WinNT:RemExp

The RemExp virus was found at one large US company in December 1998. It is the first virus that stays resident as an NT system service when executed with administrator privileges. It infects Windows executable (PE) files and is able to spread over the local NT network when the administrator is logged in.

Recognition:
To determine whether the RemExp service is active, use the Services applet in the NT Control Panel. If "Remote Explorer" is listed as a service, the system is infected. If Task Manager (TASKMGR.EXE) shows IE403R.SYS or TASKMGR.SYS in the Processes tab, the system is infected.
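
The same two checks can be run over saved service and process listings. This is an added example, not part of the original description; it assumes the listings are text in the style of `sc query` and `tasklist /fo csv` output, and the sample input is constructed.

```python
import csv
import io

# Indicators taken from the Recognition section above.
SERVICE_DISPLAY_NAME = "remote explorer"
PROCESS_IMAGES = {"ie403r.sys", "taskmgr.sys"}

def service_display_names(sc_query_text):
    """Extract DISPLAY_NAME values from `sc query`-style text."""
    names = []
    for line in sc_query_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "DISPLAY_NAME":
            names.append(value.strip())
    return names

def process_images(tasklist_csv_text):
    """Extract image names from `tasklist /fo csv`-style text."""
    rows = csv.reader(io.StringIO(tasklist_csv_text))
    next(rows, None)  # skip the header row
    return [row[0].strip() for row in rows if row]

def remexp_findings(sc_query_text, tasklist_csv_text):
    """Return matched indicators; an empty list means none were seen."""
    findings = []
    for name in service_display_names(sc_query_text):
        if name.lower() == SERVICE_DISPLAY_NAME:
            findings.append("service: " + name)
    for image in process_images(tasklist_csv_text):
        if image.lower() in PROCESS_IMAGES:
            findings.append("process: " + image)
    return findings

# Constructed sample input, not captured from a real system.
# "ExampleSvc" is a placeholder; the page gives only the display name.
SAMPLE_SC = """SERVICE_NAME: ExampleSvc
DISPLAY_NAME: Remote Explorer
        STATE              : 4  RUNNING
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"taskmgr.exe","312","Console","0","1,204 K"
"IE403R.SYS","344","Console","0","2,048 K"
'''

if __name__ == "__main__":
    print(remexp_findings(SAMPLE_SC, SAMPLE_TASKLIST))
```

The legitimate TASKMGR.EXE image is not flagged; only the two .SYS process names and the service display name are matched, case-insensitively.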

Targets of infection:
RemExp scans local and shared remote drives, looking for EXE files to infect. It compresses the host files, so they are no longer functional. When an infected file is run, the virus decompresses the original file into a temporary file, runs it, and then deletes it.

How infection works:
The virus does not infect files as they are executed. Instead, it searches for files randomly every ten minutes. The infection routine runs with much higher priority outside working hours.
