Virus hits MCI WorldCom systems

Security firm Network Associates calls the "Remote Explorer" virus an act of "cyberterrorism." But MCI WorldCom says it's no big deal.

A new computer virus has attacked telecommunications giant MCI WorldCom in what security firm Network Associates claims is a new method of virus attack.

"The attack has been contained, and it was detected early," MCI WorldCom spokesman Jim Monroe said. "It had no impact on our customers or our operations."

He declined to say how widely the virus, called "Remote Explorer," had spread on its network or how many computers had been affected.

The virus, which apparently propagates itself on Windows NT networks, was identified today after being detected Thursday, said Network Associates, which markets the McAfee antivirus software.

Microsoft confirmed that it has been working since Saturday with Network Associates to combat the virus, which it said attacks Windows NT machines running Intel chips only when operated in "administrator" mode.

Remote Explorer compresses program files so they cannot execute and encrypts data files so users cannot access them, Network Associates said. But Microsoft said the fix to the problem recovers lost data and returns machines to their original configuration.

Network Associates expects to post a "detector" for the virus on its Web site within hours, and a "cleaner" to combat the virus will be posted later today.

"It has the potential to do more damage to a business than any virus we've ever seen," said Gene Hodges, Network Associates vice president. "This is the first virus we've ever seen that we think has the potential to grind operations to a halt in a major company."

Because it can propagate itself so rapidly, he termed Remote Explorer the first instance of "cyberterrorism," a broad characterization so far not supported by anything MCI WorldCom has said about the virus.

But Jason Garms, Microsoft group product manager for Windows NT, played down the severity of the virus, saying it is similar to other viruses except in its ability to propagate itself rapidly.

"The best thing customers should be doing to protect themselves is to take part in safe overall computing practice," Garms said, adding that users should consider regularly using antivirus software.

Hodges said the virus steals information from an NT administrator, then uses administrator privileges to spread itself without any person's involvement.

"It just crawls around a network all by itself," said Hodges, who called it a "smart network virus" that cannot propagate itself over the Net but can be transported over the Internet via email or by posting an infected file.

Hodges said the programmer who created Remote Explorer, who has not yet been identified, is knowledgeable about Windows NT as well as Unix systems.

"It's a large virus, 120K compiled, so it was not a trivial programming effort," Hodges said.

The virus has not been seen elsewhere yet, but it can be transported not just via NT but also through machines that run Windows 95, Windows 98, Unix file servers for PC files, and NetWare.

Network Associates has posted instructions and a patch to detect the Remote Explorer virus and clean up its damage. They require use of Network Associates' antivirus software, but Hodges said companies can download free evaluation copies to use immediately, then add the cleaner file.