Please note that this document is now outdated - most major antivirus programs should detect and remove systemnt.exe automatically. This document is here for historical purposes only.
"systemnt.exe" is believed to be a backdoor trojan; it exploits several known security holes in NT-based operating systems to install itself remotely. It's something new: on June 24, 2004, this was the only available documentation on the subject.
systemnt.exe has been found running on Windows XP Pro, Windows 2000 and 2000/2003 Server machines, all of which were patched before the infection. The program is not discovered by AdAware, Spybot S&D or SpySweeper.
The symptoms of systemnt.exe are:
There has also been a report of increased activity on port 445 and the removal of administrative and hidden shares from servers. There may be others; one diagnosis performed by Trend Micro suggests that this worm exploits a number of vulnerabilities and is used to attack weak passwords and harvest various CD keys. That assessment is available here:
As of June 25th, the "Overview" section of the Trend Micro is incorrect, and appears to be a placeholder page; their process will not work properly. Following the instructions below is recommended until antivirus updates are widely available.
cd c:\windows\system32\ attrib -s -h -r systemnt.exe delete systemnt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
In each of these, you need to remove this entry:
"Microsoft Update Manager"="systemnt.exe"
Until the effects of this program are fully understood, infected machines should not be trusted; right now a bare-metal reinstall is the only way to be certain that your systems are not still compromised.
An earlier version of this document provided a proposed fix using Mcafee AV version 7, and said that you could prevent reinfection by checking the "Unwanted programs" and "Joke programs" options in the "On Access Scan Properties" dialog. That suggestion has been verified incorrect, and been removed. However, McAfee has recently updated their .DAT files, and any machine that has been updated on or after June 28th should be protected.
As of June 28th, the latest updates from all major antivirus vendors should include protection against systemnt.exe. If you have any additional information, please e-mail me: mhoye at off.net or post a reply to my weblog, at:
This document will be updated as more information is collected.
- Mike Hoye