Anti-Virus Software & Home Pages

Back to Web Utility Pages
Back to the Lauderdale County Homepage
To the Windows 3.x Anti-virus Files
How to Deal with Viruses Online and Offline
FAQ for Viruses
Submit a question for the FAQ
"Happy99" email attachment virus info
All local copies linked to here are for Win95 unless noted
Download Calculator now available to figure approximate download times
Navigation Table
McAfee Antivirus
Norton Antivirus
Dr. Solomon
Thunderbyte
F-Secure
PC-cillin 95*
Carmel Anti-Virus*
Download Calculator
Plugins and Trojans
    * Local copy not available; home page link only


McAfee Anti-Virus
Programs, DATs and Utilities

Version   Size      Date
3.1.9     4835 KB   08/13/98
4.0.2     8511 KB   12/26/98

Virus Definition Updates (.DAT Files)
Version 2.x   Dat-9803.Zip   March 98           443 KB    This is the last one for version 2.x
Version 3.x   dat-3205.zip   June 11, 1999      1817 KB
Version 4.x   4048updt.exe   October 23, 1999   1802 KB

Utility
Microsoft Excel File Scanner (for macro viruses): Virus Scanner for MS Excel Files, 426 KB, 02/12/98

Download Calculator
[Tested to work only with Netscape 3 or above or Internet Explorer 4 or above]

Internet File Transfer Calculator
(requires JavaScript)

Round the file size to an even kilobyte (KB), megabyte (MB) or gigabyte (GB).
Enter the size and click the appropriate button.

These are approximate transfer times, given in hours, minutes and seconds for each connection speed:
9.6 Kb
14.4 Kb
28.8 Kb
33.6 Kb
ISDN (64 Kb)
ISDN (128 Kb)
T1 (1.54 Mb)
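As an added example (not the page's own JavaScript calculator), the same approximate transfer-time arithmetic in Python for the connection speeds listed above; it assumes 1024 bytes per KB, 8 bits per byte, and the nominal link rate in bits per second with no protocol overhead:

```python
# Approximate file transfer-time calculator (added example, not the page's code).
# Assumptions: 1 KB = 1024 bytes, 8 bits per byte, nominal link rate in bits/s.

SPEEDS_BPS = {  # the speeds from the page's table, in bits per second
    "9.6 Kb": 9_600,
    "14.4 Kb": 14_400,
    "28.8 Kb": 28_800,
    "33.6 Kb": 33_600,
    "ISDN (64 Kb)": 64_000,
    "ISDN (128 Kb)": 128_000,
    "T1 (1.54 Mb)": 1_540_000,
}

UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def transfer_seconds(size, unit, bps):
    """Seconds needed to move `size` units (KB/MB/GB) over a link of `bps` bits/s."""
    bits = size * UNIT_BYTES[unit] * 8
    return bits / bps


def hms(seconds):
    """Split a duration in seconds into (hours, minutes, seconds), rounded to whole seconds."""
    total = int(round(seconds))
    return total // 3600, (total % 3600) // 60, total % 60


def transfer_table(size, unit):
    """Map each connection speed on the page to its (h, m, s) estimate for the file."""
    return {name: hms(transfer_seconds(size, unit, bps)) for name, bps in SPEEDS_BPS.items()}


if __name__ == "__main__":
    # Example: the 4835 KB McAfee 3.1.9 download listed above.
    for name, (h, m, s) in transfer_table(4835, "KB").items():
        print(f"{name:14} {h:2d}h {m:2d}m {s:2d}s")
```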


Norton Antivirus
Home Page

Version                                                    Size       Date
Norton 32                                                  2185 KB    02/13/98
Norton AV 95 ver 2.01                                      2014 KB    02/13/98
Norton AV 5.0 (30 day trial version)                       11906 KB   09/01/98
Norton Internet Security 2000 and Norton Anti-Virus 2000
  (30 day trial version)                                   47559 KB   02/22/2000

Virus Definitions update
Versions                                           Size      Date
Pre-Version 5.0 Norton Virus Definitions update    1975 Kb   February '98
[these are now handled with "Live Update"]
Dr. Solomon's Antivirus Toolkit
Home Page

Version                          Size      Date
Find Virus for Windows 95        3194 Kb   02/13/98
Virusscan Command Line 4.02      2979 KB   04/10/99

ThunderByte AntiVirus
Home Page

Version                      Size      Date
Windows 95 version 8.01      1005 KB   02/12/98

F-Secure Antivirus
Home Page

Version      Size      Date
Windows 95   5.48 MB   04/10/99

Windows 98 Plugin Viruses and Trojans
Windows 98 changes some of the networking abilities of Windows 95, making the configuration much simpler. On the face of it that appears to be a good thing, but it also allows small server programs to be installed on the system, giving remote users access and user privileges on a PC connected to the Internet. The programs listed below are supposed to clean the registry settings that allow this, and are listed by the name of the plugin virus.

Plugin   Size     Date
Netbus   151 KB   01/04/99
Back Orifice can be detected and removed with Norton Antivirus 5.0 as it is on the server here!
This Information courtesy Symantec's website:


Description: 
BackOrifice.Trojan is a program or applet that may cause detrimental effects to your system and should be deleted. 

Additional Comments: 
This is NOT a virus but a Trojan Horse program that may jeopardize your system's security. If a firewall is being used, your system should remain secured. Delete this file and its Win95 registry entry.

This Information courtesy Network Associates website:


   Virus Profile 

Virus Name 
Back Orifice 

Date Added 
11/24/98 1:43:00 PM 

Virus Characteristics 
This is software for remote computer control. It consists of two components - a server program and a client program. There are two types of client - command line driven and GUI. When the server program is run on a Windows95/98 machine, it copies itself to the local disk under the name " .exe" (first character is space, size is 124928 bytes) and installs a reference to that file in the registry so that it is run every time the machine restarts. The program hides its own presence - it is not visible as a task although it is running permanently in the background awaiting commands coming from the client through the network. After the server program is installed on a computer, the person controlling the client has remote control over the machine running the server program. This requires both machines to be connected to the Internet. This control includes recording the keystrokes pressed, restarting or hanging the machine, running, accessing, modifying and transferring files. It can also transmit screenshots. The Orifice software is functionally very similar to Netbus software of the same kind. There are also many commercial programs for remote control (like Carbon Copy, SMS, PC-Anywhere) and the only substantial difference is that Orifice software tries to conceal its presence when active. The software also has a program to reconfigure the server application. Filename, TCP/IP port, registry key, password for client-server data exchange and additional DLL can be configured. 

Remote Explorer & Picture.exe are handled by McAfee Antivirus 4.02 with the most recent virus definitions installed
 This Information courtesy Symantec's website:

Description: 
This virus targets the Windows NT platform. It infects executable files on an infected WinNT machine as well as executable files on attached network drives. 

If a user with administrator privileges executes an infected program, the virus installs itself as a service called "Remote Explorer". The virus-installed service resides on the infected system as the file "IE403R.SYS" in the "\WinNT\System32\drivers" folder. On weekdays between 6AM and 3PM, the virus sets its thread priority to the lowest setting. On weekdays between 3PM and 6AM and on weekends, the virus sets its thread priority to one step above the lowest setting. Thus the virus becomes more active during "off-work" hours. This service also creates a process named TASKMGR.SYS every 10 minutes or so. 

The virus can infect files on attached network drive(s) over a Win-NT network provided another WinNT machine, with an identical admin user logged on to it, logs on to the infected WinNT machine where the viral service is running. When activated, the infection routine picks a directory at random on the shared drive(s) on one of the attached network drives. It proceeds to infect the EXE files in the chosen directory, and except for files with the extension .DLL or .TMP, it encrypts the remaining files in the directory. In infecting EXE files, the virus does not check if the file is Win32 or not; thus, some DOS EXE will get infected too. Since an infected EXE file is over 150K larger than the uninfected file, the infection is obvious. 

When infecting a Win32 EXE file (host), the virus creates a viral Win32 EXE file to replace the host. It adds the host's icon(s) into the infected file's ICON resource section, and it adds the GZIP-compressed host program into the infected file's RCDATA resource section. The infected file also carries a GZIP-compressed copy of PSAPI.DLL and a GZIP-compressed copy of the viral service module (IE403R.SYS) in its RCDATA resource section. The GZIP-compressed host is extracted into a temporary directory when an infected file is executed; the virus passes control to the extracted host after it runs its viral code. 

In the other Windows platforms, the virus does not work. In Windows 95, executing an infected file will give an error message about a missing DLL export. In Windows 98, executing an infected file will execute the host file but does not install the NT-specific viral service. 

Payload: 
The virus encrypts other files, except DLL and TMP files, in a directory that it chooses to infect. The encrypted file is GZIP-compressed and encrypted with a custom encryption. 

Repair Notes: 

IE403R.SYS and TASKMGR.SYS need to be deleted. You can remove the "Remote Explorer" service by rebooting to DOS and deleting IE403R.SYS from DOS. 

IE403R.SYS is in SYSTEM32\DRIVERS subdirectory of WinNT directory. TASKMGR.SYS is in WinNT directory. 

You can also download the stand-alone REREMOVE tool from SARC download web site to remove the virus-installed service and to inoculate the system. 

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage: 
      http://www.symantec.com/avcenter/download.html

Write-up by: Raul Elnitiarta and Darren Chi 
December 28, 1998 


This Information courtesy Network Associates website:


Remote Explorer 

This info last updated 12/30/98 

Discovered at customer site on December 17, 1998. 
Primarily targets Microsoft Windows NT Servers and Workstation systems. 
The virus is memory resident, encrypts EXE, TXT, and HTML files. 
Spreads through a LAN/WAN environment. 

Indications you are hosting the virus: 

Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected. 
Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected. 
Virus Characteristics 

Remote Explorer – the most outstanding characteristic is that it can move/transport itself without typical user intervention (passed on floppy, via email) and replicate. 

It is the first infection program that spreads on either NT Servers, and/or NT Workstations. It does so by compressing the target executable. 
The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS. It also installs itself as a service with the name "Remote Explorer". It also carries a DLL that supports it in the infecting and encryption process. 
Preliminary analysis tells us that Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects files and compresses them in addition to encrypting data on a random basis.
Windows NT is the primary method for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus can not spread further on these platforms. 
Can infect any EXE and when doing so uses a compression routine (a.k.a. GZIP, a UNIX based program) to make the file unusable. 
It uses an encryption algorithm on data files including TXT and HTML formats. It appears to choose a directory randomly, and infects files that meet the criteria it has set, and encrypts others that it can't infect. 
It is a 125-kilobyte file infector, comprised of approximately 50,000 lines of code. This is an extremely large and complex virus. 
Written in "C", an initial estimate is that it took one person 200 or more man-hours to write and that person(s) used others to gain the knowledge and obtain additional precompiled code. 
It goes Memory Resident. A utility called RESCAN.EXE is available as RESCAN.ZIP from http://beta.nai.com/public/stand_alone. Thus the infected system can be cleaned without powering down when using RESCAN.EXE. It is a command line utility with optional parameters. Also detection is available in the latest HRLYDATS.ZIP and in the 3201 QA approved .DAT set for VirusScan v3.x; removal is only available via RESCAN.EXE. 
It carries a DLL with it to support it in the infection process. If the DLL is deleted it will make another copy. 
The virus has a time routine, which is designed to speed up the search and infection process during the period of 3:00 PM on any Saturday to 6:00 AM the following Sunday. 
The virus has no payload. 
The virus also has some interaction with the Dr. Watson program. Importance of this interaction is still under investigation. 
RESCAN.EXE can remove the encryption from the data files or decompress the infected files. RESCAN.EXE can remove it from memory without a reboot, remove the virus as a service, clean and repair the encrypted data files, and infected executables. Obtain RESCAN.ZIP from http://beta.nai.com/public/stand_alone. It is a command line utility with optional parameters. Also detection is available in the latest HRLYDATS.ZIP and in the 3201 QA approved .DAT set for VirusScan v3.x; removal is only available via RESCAN.EXE. 

Products available to users for protection against the "Remote Explorer" infection 

Virus signature updates are available for version 4.x, version 3.x and version 7.x engines. These signature updates provide DETECTION but do not clean/remove Remote Explorer. This will allow you to quarantine infected EXE and data files. 

The first 4.x engine products for VirusScan and NetShield NT have also just been released. Links are included to these products for reference. If you have already installed these products there is no reason to re-install. If you have not and are marshalling your network administrators to protect against this threat, we encourage you to move to this version. 
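As an added example that is not from Symantec, Network Associates or this page, the infection indicators named in both Remote Explorer write-ups above (the "Remote Explorer" service, IE403R.SYS or TASKMGR.SYS running as processes, and the dropped files under the WinNT directory) checked against constructed sample listings in Python. The listing formats and sample rows are assumptions, not real tool output:

```python
import re

# Indicators quoted from the Symantec and NAI write-ups above (added example, not vendor code).
SERVICE_NAME = "remote explorer"
PROCESS_NAMES = {"ie403r.sys", "taskmgr.sys"}  # TASKMGR.EXE is the legitimate Task Manager
DROPPED_FILES = {                               # lowercase, drive letter stripped
    r"\winnt\system32\drivers\ie403r.sys",
    r"\winnt\taskmgr.sys",
}


def check_services(service_lines):
    """True if a service named 'Remote Explorer' appears in a one-name-per-line service listing."""
    return any(line.strip().lower() == SERVICE_NAME for line in service_lines)


def check_processes(process_lines):
    """Suspicious image names found in the first column of a Task Manager style listing."""
    found = set()
    for line in process_lines:
        parts = line.split()
        if parts and parts[0].lower() in PROCESS_NAMES:
            found.add(parts[0].upper())
    return sorted(found)


def check_files(paths):
    """Paths from a directory inventory that match the dropped files (case-insensitive)."""
    hits = []
    for p in paths:
        if re.sub(r"^[a-z]:", "", p.lower()) in DROPPED_FILES:
            hits.append(p)
    return hits


def assess(service_lines, process_lines, paths):
    """Collect every indicator present; an empty list means none of the documented signs."""
    indicators = []
    if check_services(service_lines):
        indicators.append("service: Remote Explorer")
    indicators += ["process: " + name for name in check_processes(process_lines)]
    indicators += ["file: " + path for path in check_files(paths)]
    return indicators


# Constructed sample data shaped like an NT service list, Task Manager rows and a file inventory.
SAMPLE_SERVICES = ["Alerter", "Remote Explorer", "Server", "Workstation"]
SAMPLE_PROCESSES = ["Image Name    PID  CPU", "explorer.exe  120  00",
                    "TASKMGR.EXE   200  00", "IE403R.SYS    244  01"]
SAMPLE_PATHS = [r"C:\WINNT\System32\drivers\IE403R.SYS", r"C:\WINNT\notepad.exe"]

if __name__ == "__main__":
    for indicator in assess(SAMPLE_SERVICES, SAMPLE_PROCESSES, SAMPLE_PATHS):
        print("INFECTION INDICATOR -", indicator)
```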



This page is designed and written by John Jenkins. If there are any questions or other issues about the content, email me, and I will deal with it in a timely manner. If specific help is requested, an email address with an lctn.com or ecsis.net domain is required. As with all programs on the internet, you, the downloader, assume all risk of file damage or viruses that these or any programs received over the internet may contain. Neither CSS, ECS, nor the author will be responsible for any damage done by any program received over the internet. Please note this includes programs that are virus free but may cause problems with other programs on your computer, and programs that simply won't run right on a particular machine. 

Updated Tuesday, February 22, 2000