systemnt.exe fix

Please note that this document is now outdated - most major antivirus programs should detect and remove systemnt.exe automatically. This document is here for historical purposes only.

Overview

This document describes one solution for removing systemnt.exe from WinNT-based systems.

"systemnt.exe" is believed to be a backdoor trojan; it exploits several known security holes in NT-based operating systems to install itself remotely. It's something new: on June 24, 2004, this was the only available documentation on the subject.

systemnt.exe has been found running on Windows XP Pro, Windows 2000 and 2000/2003 Server machines, all of which were patched before the infection. The program is not discovered by AdAware, Spybot S&D or SpySweeper.

The symptoms of systemnt.exe are:

There has also been a report of increased activity on port 445 and the removal of administrative and hidden shares from servers. There may be others; one diagnosis performed by Trend Micro suggests that this worm exploits a number of vulnerabilities and is used to attack weak passwords and harvest various CD keys. That assessment is available here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.DA&VSect=T

As of June 25th, the "Overview" section of the Trend Micro is incorrect, and appears to be a placeholder page; their process will not work properly. Following the instructions below is recommended until antivirus updates are widely available.

Removal

Once you find out that it's running on a system, you must not log in to that machine as administrator directly. If you do, the program will use your adminstrator privileges to install itself as a service, which will be running as LOCAL_SERVICE after the next reboot. Instead, follow the following steps:

  1. Log the user out and restart the computer.
  2. Hit F8 after the BIOS posts, to get into the WinXP boot menu.
  3. Choose "Safe Mode With Command Prompt"
  4. From the comand prompt, type:

    cd c:\windows\system32\
attrib -s -h -r systemnt.exe
delete systemnt.exe

  5. Reboot and log in as administrator normally.
  6. Run RegEdit, search for "systemnt.exe" and delete all registry entries you find. The critical ones are:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    In each of these, you need to remove this entry:

    "Microsoft Update Manager"="systemnt.exe"
  7. Close RegEdit and reboot.
  8. Log in as administrator normally.
  9. Under Control Panel, System find the system restore tab and turn off system restore. If you don't, the problem will likely come back.
  10. Run a full Windows Update (open www.windowsupdate.com with IE) and install all of their critical patches.

Until the effects of this program are fully understood, infected machines should not be trusted; right now a bare-metal reinstall is the only way to be certain that your systems are not still compromised.

An earlier version of this document provided a proposed fix using Mcafee AV version 7, and said that you could prevent reinfection by checking the "Unwanted programs" and "Joke programs" options in the "On Access Scan Properties" dialog. That suggestion has been verified incorrect, and been removed. However, McAfee has recently updated their .DAT files, and any machine that has been updated on or after June 28th should be protected.

As of June 28th, the latest updates from all major antivirus vendors should include protection against systemnt.exe. If you have any additional information, please e-mail me: mhoye at off.net or post a reply to my weblog, at:

http://neon.polkaroo.net/~mhoye/blarg/archives/002302.php

This document will be updated as more information is collected.

Peace, yo.

- Mike Hoye

The original of this document is available at http://neon.polkaroo.net/~mhoye/documents/systemnt.exe.fix.html
Last updated June 28, 12:15 PM EST