systemnt.exe

A printable version of these instructions is now available here. It was last updated June 28, 12:15 PM EST.

This blog entry and that document will be updated whenever new information is available.

Two machines at work today have been infected with something that I can’t find any documentation about. The symptoms, for us, are pornographic IE popups and a system that quickly bogs down to an unusable crawl. Other reported symptoms include increased activity on port 445 and missing administrative or hidden shares (any shares with “$” in their names) from servers.

The culprit seems to be a program called “systemnt.exe”, which you’ll be able to find in c:\windows\system32\ where it is concealed as a system/hidden/readonly file. There are a raft of registry keys pointing at that program, all of which are quickly reinserted into the registry if they’re deleted while it’s running. It won’t show up with a simple file search.

It was discovered running on two machines, one Windows 2000 Server and one XP Pro, both of which were fully patched as of about a week ago. On the 2000 machine, it couldn’t be shut down even in safe mode, because somebody (God, I wish I knew who) was logged in as administrator and, well, apparently something bad happened.

I don’t know what the infection vector is, or fully understand what’s going on. I’m not an expert at this security analyst gig; I might be a talented amateur.

I’m currently terrified.

I was doing this whole WinAdmin job during the CodeRed, MSBlast and Sasser breakouts, and I hated every minute of it. I’d like to think that I’m being paranoid, but this smells like something new, and something that’s going to get ugly very, very quickly.

Boy, being wrong about this would feel great.

UPDATE: Systemnt.exe is a backdoor trojan, a worm that exploits several known security holes in NT-based systems to install itself remotely. Once you find out that it’s running on the system, you must not log in to that machine as administrator directly. If you do, the program will use your privileges to install itself as a service, which will be running as LOCAL_MACHINE after the next reboot. Instead, follow these steps:

  1. Log the user out and restart the computer.
  2. Hit F8 after the BIOS posts, to get into the WinXP boot menu.
  3. Choose “Safe Mode With Command Prompt”.
  4. From the command prompt, type:
    cd c:\windows\system32\
    attrib -s -h -r systemnt.exe
    del systemnt.exe
  5. Reboot and log in as administrator normally.
  6. Run RegEdit, search for “systemnt.exe” and delete all registry entries you find. The critical ones are:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    In each of these, you need to remove this entry:
    "Microsoft Update Manager"="systemnt.exe"
  7. Close RegEdit and reboot.
  8. Log in as administrator normally.
  9. Under Control Panel, System, find the System Restore tab and turn off System Restore. If you don’t, the problem will likely come back.
  10. Run a full Windows Update (open www.windowsupdate.com with IE) and install all of their critical patches.
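When you have more than a couple of machines to check, step 6 is easier to audit from a registry export than by clicking through RegEdit on each box. The script below is an added example, not code from the original post: it parses a `.reg` file produced with `regedit /e` and reports every value that matches the indicators named above (the "Microsoft Update Manager" value under the three Run/RunServices keys, or any REG_SZ value whose data points at systemnt.exe). The sample export embedded in it is constructed for the demonstration.

```python
"""Scan a regedit export (.reg) for the systemnt.exe autostart entries.

Added example; not code from the original post.  It checks only the indicators
the post names: "Microsoft Update Manager"="systemnt.exe" under the three
Run/RunServices keys, plus any REG_SZ value anywhere whose data points at
systemnt.exe.  The export is assumed to come from regedit, e.g.

    regedit /e run-keys.reg "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

Regedit 5.00 writes .reg files as UTF-16 with a BOM, which is what the file
reader below expects; an older REGEDIT4-format export is plain ANSI text.
"""
import re
import sys

# The three autostart keys the post calls critical (long form, lower-cased for comparison).
WATCHED_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SUSPECT_VALUE_NAME = "microsoft update manager"
SUSPECT_FILE = "systemnt.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only REG_SZ lines ("name"="data") matter here; dword:/hex: values are skipped.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the .reg escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def _basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_systemnt_persistence(text):
    """Return sorted (key, value_name, data) triples that match the post's indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        watched = key.lower() in WATCHED_KEYS
        for name, data in values.items():
            if _basename(data) == SUSPECT_FILE or (watched and name.lower() == SUSPECT_VALUE_NAME):
                hits.append((key, name, data))
    return sorted(hits)


# Constructed sample export for the demonstration (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Update Manager"="systemnt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Manager"="systemnt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:   # regedit 5.00 export
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for key, name, data in find_systemnt_persistence(text):
        print(f'{key}\n    "{name}"="{data}"')
```

Run it with no argument to see it flag the two entries in the constructed sample, or pass the path of an export taken from a suspect machine. Matching on the file name as well as on the value name catches the case where the worm has been re-registered under a different value name but still points at systemnt.exe, which is what the post's "delete all registry entries you find" step is after.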

Until the effects of this program are fully understood, infected machines should not be trusted; right now a bare-metal reinstall is the only way to be certain that your systems are not still compromised.

An earlier version of this document provided a proposed fix using McAfee AV version 7, and said that you could prevent reinfection by checking the “Unwanted programs” and “Joke programs” options in the “On Access Scan Properties” dialog. That suggestion has been verified as incorrect and removed. However, McAfee has recently updated their .DAT files, and any machine that has been updated on or after June 28th should be protected.

As of June 28th, the latest updates from all major antivirus vendors should include protection against systemnt.exe.

If you have more information, or another technique that works, please leave a note in the comments. Again, a printable version of this information is available here.

24 Comments

  1. Guillaume
    Posted June 24, 2004 at 1:02 am | Permalink

    You know, I’ve had a few problems with things like that and there’s one thing that always helped me. http://www.lavasoftsupport.com Usually, when I have an unsolvable problem that has to do with spyware or malware, they always manage to solve my problem. And also I usually submit the application that causing the problem so that in the next patch, other people that are having the same problem with have it alleviated.

    So in other words, just use adaware, it’s free, it’s relatively fast, and quite effective. Thanks to adaware, spybot S&D, spy sweeper, AVG Antivirus, and BlackIce, I’m now officially paranoid and spyware/malware free.

    Oh, and if you think this is bad, wait until some of these genetic viruses I’ve been hearing about get out and fast enough. It’s going to be one hell of a ride!

  2. Mike Hoye
    Posted June 24, 2004 at 1:18 am | Permalink

    I should have mentioned this: as of last night, with up-to-date files, none of AdAware, Spybot S&D and Spy Sweeper or McAfee’s Enterprise Edition software picked this up.

    More news as news is warranted.

  3. Posted June 24, 2004 at 3:00 am | Permalink

    Hmmm… this sounds curious. If it’s not too much trouble, do you think there’s any way I could nab a copy of the executable? I’d like to take a peek within to see if it matches up with anything being mentioned on the usual security-related mailing lists.

  4. SysAdm
    Posted June 24, 2004 at 7:14 pm | Permalink

    I would like to thank you for posting this info.

    I had a similar issue. It all started yesterday when I started seeing lots of activity on port 445 from VPN users; since that is the port used by the virus, I started shutting down the ports and informing them to patch and look for the virus.

    Running AV and all spyware tools got me nothing, and even after patching they were still flooding the network (because they were infected, what? I have no clue).

    Today I had a chance to look at one machine and noticed systemnt.exe, which was in Run and Task Manager as well as running as a service. A quick search on Google got me here and wow, got the info and cleaned up.

    Thanks once again for sharing this unknown piece of info.

  5. Mike Hoye
    Posted June 24, 2004 at 7:36 pm | Permalink

    I’m glad that Google’s picked it up. It doesn’t seem to be doing that reliably yet, but it shouldn’t take long.

  6. Salty
    Posted June 24, 2004 at 7:40 pm | Permalink

    Great stuff gents, found several systems running this creepy crawler! Neither Ad-Aware nor Spybot saw her coming, but she got us! 10 systems and still cleaning, not sure yet the 100% method of stopping further infections… Keep the string going, we’ll find it soon…

  7. Creeper
    Posted June 24, 2004 at 9:29 pm | Permalink

    This post is much appreciated. No other documentation could be found, and our symptoms matched yours exactly. We had already patched and ran ad-aware and other malware scanners. So far the fix is keeping them from broadcasting wildly. It seems to have spread quickly though, had about 20 systems with this CRAP! Enough with the Gay porno popups!

  8. Anonymous
    Posted June 24, 2004 at 10:32 pm | Permalink

    Check out housecall.trendmicro.com to run a free online scan. Trend detects it as a NASTY new virus, called worm_rbot.da. The description fits perfectly so this might be the beast. Check the Windows Update patch level of ALL the machines on your network.

    I hope it can’t do all the stuff listed in their technical notes…

  9. Mike Hoye
    Posted June 24, 2004 at 11:38 pm | Permalink

    Thank you, Anonymous.

  10. Jesse
    Posted June 25, 2004 at 1:27 am | Permalink

    Put a systemnt.exe file in the C:\Winnt\system32\ folder or in C:\Windows\system32\ depending on the OS. Make the file Read Only or remove all permissions from it.

  11. sysadm
    Posted June 25, 2004 at 12:56 pm | Permalink

    Check this out. Update2

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.DA&VSect=T

    Check this out. Also, all AV vendors have an update for this new virus, but they are still not available to the general public. Ask them if you are infected; I got it from my AV vendor.

  12. Mike Hoye
    Posted June 25, 2004 at 1:47 pm | Permalink

    Thank you, Jesse and Sysadm.

  13. Jesse
    Posted June 25, 2004 at 5:52 pm | Permalink

    Did it work? I’ve been doing the same god-damn thing all day, all my computers have been infected in one way or another. We already submitted the virus to symantec, and there is only another site on the net about this. I’m posting to that one too, I need to get rid of this shit!

  14. Mike Hoye
    Posted June 25, 2004 at 6:02 pm | Permalink

    Replacing systemnt.exe with an empty placeholder doesn’t work quite right, but it does prevent reinfection. Right now, the only thing that has worked for me is to follow the list I’ve got up there, and then do a full Windows Update.

  15. sysadm
    Posted June 25, 2004 at 7:12 pm | Permalink

    Update3

    Norton AV’s latest update is catching this worm. If you are using McAfee, they have a beta DAT for this. Most AV vendors are able to identify and clean.

    Btw, anyone aware of how it’s spreading? My guess is an unpatched IE vuln, as I have seen a fully patched machine with AV getting infected.

    Check this out

    http://news.com.com/2100-1002-5229707.html?tag=yt

    Looks like he is talking about the same, any one seen redirection to i-Lookup.com site ?

  16. Road Rage
    Posted June 25, 2004 at 7:29 pm | Permalink

    Not to stand in line to pat you on the back, but your blog saved my azz today, Thanks!

    I too blocked out port 445 TCP outbound, and also shunned the addresses that the traffic was destined for. I have uploaded to http://www.virustotal.com for analysis:

    Virus Total
    _______________________________________________

    Scan results
    File: systemnt.exe
    Date: 06/26/2004 01:14:54
    —-
    BitDefender 7.0/20040625 found [Backdoor.SDBot.JK]
    eTrustAV-Inoc 4641/20040624 found nothing
    F-Prot 3.14e/20040624 found nothing
    Kaspersky 3.0/20040626 found [Backdoor.Rbot.gen]
    McAfee 4369/20040624 found nothing
    NOD32v2 1.795/20040625 found [probably unknown CRYPT.WIN32]
    Panda 7.02.00/20040625 found nothing
    Sybari 7.50.1138/20040625 found [Worm.RBot.AG]
    Symantec 8.0/20040625 found [W32.Spybot.Worm]
    TrendMicro 1.00/20040625 found [WORM_RBOT.DA]

    Big-Bucket-O-Props and keep the 411 coming!

  17. Mike Hoye
    Posted June 28, 2004 at 12:36 pm | Permalink

    Thank you, sysadm and Road Rage.

    I’ve just updated this entry and its printable companion for what I hope will be the last time. The fix works, and doing the Windows Update rain dance prevents reinfection. So I think that we’ve managed to beat this one down.

    I’m grateful for all the help I’ve received here and in e-mail. Thanks again, everyone.

  18. Jesse
    Posted June 28, 2004 at 1:15 pm | Permalink

    Does anyone have Djookpbm.exe running? For some reason, when this problem started happening, Djookpbm.exe started giving me problems as well…

    Le’me know

  19. Sysadm
    Posted June 28, 2004 at 2:07 pm | Permalink

    Ok guys, this one is history but I found a NEW ONE. Update4: In another part of the company we were battling with another UNKNOWN and new virus. The file in question is vsmon.exe and around 92 KB (the same exe used by Zone Alarm), but this one is malicious. It scans for one of the IRC servers and once connected starts to scan on port 135. You should see high activity on tcp port 135. NO AV has the cure for it as of today. Anyone out there facing the same?

  20. Road Rage
    Posted June 28, 2004 at 2:13 pm | Permalink

    I just looked at an infected machine, but did not see any file that resembles “djookpbm.exe”. Two other things that have been useful: we have been using the “kill” tool from the resource kit instead of booting to safe mode, and we have also noticed that some development servers who do not have the latest SP, but do have some security controls, have not been infected. Another big help has been to create an access list applied to outbound that restricts tcp 5555. This is yet another good example why “policy of least principle” helps. Many AV vendors claim they will release an update/fix by EOD.

  21. Jesse
    Posted June 28, 2004 at 6:21 pm | Permalink

    Last time I did a search for djookpbm.exe there was nothing about it; now I believe this page should come up. Symantec caught it with the virus name backdoor.berbew.F and while it didn’t kill it when it caught it, once I rebooted it quarantined the selection. I did not delete the file so that I would have it documented (sort of), but the new (6/25/2004) definitions got it.

    J

  22. Anonymous
    Posted June 30, 2004 at 11:54 pm | Permalink

    First, a big thank you to Mike for this resource. You’ve provided a great public service by posting the removal instructions online. Now that we know how to kill this bug… has anyone studied or dissected it? I took an infected box and put it on a test network (not connected to the Internet). Firewall logs showed that the bug was randomly scanning port 445 in the last 2 octets of the infected PC’s network. Ethereal showed it was also attempting to open an outbound connection on port 5555 to a remote server (IRC maybe? I’m no whiz at ethereal). And openports showed it was listening on port 113. Scary, but fascinating. Any computer forensics folks out there?
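The two network behaviours this comment reports, a tcp/445 sweep of the infected host's own /16 and a single outbound tcp/5555 connection, are exactly the kind of thing a firewall or router connection log will show you before any scanner has a signature. The script below is an added example, not code from the post or from any commenter: it runs that detection logic over connection-log lines. The log format and the sample lines are constructed (203.0.113.7 is a documentation-range address standing in for the remote server), and the sweep threshold is an assumption of mine, not something the comment states; adapt `parse_line()` to whatever your firewall actually writes.

```python
"""Flag tcp/445 sweeps of the local /16 and outbound tcp/5555 in a connection log.

Added example; not code from the post or its commenters.  Log format (one line per
connection attempt) is constructed: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
Indicators taken from the comment above: 445 scanning of the infected PC's own
/16 ("the last 2 octets") and an outbound connection on port 5555.
"""
from collections import defaultdict
import ipaddress

SMB_PORT = 445
C2_PORT = 5555
SWEEP_THRESHOLD = 8   # distinct 445 targets in one /16 before a host counts as sweeping (assumed)


def parse_line(line):
    """Parse one line in the constructed format into a dict."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto.lower()}


def same_slash16(a, b):
    """True when two IPv4 addresses share their first two octets."""
    return (ipaddress.ip_network(f"{a}/16", strict=False)
            == ipaddress.ip_network(f"{b}/16", strict=False))


def analyse(lines):
    """Return sweeping hosts, hosts talking to tcp/5555, and the 5555 servers they reach."""
    smb_targets = defaultdict(set)   # src -> distinct hosts in its own /16 probed on 445
    c2_clients = defaultdict(set)    # src -> remote hosts contacted on 5555
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp":
            continue
        if rec["dst_port"] == SMB_PORT and same_slash16(rec["src_ip"], rec["dst_ip"]):
            smb_targets[rec["src_ip"]].add(rec["dst_ip"])
        if rec["dst_port"] == C2_PORT:
            c2_clients[rec["src_ip"]].add(rec["dst_ip"])
    sweepers = sorted(src for src, hosts in smb_targets.items() if len(hosts) >= SWEEP_THRESHOLD)
    return {"smb_sweepers": sweepers,
            "port5555_clients": sorted(c2_clients),
            "c2_servers": sorted({ip for ips in c2_clients.values() for ip in ips})}


# Constructed sample log: 10.20.1.40 is an ordinary client talking to one file server;
# 10.20.1.15 shows the sweep plus the outbound 5555 connection.
SAMPLE_LOG = [
    "12:01:03 10.20.1.40:1044 -> 10.20.0.5:445 tcp",
    "12:01:09 10.20.1.40:1045 -> 10.20.0.5:445 tcp",
    "12:02:11 10.20.1.15:1901 -> 203.0.113.7:5555 tcp",
    "12:02:30 10.20.1.15:1902 -> 10.21.3.9:445 tcp",   # different /16: not counted as local sweep
] + [
    f"12:02:{12 + i:02d} 10.20.1.15:{2000 + i} -> 10.20.{i}.{37 + i}:445 tcp" for i in range(10)
]

if __name__ == "__main__":
    for label, hosts in analyse(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

The `c2_servers` list is what you would feed into an outbound block list, which is the same measure two commenters above applied by hand. The listener on port 113 that the comment also mentions does not show up in a connection log unless something connects to it; that one is checked on the host itself with `netstat -an`.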

  23. Mike Hoye
    Posted July 1, 2004 at 1:15 am | Permalink

    The Trend Micro analysis dovetails nicely with what you’ve discovered, aside from their “In The Wild: No” claim. Infected machines try to infect other local machines via known RPC exploits, collect a few CD keys and connect to an IRC channel for, well, remote controlling.

  24. Posted July 1, 2004 at 7:21 pm | Permalink

    Just wanted to say thanks…
    the documentation was a life saver

    You’re the main man this week!!!