blarg?

A couple of hundred people have read my SystemNT fix, which makes me feel good. The fact that I had to write it at all doesn’t, but that’s life; as a Windows administrator I am convinced, much like those lunatic anorexics, that having to reboot thirty or forty times a day isn’t a “disease”; it’s actually a “lifestyle choice”.

I’ve got to tell you, though, that I’ve had to read this sentence an awful lot recently:

Important Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.

Really. Great.

Dear Microsoft: Fuck you, too. I’m running production machines here, and if I install a beta service pack on my production machines, I’m sure that knowing that they are not at risk from this particular threat will be a great consolation to me while I’m sitting at home without a job.

A printable version of these instructions is now available here. It was last updated June 28, 12:15 PM EST.

This blog entry and that document will be updated whenever new information is available.

Two machines at work today have been infected with something that I can’t find any documentation about. The symptoms, for us, are pornographic IE popups and a system that quickly bogs down to an unusable crawl. Other reported symptoms include increased activity on port 445 and missing administrative or hidden shares (any shares with “$” in their names) from servers.

The culprit seems to be a program called “systemnt.exe”, which you’ll be able to find in c:\windows\system32\ where it is concealed as a system/hidden/readonly file. There are a raft of registry keys pointing at that program, all of which are quickly reinserted into the registry if they’re deleted while it’s running. It won’t show up with a simple file search.

It was discovered running on two machines, one Windows 2000 Server and one XP Pro, both of which were fully patched as of about a week ago. On the 2000 machine, it couldn’t be shut down even in safe mode, because somebody (God, I wish I knew who) was logged in as administrator and, well, apparently something bad happened.

I don’t know what the infection vector is, or fully understand what’s going on. I’m not an expert at this security analyst gig; I might be a talented amateur.

I’m currently terrified.

I was doing this whole WinAdmin job during the CodeRed, MSBlast and Sasser breakouts, and I hated every minute of it. I’d like to think that I’m being paranoid, but this smells like something new, and something that’s going to get ugly very, very quickly.

Boy, being wrong about this would feel great.

UPDATE: Systemnt.exe is a backdoor trojan and worm that exploits several known security holes in NT-based systems to install itself remotely. Once you find out that it’s running on a system, you must not log in to that machine as administrator directly. If you do, the program will use your privileges to install itself as a service, which will be running as LocalSystem (the most privileged local account there is) after the next reboot. Instead, follow these steps:

  1. Log the user out and restart the computer.
  2. Hit F8 after the BIOS posts, to get into the Windows boot menu.
  3. Choose “Safe Mode With Command Prompt”
  4. From the command prompt, type:
    cd c:\windows\system32\
    attrib -s -h -r systemnt.exe
    del systemnt.exe

    (On a default Windows 2000 install the system directory is c:\winnt rather than c:\windows; cd %SystemRoot%\system32 lands you in the right place on either. The attrib step is not optional: del refuses to remove a file that is still flagged system, hidden or read-only.)
  5. Reboot and log in as administrator normally.
  6. Run RegEdit, search for “systemnt.exe” and delete all registry entries you find. The critical ones are:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    

    In each of these, you need to remove this entry:

    "Microsoft Update Manager"="systemnt.exe"
  7. Close RegEdit and reboot.
  8. Log in as administrator normally.
  9. Under Control Panel, System, find the System Restore tab and turn off System Restore (Windows XP only; Windows 2000 has no System Restore). If you don’t, a restore point can hand the file right back to you, and the problem will likely come back.
  10. Run a full Windows Update (open www.windowsupdate.com with IE) and install all of their critical patches.
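As an added example (not part of the original post, and not a tool from McAfee, Microsoft or anyone else mentioned here), this PowerShell script audits a box for the persistence described in the steps above and, with -Remove, carries out steps 4 and 6 from a Safe Mode prompt. Everything it looks for is taken from the post: the file name, the three Run keys and the “Microsoft Update Manager” value. It assumes PowerShell is installed, which it never was for Windows 2000; there, the cmd steps above remain the procedure. It also checks for the two things the post warns about after the fact: a service whose binary path points at the file, and the administrative shares going missing.

```powershell
<#
  Added example, not from the original post. Audits (and with -Remove, cleans
  up) the systemnt.exe persistence described above. Run from an elevated
  PowerShell prompt in Safe Mode:
      .\Audit-Systemnt.ps1           (report only)
      .\Audit-Systemnt.ps1 -Remove   (delete the file and the Run values)
  Assumed from the post: the file name, the value name and the three Run keys.
#>
param([switch]$Remove)

$FileName  = 'systemnt.exe'
$ValueName = 'Microsoft Update Manager'
$RunKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$Pattern = [regex]::Escape($FileName)

# 1. Never touch the registry while the process is alive: the post reports that
#    deleted Run values are re-created immediately as long as it is running.
$running = Get-Process -Name 'systemnt' -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning "systemnt.exe is running (PID $($running.Id -join ', ')). Reboot into Safe Mode first. Nothing changed."
    exit 1
}

# 2. The dropped file. -Force is required or Get-Item skips hidden/system files;
#    $env:SystemRoot is C:\WINNT on Windows 2000 and C:\WINDOWS on XP.
$path = Join-Path $env:SystemRoot "system32\$FileName"
$file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if ($file) {
    Write-Host "FILE    $path  [$($file.Attributes)]  $($file.Length) bytes"
    if ($Remove) {
        $file.Attributes = 'Normal'            # same effect as attrib -s -h -r
        Remove-Item -LiteralPath $path -Force
        Write-Host "REMOVED $path"
    }
} else {
    Write-Host "FILE    $path not present"
}

# 3. Run-key persistence. A value is flagged if it carries the name the post
#    lists OR its data mentions the file, so a renamed value is still caught.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell's own note properties
        if ($p.Name -ne $ValueName -and "$($p.Value)" -notmatch $Pattern) { continue }
        Write-Host "RUNKEY  $key\$($p.Name) = $($p.Value)"
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name $p.Name
            Write-Host "REMOVED $key\$($p.Name)"
        }
    }
}

# 4. If someone did log in as administrator, the post says it installs itself as
#    a service. Report any service whose binary path references the file; it is
#    left in place so the operator can inspect it before running sc delete.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $Pattern } |
    ForEach-Object { Write-Host "SERVICE $($_.Name) ($($_.State)) -> $($_.PathName)" }

# 5. Symptom check from the post: the administrative shares going missing.
$shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
foreach ($s in 'ADMIN$', 'C$', 'IPC$') {
    if ($shares -notcontains $s) { Write-Host "SHARE   $s is missing (present on a healthy NT box)" }
}
```

Run it once without -Remove and read the report before running it again with -Remove; the process check at the top is there because deleting the Run values on a live system only gets them put straight back, and the service and share checks are deliberately report-only, since those are the cases where the post says to stop trusting the machine anyway.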

Until the effects of this program are fully understood, infected machines should not be trusted; right now a bare-metal reinstall is the only way to be certain that your systems are not still compromised.

An earlier version of this document provided a proposed fix using McAfee AV version 7, and said that you could prevent reinfection by checking the “Unwanted programs” and “Joke programs” options in the “On Access Scan Properties” dialog. That suggestion has been verified to be incorrect and has been removed. However, McAfee has recently updated their .DAT files, and any machine that has been updated on or after June 28th should be protected.

As of June 28th, the latest updates from all major antivirus vendors should include protection against systemnt.exe.

If you have more information, or another technique that works, please leave a note in the comments. Again, a printable version of this information is available here.

Last week, again, I spent a few hours throwing a frisbee around on Parliament Hill. Sean and I met a few other players, and we played a few points of pick-up before heading off to dinner. That night there were a few hundred kids around, junior-high I think, and Sean and I threw with them for a little bit too. I’m sometimes out there after dark, but this time we got there around 7:30. It was a great night, not too hot, and with a tiny bit of breeze pushing around the handful of clouds in the sky.

At some point I looked up at the Peace Tower, and for a moment I was struck by the enormity of what I and a few hundred other people from all over the world were very casually doing: wandering around on the lawn in front of the seat of Canada’s political power, enjoying a beautiful summer afternoon without a care in the world. There were a few RCMP cars around, up at the front doors of Parliament and around the periphery, and every now and then one would drive around the ring road and look around, and that was it.

One of the tour guides was explaining the Eternal Flame and its significance to a group of those kids, but he also said that even though they call it the Eternal Flame, they do have to shut it off twice a year for routine maintenance. For some reason, that struck me as well; the guide didn’t tell the kids an uplifting, patriotic fabrication. He said “This is the way we like to tell the story, but you should also know the way it really is”. And for some reason, the fact that the Eternal Flame in front of the Peace Tower needs biannual maintenance seemed like a profound truth, and a way better thing to tell the kids than some elegant, inspirational lie.

It occurred to me then that the most important right we enjoy might be the right to live as though we are not afraid. Not of the government or the police, not of nebulous, undefined (though, strangely, color-coded) threats and not of each other. Everything else, the freedoms to speak out, move around, engage in commerce or activism, they all fall out of that.

There is so much, so much social and physical infrastructure that needs to exist to support that freedom, from honest cops and a fair, uncorrupt justice system to reliable sewage systems and clean running water. A transparent electoral process and the confidence that a dropped brick won’t cave in a CSA-approved hard hat, or that this drug I’m taking for my headaches isn’t going to give me deformed children. A reliable electrical grid and the fact that I’ll never have to choose between giving my child a meal or a tetanus shot, and that when I am old, I will not be abandoned or forgotten.

Canada is a long way from perfect; some of the warts on my country are awfully ugly, and there’s plenty of work to be done, but a night like that fills me with optimism. There might be half a dozen countries in the world where you can walk around on the front lawn of the main government building, for no other reason than you’ve got a disc you feel like throwing around with your friend.

Today, the air is rank with the smell of justice.

Given the way the rest of the world is going, all that is about as uplifting as hanging air fresheners around Maidanek, but when all you’ve got is a nailgun every problem could be the second coming.

My schedule is as follows:

  1. Chinese food tonight, 9:00, Chu Shing. All are, as always, welcome.
  2. Kingston tomorrow night, very briefly, followed by a drive to Toronto, for the weekend.
  3. Nose back to the grindstone Monday morning.

If you’d like to be a party to any of these things, jump right in. I can only recommend the first two, though.

Folks, I’m not an international-calibre athlete, but I’ve got some important news for you that I urge, I exhort you to take to heart. Hold this advice to your bosom like a small child, and yet follow it like a papal edict. It will be worth your while, I promise.

Some of you might play a sport of some kind that involves a lot of running around. Some subset of you in that group, men especially, might wear compression shorts to the game, with the idea of avoiding some chafing, fending off cramping or, gentlemen, keeping everything in one place. As plans go, this one is without flaw.

However, some of you might come home in the evening from your chosen contest, fatigued from battle, and you might sit yourself down on your couch, to take the weight off of your abused feet, and the warm glow of the television might soon cause your eyelids to droop. And therein lies the danger, and the reason for today’s advice:

Heed me, my fellows. Pay close attention. Write this down if you have to: you must not, under any circumstances, fall asleep in your compression shorts.

It’s all bad. All of it.

Trust me on this one.

“I’m sorry to have written you a four-page letter”, the old saw goes, “but I did not have the time to write you a one-page letter.” Well, at the famous Ecole de la Grande Blarg, we strive every day to push back the limits of sensical narrative, straining metaphor to the breaking point and pushing platitudes past cliche and even absurdity until they disconnect from meaning completely. The day’s effort of distilling a chapter down to a single page is as nothing, a piffling use of our narrative might; today I am pleased to report that I have taken this process miles further than had previously been thought possible: I have taken a full week’s experiences, literally reams of fuming bile and florid invective, and distilled it down to its consequential essence: nothing at all.

Take that, pedants. Furthermore, Ha!

Today, I found out via Scientific American that Microsoft has assembled one of the biggest braintrusts the world of computers has ever seen.

That’s nice. I’ve heard a rumor that in Germany they have one long, elaborate compound word that means, roughly, “stabbed in the colon by a service pack.”

This week, Outlook (not even the hellspawned Outlook Express) fucked two of my users over in a way that’s almost completely undocumented (that Microsoft apparently doesn’t even know about). Yesterday, and I swear to God this is true, I had to rebuild an XP box from scratch because a toolbar was in the wrong corner of the screen when I shut it down, making logging in again impossible. If it had been in the other corner of the screen, I apparently would have been fine.

People ask me why I keep using Linux, enormous pain in the ass that it is, and it’s simple: at least I can change it. Microsoft products steal time from me over and over again in ways that are completely immutable and too stupid to forgive; little, counterintuitive things, like not being able to log out without closing Office first, and big ones like the fact that “repairing” and “reinstalling” are exactly the same thing, even if it’s a single problem registry entry or corrupted file. Obscure configuration options, counterintuitive, hidden or outright idiotic options, bizarre, outlandish error messages, half-assed documentation and, my God, a set of tools so clownish that my days feel like I’m trying to put out a fire with a bucket full of confetti.

I absolutely fucking hate it when things that used to be trivially easy become hard or impossible, and that gets called progress. I’m glad Microsoft is innovating; innovation is great, I love neat new things. But if the people implementing those shiny new toys are the same people they’ve got boning the process now, all that’s going to come out of it is a bunch of second-rate shiny knockoffs for which no originals exist.

This week has been a week of small optimizations and simple tools; for example, I have managed to grind my dental enamel into a fine powder, using only conversations with my coworkers and my own sunny disposition.

More on this later, perhaps when I’m seeing red because I’m moving away from this job at a very high velocity, instead of the reason I’ve got now.

Don’t forget, everyone: 9:00 tonight at Chu Shing. Everybody’s welcome.