LONDON - Businesses are being told to be on their guard against the most dangerous computer virus ever detected.

But it may be too late. The new virus is the first that can spread through a network unaided and then strike during the night or weekend, turning computer files into unintelligible code.

Unlike conventional viruses, Remote Explorer, as it calls itself, can infect a machine without the user having to open a file - usually an attachment to an e-mail.

Even more worrying, the virus is so sophisticated it can spread through a network without having to hitch a ride on an e-mail or file. It then uses an internal clock to strike at a quiet time, because it will take longer for problems to be detected.

Last week computer security experts at Network Associates' UK base in Aylesbury, Bucks, wrote a program that can detect the virus and destroy it. It is now available on the Internet at www.nai.com.

But the virus writer may have an even more sophisticated version he is waiting to unleash. Peter Watkins, general manager of Network Associates' Security Division in San Francisco, says that whoever is behind the threat is the most sophisticated virus writer he has come across.

"For sheer complexity and the obvious in-depth knowledge of its creator, nothing comes even close," he says. "When we first had the virus shown to us we were really worried. We looked at what it could do and realised that this was no ordinary virus. They are normally fairly simple - just a few lines of code that the user has to accidentally activate. They may then erase a few files and normally that's it.

"This new virus is thousands of lines long. It's got half a megabyte of code in it. We've been through the code now and it is clear this guy really knows what he is doing and probably has a lot more tricks up his sleeve. It is worrying."

The name Remote Explorer is a joke on the part of the virus writer because the virus works by using a function of Windows NT called Remote Explorer. This constantly scans the network an NT terminal is linked to so incoming mail or files can be spotted. The new virus is able to use this monitoring system to spread itself around a system without bringing attention to itself.

According to Watkins the virus is so clever it can infect applications, such as a word processor or spreadsheet, without the user knowing.

"It can just sit there and take on the look of the program's icon so the user has no idea his system has been infected," he says. "It just sort of wraps itself around the application and mimics it. Then, at the allotted hour, its internal clock ticks down and it strikes.

"The main thing it appears to do is to encrypt data so the user cannot get hold of it. We're pretty confident we can restore the data for our customer who was the first to be hit but that's only after we've had a team of security, Windows NT and networking experts in America and Britain working day and night on it."

The Remote Explorer is now mainly feared for what it may do in the future. While this version has shown how knowledgeable its author must be, it also hints that there is worse to come.

"Going through the thousands of lines of code we've found all kinds of possibilities that might be activated in the second version of this," says Watkins.

"There are several architectures and facilities within the virus that the writer seems to have chosen not to activate right now. If he does, it could make the virus a whole lot more destructive. It would erase files, rather than just encrypt them, and it would probably be even more prolific at spreading across a network without being spotted."

There is no evidence that the virus writer is intending to blackmail companies with the threat of data loss. It would appear the program is so complex that the writer may be creating viruses simply as an intellectual challenge.

"We don't know anything about who wrote this," says Watkins. "But it's fair to say there are some virus writers out there who want to show off and say: 'Hey, look at what I can do'. It doesn't make the virus any less destructive, particularly if there are further versions waiting to be launched. Also, if the author posts the code on an Internet site, somebody more malicious could have a field day with it."