NH&A Alerts


  • December, 1998 - PICTURE.EXE

    PICTURE.EXE is a TROJAN that does not have the capability to spread like a virus. This Trojan was reported late December 1998. The file attached to an email was named PICTURE.EXE.

    When PICTURE.EXE is executed it copies itself into the WINDOWS directory as NOTE.EXE. It also modifies the file WIN.INI in the WINDOWS directory, changing the "run" parameter to execute NOTE.EXE, so that NOTE.EXE is started automatically each time Windows is rebooted.

    When NOTE.EXE is run it checks for the existence of a file $2321.exe in the WINDOWS folder. If it does not exist, the program tries to create a temporary file on C:\ called file0001.chk. If this succeeds it builds a list of the .TXT and HTML files on the drive. The program repeats this for all drives (C:, D:, E:, etc.) until it reaches a drive on which it cannot create the temp file (usually the CD-ROM drive). The list of files is then written to the file $2321.dat, encrypted by adding 5 to each ASCII character. The program then exits.

    The next time NOTE.EXE is run (at the next system startup) the program reads the file list from $2321.dat and looks inside all the files listed. It then appears to build a list of URLs from the user's "C:\Windows\Temporary Internet Files" sub-directory and writes them to another file called $4135.dat, also in the WINDOWS folder. This file is also encrypted, this time by subtracting 5 from each ASCII character. The program then exits.

    If the user has AOL client software installed on the system, the program also looks inside "C:\AOL\IDB\MAIN.IDX", the file containing the user's cached username and password, presumably to send its contents to the program's author. It then attempts to send the files $2321.dat and $4135.dat to an email address in China.
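    The two data files described above are only trivially obfuscated, so a responder can read back what the Trojan collected and check WIN.INI for the persistence entry. The following is an added triage helper written for this alert, not code from NH&A or from the Trojan; it assumes the per-byte shift wraps modulo 256 (the alert does not say), that both lists are newline-separated text, and that the run= value is split on spaces or commas.

```python
import re

SHIFT = 5  # the constant the alert reports for both files


def shift_bytes(data: bytes, delta: int) -> bytes:
    """Add a constant to every byte. Wrapping modulo 256 is an assumption;
    the alert only states 'adding 5 to each ASCII character'."""
    return bytes((b + delta) % 256 for b in data)


def decode_file_list(data: bytes) -> list[str]:
    """$2321.dat was written with +5 per byte, so undo it with -5."""
    plain = shift_bytes(data, -SHIFT).decode("latin-1")
    return [line for line in plain.splitlines() if line]


def decode_url_list(data: bytes) -> list[str]:
    """$4135.dat was written with -5 per byte, so undo it with +5."""
    plain = shift_bytes(data, SHIFT).decode("latin-1")
    return [line for line in plain.splitlines() if line]


def win_ini_run_targets(win_ini: str) -> list[str]:
    """Programs named on the run= line of the [windows] section of WIN.INI.
    Splitting on spaces or commas is an assumption about the file format."""
    in_windows = False
    for raw in win_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and line.lower().startswith("run="):
            value = line.split("=", 1)[1].strip()
            return [p for p in re.split(r"[ ,]+", value) if p]
    return []


def note_exe_persisted(win_ini: str) -> bool:
    """True when the WIN.INI run= entry points at NOTE.EXE, as the alert describes."""
    return any(t.lower().endswith("note.exe") for t in win_ini_run_targets(win_ini))


# Constructed samples, not real artifacts: plaintext passed through the same shifts
SAMPLE_2321 = shift_bytes(b"C:\\DOCS\\README.TXT\r\nC:\\WEB\\INDEX.HTML\r\n", SHIFT)
SAMPLE_4135 = shift_bytes(b"http://www.example.com/\r\n", -SHIFT)
SAMPLE_WIN_INI = "[windows]\r\nload=\r\nrun=C:\\WINDOWS\\NOTE.EXE\r\n[Desktop]\r\nWallpaper=(None)\r\n"

if __name__ == "__main__":
    print("file list:", decode_file_list(SAMPLE_2321))
    print("url list:", decode_url_list(SAMPLE_4135))
    print("NOTE.EXE persisted:", note_exe_persisted(SAMPLE_WIN_INI))
```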

    Links to additional information:

    http://www.symantec.com/avcenter/venc/data/picture-exe-th.html
    http://www.nai.com/products/antivirus/picture_exe.asp
    http://www.sophos.com/downloads/ide/
    http://www.zdnet.com/zdnn/stories/news/0,4586,2187419,00.html
    http://www.zdnet.com/zdnn/stories/news/0,4586,2183935,00.html

  • December, 1998 - Remote Explorer

"Remote Explorer" is the first Windows NT virus that is able to run as an NT service. A service runs in the background and continues to operate even when nobody is logged on.

In order for the virus to spread automatically to other NT systems, it needs to be introduced by an administrator or through an account with administrator privileges. When the infected file is run, the virus copies a file named IE403R.SYS into the Windows NT drivers directory. It then installs and starts this file (which is infected with the virus) as a service called 'Remote Explorer'.

The virus may infect any EXE and can also use a compression routine (GZIP, a UNIX-based program) to make the file unusable. It applies an encryption algorithm to data files, including TXT and HTML formats. It appears to choose a directory at random, infects the files that meet the criteria it has set, and encrypts the others that it cannot infect.

It does not spread on machines running Windows 95 or any other operating system. The Remote Explorer virus is extremely rare, and the likelihood of infection is very low. At this time, only one company has been known to have been infected, and the virus has not been known to have been posted on any Internet sites or hacker BBSs.

Links to additional information:

http://www.nai.com/products/antivirus/remote_explorer.asp
http://www.symantec.com/avcenter/venc/data/remoteexplorer.html
http://www.antivirus.com/vinfo/security/sa122398.htm
http://www.datafellows.com/v-descs/rich.htm
