A printable version of these instructions is now available here. It was last updated June 28, 12:15 PM EST.
This blog entry and that document will be updated whenever new information is available.
Two machines at work today have been infected with something that I can’t find any documentation about. The symptoms, for us, are pornographic IE popups and a system that quickly bogs down to an unusable crawl. Other reported symptoms include increased activity on port 445 and missing administrative or hidden shares (any shares with “$” in their names) from servers.
The culprit seems to be a program called “systemnt.exe”, which you’ll be able to find in c:\windows\system32\ where it is concealed as a system/hidden/readonly file. There are a raft of registry keys pointing at that program, all of which are quickly reinserted into the registry if they’re deleted while it’s running. It won’t show up with a simple file search.
It was discovered running on two machines, one Windows 2000 Server and one XP Pro, both of which were fully patched as of about a week ago. On the 2000 machine, it couldn’t be shut down even in safe mode, because somebody (God, I wish I knew who) was logged in as administrator and, well, apparently something bad happened.
I don’t know what the infection vector is, or fully understand what’s going on. I’m not an expert at this
security analyst gig; I might be a talented amateur.
I’m currently terrified.
I was doing this whole WinAdmin job during the CodeRed, MSBlast and Sasser breakouts, and I hated every minute of it. I’d like to think that I’m being paranoid, but this smells like something new, and something that’s going to get ugly very, very quickly.
Boy, being wrong about this would feel great.
UPDATE: Systemnt.exe is a backdoor trojan, a worm that exploits several known security holes in NT-based systems to install itself remotely. Once you find out that it’s running on the system, you must not log in to that machine as administrator directly. If you do, the program will use your privileges to install itself as a service, which will be running as LOCAL_MACHINE after the next reboot. Instead, follow the following steps:
- Log the user out and restart the computer.
- Hit F8 after the BIOS posts, to get into the WinXP boot menu.
- Choose “Safe Mode With Command Prompt”
- From the comand prompt, type:
cd c:\windows\system32\ attrib -s -h -r systemnt.exe delete systemnt.exe
- Reboot and log in as administrator normally.
- Run RegEdit, search for “systemnt.exe” and delete all registry entries you find. The critical ones are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
In each of these, you need to remove this entry:
"Microsoft Update Manager"="systemnt.exe"
- Close RegEdit and reboot.
- Log in as administrator normally.
- Under Control Panel, System, find the system restore tab and turn off system restore. If you don’t, the problem will likely come back.
- Run a full Windows Update (open www.windowsupdate.com with IE) and
install all of their critical patches.
Until the effects of this program are fully understood, infected machines
should not be trusted; right now a bare-metal reinstall is the only
way to be certain that your systems are not still compromised.
An earlier version of this document provided a proposed fix using
Mcafee AV version 7, and said that you could prevent reinfection by
checking the “Unwanted programs” and “Joke programs” options in the
“On Access Scan Properties” dialog. That suggestion has been verified
incorrect, and been removed. However, McAfee has recently updated their
.DAT files, and any machine that has been updated on or after June 28th
should be protected.
As of June 28th, the latest updates from all major antivirus vendors
should include protection against systemnt.exe.
If you have more information, or another technique that works, please leave a note in the comments. Again, a printable version of this information is available here.