totally NT-hosted virus that spreads by exploiting a network's features in order to corrupt files or lock them up through encryption.


Weighing in at 125 kilobytes, the virus acts like a network administrator run amok. In fact, the artfully crafted virus was probably deployed on an NT server within the unlucky organization by an inside employee, say Network Associates experts still studying the case. But it remains unclear whether Remote Explorer can penetrate an organization without inside help or if this malicious code is yet up on hacker Web sites.

"This is a very sophisticated virus written by a knowledgeable person familiar with business processes," explained Vincent Gullotto, manager of the Network Associates antivirus emergency response team. "It's the first NT-hosted virus we've seen, and the virus uses the network to spread into the NT programs."

Remote Explorer, which has to somehow be installed in the NT driver subdirectory, acts like an NT remote management monitor, sits in on sessions, gathers data and impersonates a network administrator, Gullotto said. "The virus emulates a network administrator and gives itself as many rights as it can."

The virus is intrinsically different from any other virus spotted before because it doesn't spread through more traditional means, such as floppies, or through e-mail as macro viruses do.

"If you discover it, it won't let you get rid of it by just shutting it off," Gullotto warned. The virus, formally called 4.03r.sys, carries a Microsoft DLL with it, and if you try to delete it, it simply creates another DLL.

The Remote Explorer virus corrupts HTML and other types of files through data-compression routines or encrypts them so they can't be read. It does not, however, appear to actually delete the files it attacks or to cause other mischief, such as reformatting a hard drive.

The virus was designed with a time routine that causes it to do damage between 3 p.m. and 6 a.m., as well as all day Saturday and Sunday, times when few people may notice it on a binge.

"It corrupts data so it's not usable, but we have developed a cleaner to cope with this," Gullotto noted. Network Associates is updating its VirusScan product with an antidote to counteract the virus's damage. Network Associates believes its antidote will even "make the system immune from it," Gullotto added. The antidote will restore files and decrypt files that were encrypted by Remote Explorer's 608-bit encryption component.

Remote Explorer doesn't appear to infect Unix or spread through Unix, though Network Associates is still running tests on a variety of Unix platforms before it issues a final determination.

Ellen Messmer is a senior editor at Network World.

© 2000 Cable News Network. All Rights Reserved.