
CERT downplays virus attack

The computer security clearinghouse said the "Remote Explorer" virus hasn't been found on any systems outside MCI WorldCom.

Downplaying a recent virus incident on MCI WorldCom's network, a respected computer security clearinghouse has posted an "incident report" on the infection by the "Remote Explorer" virus.

CERT, the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, says the incident remains the only reported case of infection, which is unusual with computer viruses. CERT reports the infestation hit 50 Windows NT servers.

CERT by policy does not name victims of security incidents, but MCI WorldCom has confirmed to CNET News.com that its network was infected last week.

MCI spokesman Jim Monroe said the virus has been cleaned from the network, but he would not confirm CERT's report on the scale of the infection. He reiterated MCI's earlier statements that operations and customers were not disrupted.

The Remote Explorer or "RICHS" virus, which some researchers describe as a "worm" because of the way it propagates itself over corporate networks, attacks Windows NT networks, servers, and workstations.

"The ability to install itself as [an NT] service probably means that Remote Explorer can propagate somewhat faster than other viruses," according to the CERT bulletin.

Microsoft has posted information on its Web site about how to determine if a network is infected.

While some are downplaying the incident, one industry analyst thinks it serves as a wake-up call for what he expects to be dangerous years in 1999 and 2000 for viruses and other malicious code.

"A little hype every once in a while, regardless of whether it's deserved or not, is a good thing. Basically this will shake up users and make them consider if they've updated their antivirus files anytime recently," said Chris Christiansen of International Data Corporation.

He also thinks 1999 and 2000 will be more dangerous years for computer viruses and other malicious code.

"This virus is more malicious than mischievous--people are using it for finely honed attacks, not for boasting on the Internet," he added.

Network Associates, which announced the new virus Monday, said it had no new reports of Remote Explorer infestations. It has posted software on its site for customers to download to check whether they have the virus. Patches to cleanse the virus and immunize systems against it were due out in beta versions last night.

Symantec said late today that it has received code for the complex virus and will make software to detect it available tonight. Software to remove the virus will be available next week, said Symantec's Motoaki Yamamura.

"In many ways, it is a very traditional virus," said Shawn Hernan, a member of CERT's technical staff. At 120K, Remote Explorer is relatively large for a virus, he said, an indication that it was created by relatively sophisticated programmers.

Users of the workstation version of Windows NT can avoid spreading the virus by logging on as a user, rather than an administrator, Microsoft's Jason Garms said yesterday, advice that is picked up in CERT's bulletin today. NT allows users to operate in either mode.

Although no other infestations have been reported, detection tools are just becoming available, so network managers may yet discover in coming days that Remote Explorer has appeared elsewhere.

Hernan said the origin of the virus, how it was introduced onto the company's network, and other details about the infection are not yet known.

CERT's bulletin also describes how to identify machines infected by the virus, and it repeats standard advice on avoiding viruses: install, update, and maintain anti-virus software; avoid running software from unknown or untrusted sources; make backups of network data periodically; and educate users about antivirus policies.

For Remote Explorer specifically, CERT suggests logging in with administrative privileges only when necessary, which can prevent the virus from spreading. Don't do ordinary tasks with administrative privileges, and log in as a domain administrator only from trusted workstations known to be free of the virus, CERT advises.

"That doesn't guarantee you won't be infected, but it maximizes your chances of surviving the impact," Hernan said.