Anti Virus Software &Home Pages

Back to Web Utility Pages
Back to the Lauderdale County Homepage
To the Windows 3.x Anti-virus Files
How to Deal with: 
Viruses online and offline
FAQ for Virus and 
Submit a question for the FAQ
"Happy99" email attachment virus info
All local copies linked to here are for Win95 unless noted
Download Calculator now available to figure approximate download times
Navigation Table
McAfee Antivirus
Norton Antivirus
Dr. Solomon
Thunderbyte
F-Secure
PC-cillin 95*
CarmelAnti-Virus*
Download Calculator
Plugins and Trojans
    *Local copy Not Available- Home Page Link

 
 

McAfee Anti-Virus 
Programs, DATS and Utilities

Version
Size
Date
3.1.9
4835 KB
08/13/98
4.0.2
8511 KB
12/26/98
Virus Definition Updates( .DAT Files)
Version 2.x
Version 3.x
Version 4.x
Dat-9803.Zip
March 98
443 KB
This is the last one for version 2.x
dat-3205.zip
June 11, 1999
1817 KB


4048updt.exe
October 23, 1999
1802 Kb
Utility
Microsoft Excel File Scanner- For Macro Viruses
Virus Scanner for MS Excel Files 426KB 02/12/98

Download Calculator
[Tested to work only with Netscape 3 or above or Internet Explorer 4 or above]

Internet File Transfer Calculator
(requires Javascript)

Round file size to even kilobyte (KB), megabyte (MB) or gigabyte(GB).
Input size and click the appropriate  button.

These are Approximate transfer times

 Your Speed Hours  Minutes  Seconds
9.6 Kb
14.4 Kb
28.8 Kb
33.6 Kb
ISDN (64 Kb)
ISDN (128 Kb)
T1 (1.54 Mb)


 

Norton Antivirus
Home Page

Version
Size
Date
 Norton 32
2185 KB
02/13/98
Norton AV 95 ver 2.01
2014 KB
02/13/98
Norton AV  5.0
30 day trial version
11906 KB
09/01/98
Norton Internet Security 2000 and Norton Anti-Virus 2000
30 day trial version
47559 KB
02/22/2000
Virus Definitions update
Versions
Size
Date
Pre-Version 5.0 Norton Virus 
Definitions update
1975 Kb
February '98
[these are now handled with "Live Update"]
Dr. Solomon's Antivirus Toolkit
Home Page
Version
Size
Date
Find Virus
for Windows 95
3194 Kb
02/13/98
Virusscan Command Line
4.02
2979 KB
04/10/99


ThunderByte AntiVirus
Home Page

Version
Size
Date
Windows 95 version 8.01
1005 KB
02/12/98


F-Secure Antivirus
Home Page

Version
Size
Date
Windows 95
5.48 MB
04/10/99
Windows 98 Plugin Viruses and Trojans- Windows 98 changes some of the networking abilities of Windows 95, making the configuration much simpler. On the face of it that appears to be a good thing, but it also allows for small server programs to be installed  in the system allowing remote users access and user priviledges to a PC connected to the Internet. The programs listed below are supposed to clean the registry settings that allow this and are listed by the name of the plugin virus.
Plugin
Size
Date
Netbus
151 KB
01/04/99
Back Orifice can be detected and removed with Norton Antivirus 5.0 as it is on the server here!
This Information courtesy Symantec's website:


Description: 
BackOrifice.Trojan is a program or applet that may cause detrimental affects to your system and should be deleted. 

Additional Comments: 
This is NOT a virus but a Trojan Horse program that may jeopardize your system's security. If a firewall is being used, your system should remain secured. Delete this file and its Win95 registry entry.

