A new computer virus has attacked telecommunications giant MCI
Worldcom in what security firm Network Associates claims is a new method of
"The attack has been contained, and it was detected early," MCI Worldcom spokesman Jim
Monroe said. "It had no impact on our customers or our operations."
He declined to say how widely the virus, called "Remote Explorer," had
spread on its network or how many computers had been affected.
The virus, which apparently propagates itself on Windows NT networks, was
identified today after being detected Thursday, said Network Associates, which markets the McAfee
Microsoft confirmed that it has been working since Saturday with Network
Associates to combat the virus, which it said attacks Windows NT machines
running Intel chips only when operated in "administrator" mode.
Remote Explorer compresses program files so they cannot execute and
encrypts data files so users cannot access them, Network Associates said. But Microsoft said
the fix to the problem recovers lost data and returns machines to their
Network Associates expects to post a "detector" for the virus on its Web
site within hours and a "cleaner" to combat the virus will be posted later
"It has the potential to do more damage to a business than any virus we've
ever seen," said Gene Hodges, Network Associates vice president. "This is
the first virus we've ever seen that we think has the potential to grind
operations to a halt in a major company."
Because it can propagate itself so rapidly, he termed Remote Explorer
the first instance of "cyberterrorism," a broad characterization so far not
supported by anything MCI Worldcom has said about the virus.
But Jason Garms, Microsoft group product manager for Windows NT, played down the severity of the virus, saying it is similar to other viruses except in its ability to propagate itself rapidly.
"The best thing customers should be doing to protect themselves is to take part in safe overall computing practice," Garms said, adding that users should consider regularly using antivirus software.
Hodges said the virus steals information from an NT administrator, then
uses administrator privileges to spread itself without any person's involvement.
"It just crawls around a network all by itself," said Hodges, who called it a "smart network virus" that cannot propagate itself over the Net but can be transported over the Internet via email or by posting an infected file.
Hodges said the programmer who created Remote Explorer, who has not yet
been identified, is knowledgeable about Windows NT as well as Unix systems.
"It's a large virus, 120K compiled, so it was not a trivial programming
effort," Hodges said.
The virus has not been seen elsewhere yet, but it can be transported not
just via NT but also through machines that run Windows 95, Windows 98, Unix
file servers for PC files, and Netware.
Network Associates has posted instructions and a patch to detect the Remote Explorer virus and clean up its
damage. They require use of Network Associates' antivirus software, but
Hodges said companies can download free evaluation copies to use
immediately, then add the cleaner file.