WinNT:RemExp
The RemExp virus was found at one large US company in December 1998. It is the first virus that stays resident as an NT system service when executed with administrator privileges. It infects Windows executable files (PE) and is able to spread over the local NT network when the administrator is logged in.
Recognition:
To determine whether the RemExp service is active, you can use the
Services applet in the NT Control Panel. If "Remote Explorer" is
listed as a service, the system is infected. If Task Manager (TASKMGR.EXE)
shows IE403R.SYS or TASKMGR.SYS in the Processes tab, the system is infected.
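The same check can be run over service and process listings collected from many hosts. The following is an added example, not part of the original description: it assumes the listings were saved as `net start` output (started services only) and `tasklist /fo csv` output, and the function names and sample text are constructed for illustration.

```python
import csv
import io

# Indicators taken from the Recognition text above.
SERVICE_NAME = "remote explorer"
PROCESS_NAMES = {"ie403r.sys", "taskmgr.sys"}


def started_services(net_start_text):
    """Return lower-cased display names from `net start` output."""
    names = []
    for line in net_start_text.splitlines():
        # Service names are the indented lines; header and footer are not.
        if line.startswith(" ") and line.strip():
            names.append(line.strip().lower())
    return names


def process_images(tasklist_csv):
    """Return lower-cased image names from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [row["Image Name"].strip().lower() for row in rows]


def remexp_findings(net_start_text, tasklist_csv):
    """List which of the page's RemExp indicators a host shows."""
    findings = []
    if SERVICE_NAME in started_services(net_start_text):
        findings.append("service: Remote Explorer")
    for image in process_images(tasklist_csv):
        if image in PROCESS_NAMES:
            findings.append("process: " + image.upper())
    return findings


# Constructed sample output, not captured from a real host.
SAMPLE_NET_START = """These Windows services are started:

   Alerter
   Remote Explorer
   Workstation

The command completed successfully.
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","204","Console","0","4,120 K"
"IE403R.SYS","311","Console","0","1,008 K"
'''

if __name__ == "__main__":
    print(remexp_findings(SAMPLE_NET_START, SAMPLE_TASKLIST))
```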
Targets of infection:
RemExp scans local and shared remote drives. It looks for EXE files
and infects them. It compresses the host files, so they are no longer
functional. When an infected file is run, the virus decompresses the original
file into a temporary file, runs it and then deletes it.
How Infection works:
The virus does not infect files as they are executed. Instead, it searches
for files randomly every ten minutes. The infection routine runs with much
higher priority during non-working hours.