This Information courtesy Network Associates website:


   Virus Profile 

McAfee Online : Support : Virus Information Library 
Virus Name 
Back Orifice 

Date Added 
11/24/98 1:43:00 PM 

Virus Characteristics 
This is a software for remote computer control. It consists of two components - a server program and a client program. There are two types of client - command line driven and GUI. When the server program is run on a Windows95/98 machine, it copies itself to the local disk under the name " .exe" (first character is space, size is 124928 bytes) and installes a reference to that file in the registry so that it is run every time the machine restarts. The program hides its own presense - it is not visible as a task although it is running permanently in the background awaiting for commands comming from the client through the network. After the server program is installed on a computer, the person controlling the client has remote control over the machine running the server program. This requires both machines to be connected to the Internet. This control includes recording the keystrokes pressed, restarting or hanging the machine, running, accessing, modifying and transferring files. It can also transmit screenshots. The Orifice software is functionally very similar to Netbus software of the same kind. There are also many commercial programs for remote control (like Carbon Copy, SMS, PC-Anywhere) and the only substantial difference is that Orifice software tries to conceal its presence when active. The software also has a program to reconfigure the server application. Filename, TCP/IP port, registry key, password for client-server data exchange and additional DLL can be configured. 
 

 

Remote Explorer & Picture.exe are handled by McAfee Antivirus 4.02 with the most recent virus definitions installed
 This Information courtesy Symantec's website:

Description: 
This virus targets the Windows NT platform. It infects executable files on an infected WinNT machine as well as executable files on attached network drives. 

If a user with administrator privileges executes an infected program, the virus installs itself as a service called "Remote Explorer". The virus-installed service resides on the infected system as the file "IE403R.SYS" in the "\WinNT\System32\drivers" folder. On weekdays between 6AM and 3PM, the virus sets its thread priority to the lowest setting. On weekdays between 3PM and 6AM and on weekends, the virus sets its thread priority to one step above the lowest setting. Thus the virus becomes more active during "off-work" hours. This service also creates a process named TASKMGR.SYS every 10 minutes or so. 

The virus can infect files on attached network drive(s) over a Win-NT network provided another WinNT machine, with an identical admin-user log on to it, log on to the infected WinNT machine where the viral-service is running. When activated, the infection routine picks a directory at random on the shared drive(s) on one of the attached network drives. It proceeds to infect the EXE files in the chosen directory, and except for files with the extension .DLL or .TMP, it encrypts the remaining files in the directory. In infecting EXE files, the virus does not check if the file is Win32 or not; thus, some DOS EXE will get infected too. Since an infected EXE file is over 150K larger than the uninfected file, the infection is obvious. 

When infecting a Win32 EXE file (host), the virus creates a viral Win32 EXE file to replace the host. It adds the host's icon(s) into the infected file's ICON resource section, and it adds the GZIP-compressed host program into the infected file's RCDATA resource section. The infected file also carries a GZIP-compressed of PSAPI.DLL and a GZIP-compressed copy of the viral service module (IE403R.SYS) in its RCDATA resource section. The GZIP-compressed host is extracted into a temporary directory when an infected file is executed; the virus passes control to the extracted host after it runs its viral code. 

In the other Windows platforms, the virus does not work. In Windows 95, executing an infected file will give an error message about a missing DLL export. In Windows 98, executing an infected file will execute the host file but does not install the NT-specific viral service. 

Payload: 
The virus encrypts other files, except DLL and TMP files, in a directory that it chooses to infect. The encrypted file is GZIP-compressed and encrypted with a custom encryption. 

Repair Notes: 
 

IE403R.SYS and TASKMGR.SYS need to be deleted. You can remove the "Remote Explorer" service by rebooting to DOS and deleting IE403R.SYS from DOS. 

IE403R.SYS is in SYSTEM32\DRIVERS subdirectory of WinNT directory. TASKMGR.SYS is in WinNT directory. 

You can also download the stand-alone REREMOVE tool from SARC download web site to remove the virus-installed service and to inoculate the system. 

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage: 
      http://www.symantec.com/avcenter/download.html

Write-up by: Raul Elnitiarta and Darren Chi 
December 28, 1998 

 

This Information courtesy Network Associates website:


Remote Explorer 

This info last updated 12/30/98 

Discovered at customer site on December 17, 1998. 
Primarily targets Microsoft Windows NT Servers and Workstation systems. 
The virus is memory resident, encrypts EXE, TXT, and HTML files. 
Spreads through a LAN/WAN environment. 

