MCI WorldCom network virus may be inside job

Telecom giant calls in Network Associates' emergency response team to stop virus from spreading.

A new strain of computer virus that attacked MCI WorldCom's internal business network of NT servers may have been started by a disgruntled employee, MCI WorldCom has acknowledged.

The company, which is in the midst of layoffs, said it is investigating the possibility of an inside job. The strain, which is believed to be the first NT-hosted virus, was first detected last Thursday. It corrupts files and encrypts data, making them unreadable.

MCI WorldCom spokesman Jim Monroe, who declined to offer much detail about the virus attack, claimed that it "has had no serious impact on MCI's ability to deliver service to its customers." However, Network Associates, whose antivirus emergency response team was called in to help MCI WorldCom with the incident, said that the virus, dubbed Remote Explorer, wreaked havoc on files in hundreds of desktop computers connected to MCI's large NT-based network.

"We've never seen anything like this in 10 years of doing business," said Peter Watkins, general manager in the security division at Network Associates, about Remote Explorer's modus operandi. Network Associates believes it is the first totally NT-hosted virus that spreads by exploiting a network's features in order to corrupt files or lock them up through encryption.

Weighing in at 125K bytes, the virus acts like a network administrator run amok. In fact, the artfully crafted virus was probably deployed on an NT server within the unlucky organization by an inside employee, say Network Associates experts still studying the case. But it remains unclear whether Remote Explorer can penetrate an organization without inside help, or whether this malicious code is yet up on hacker Web sites.

"This is a very sophisticated virus written by a knowledgeable person familiar with business processes," explained Vincent Gullotto, manager of the Network Associates antivirus emergency response team. "It's the first NT-hosted virus we've seen, and the virus uses the network to spread into the NT programs."

Remote Explorer, which has to somehow be installed in the NT driver subdirectory, acts like an NT remote management monitor, sits in on sessions, gathers data and impersonates a network administrator, Gullotto said. "The virus emulates a network administrator and gives itself as many rights as it can."

The virus is intrinsically different from any other virus spotted before because it doesn't spread through more traditional means, such as floppies, or through e-mail as macro viruses do.

"If you discover it, it won't let you get rid of it by just shutting it off," Gullotto warned. The virus, formally called 4.03r.sys, carries a Microsoft DLL with it, and if you try to delete it, it simply creates another DLL.

The Remote Explorer virus corrupts HTML and other types of files through data-compression routines or encrypts them so they can't be read. It does not, however, appear to actually delete the files it attacks or to cause other mischief, such as reformatting a hard drive.

The virus was designed with a time routine that causes it to do damage between 3 p.m. and 6 a.m., as well as all day Saturday and Sunday, times when few people may notice it on a binge.
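The reported schedule is useful to a responder as a triage filter: file modification times that fall inside the window are the first candidates for restoration, while files touched outside it are less likely to be the virus's work. The following is an added example written for this article, not code from Network Associates or from the incident; the exact boundaries of the window (3 p.m. through 6 a.m. the next morning on weekdays, all of Saturday and Sunday) are an interpretation of the article's wording, and the sample paths and timestamps are constructed.

```python
from datetime import datetime

# Reported payload-activity window for Remote Explorer (interpretation of
# the article's wording; adjust if the incident timeline says otherwise).
WINDOW_START_HOUR = 15   # 3 p.m.
WINDOW_END_HOUR = 6      # 6 a.m. the following morning
WEEKEND = {5, 6}         # datetime.weekday(): Saturday = 5, Sunday = 6


def in_damage_window(ts) -> bool:
    """Return True if a timestamp (datetime or ISO-8601 string) falls in the
    reported window. The weekday window wraps midnight, so it is the union
    of 15:00-23:59 and 00:00-05:59."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.weekday() in WEEKEND:
        return True
    return ts.hour >= WINDOW_START_HOUR or ts.hour < WINDOW_END_HOUR


def triage_mtimes(entries):
    """Split (path, mtime) pairs into paths whose modification time is
    consistent with the reported schedule and paths that are not.
    Returns (consistent, other), each preserving input order."""
    consistent, other = [], []
    for path, mtime in entries:
        (consistent if in_damage_window(mtime) else other).append(path)
    return consistent, other


# Constructed sample: modification times from a hypothetical NT file share.
SAMPLE = [
    (r"\\srv1\share\index.html", "1998-12-17T16:45"),  # Thursday, 4:45 p.m.
    (r"\\srv1\share\report.doc", "1998-12-17T10:30"),  # Thursday, 10:30 a.m.
    (r"\\srv1\share\notes.txt",  "1998-12-18T02:15"),  # Friday, 2:15 a.m.
    (r"\\srv1\share\plan.xls",   "1998-12-19T12:00"),  # Saturday, noon
]

if __name__ == "__main__":
    hit, miss = triage_mtimes(SAMPLE)
    print("consistent with reported window:", hit)
    print("outside reported window:", miss)
```

The filter is a prioritisation aid, not proof of infection: a file changed by a user at 4 p.m. lands in the same bucket as one corrupted by the virus, so the candidates still need to be checked for the compression or encryption damage the article describes before being restored.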

"It corrupts data so it's not usable, but we have developed a cleaner to cope with this," Gullotto noted. Network Associates is updating its VirusScan product with an antidote to counteract the virus's damage. Network Associates believes its antidote will even "make the system immune from it," Gullotto added. The antidote will restore files and decrypt files that were encrypted by Remote Explorer's 608-bit encryption component.

Remote Explorer doesn't appear to infect Unix or spread through Unix, though Network Associates is still running tests on a variety of Unix platforms before it issues a final determination.

RELATED LINKS

Contact Senior Editor Ellen Messmer

Windows NT "Remote Explorer" Virus
CERT advisory on the attack. Includes links to Microsoft and Network Associates documents on the virus.

MCI reshapes ATM and int'l voice nets
Network World, 12/21/98.

Brain drain hits MCI WorldCom
Network World, 12/7/98.

MCI WorldCom financials


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.