Indications you are hosting the virus: 

Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected. 
Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected. 
Virus Characteristics 

Remote Explorer Ė the most outstanding characteristics is that it can move/transport itself without typical user intervention (passed on floppy, via email) and replicate. 

It is the first infection program that spreads on either NT Servers, and/or NT Workstations. It does so by compressing the target executable. 
The virus installs itself on a system by creating a copy of itself in the NT Driver directory and calls itself IE403R.SYS. It also installs itself as a service with the name "Remote Explorer". It also carries a DLL that supports it in the infecting and encryption process. 
Preliminary analysis tells us that Remote Explorer spreads by stealing security privileges of the domain administrator, which allows it to propagate to other Windows systems. Once there it infects files and compresses them in addition to encrypting data on a random basis.
Windows NT is the primary method for the continued spread of this virus. Other Windows operating systems can host infected files, but the virus can not spread further on these platforms. 
Can infect any EXE and when doing so uses a compression routine (a.k.a. GZIP, a UNIX based program) to make the file unusable. 
It uses an encryption algorithm on data files including TXT and HTML formats. It appears to choose a directory randomly, and infects files that meets the criteria it has set, and encrypts others that it canít infect. 
It is a 125-kilobyte file infector, comprised of approximately 50,000 lines of code. This is an extremely large and complex virus. 
Written in "C", an initial estimates is that it took one-person 200 or more man-hours to write and that person(s) used others to gain the knowledge and obtain additional precompiled code. 
It goes Memory Resident. A utility called RESCAN.EXE is available as RESCAN.ZIP from http://beta.nai.com/public/stand_alone. Thus the infected system can be cleaned without powering down when using RESCAN.EXE. It is a command line utility with optional parameters. Also detection is available in the latest HRLYDATS.ZIP and in the 3201 QA approved .DAT set for VirusScan v3.x; removal is only available via RESCAN.EXE. 
It carries a DLL with it to support it in the infection process. If the DLL is deleted it will make another copy. 
The virus has a time routine, which is designed to speed up the search and infection process during the period of 3:00 PM on any Saturday to 6:00 AM the following Sunday. 
The virus has no payload. 
The virus also has some interaction with the Dr. Watson program. Importance of this interaction is still under investigation. 
RESCAN.EXE can remove the encryption from the data files or decompress the infected files. RESCAN.EXE can remove it from memory without a reboot, remove the virus as a service, clean and repair the encrypted data files, and infected executables. Obtain RESCAN.ZIP from http://beta.nai.com/public/stand_alone. It is a command line utility with optional parameters. Also detection is available in the latest HRLYDATS.ZIP and in the 3201 QA approved .DAT set for VirusScan v3.x; removal is only available via RESCAN.EXE. 
 

Products available to users for protection against the "Remote Explorer" infection 

Virus signature updates are available for version 4.x , version 3.x and version 7.x engines. These signature updates DETECTION but do not clean/remove Remote Explorer. This will allow you to quarantine infected EXE and data files. 

The first 4.x engine products for VirusScan and NetShield NT have also just been released. Links are included to these products for reference. If you have already installed these products there is no reason to re-install. If you have not and are marshalling your network administrators to protect against this threat, we encourage you to move to this version. 

 


This page is designed and written by John Jenkins. If there are any questions or other issues about the content, email me, and I will deal with it in a timely manner. If specific help is requested an email address with an lctn.com or ecsis.net domain is required. As with all programs on the internet, you, the downloader, assumes all risk of file damage or viruses that these or any programs may contain that are received over the internet. Neither CSS, ECS, nor the author will be responsible for any damage done by any program received over the internet. Please note this includes programs that are virus free but may cause problems with other programs on your computer and programs that simply won't run right on a particular machine. 

Updated Tuesday, February 22, 2000