Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
File Behavior
SYST.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- The Process is polymorphic and can change its structure
- Executes a Process
- This Process is a file infector which modifies program files to include a copy of the infection
- Writes to another Process's Virtual Memory (Process Hijacking)
- Can communicate with other computer systems using HTTP protocols
- This process creates other processes on disk
- Downloads program file(s) and other content from the web
- Registers a Dynamic Link Library File
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Opens browser pop ups
- Visits web sites on your PC without you knowing
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Disables Access to the Task Manager built into Windows
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- This Process Deletes Other Processes From Disk
- Terminates Processes
- Disables safe mode on your PC
- Includes file creation code which could be used to test for interception by security products
SYST.EXE has been the subject of the following behavior:
- Copied to multiple locations on the system
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
- Deleted as a process from disk
- Registered as a Dynamic Link Library File
- Created by processes which appear to be checking for interception by security products
Country Of Origin
The filename SYST.EXE was first seen on Jun 23 2007 in the following geographical regions of the Prevx community:
- The UNITED KINGDOM on Jun 23 2007
- SPAIN on Feb 19 2008
- The EUROPEAN UNION on Feb 19 2008
File Name Aliases
SYST.EXE can also use the following file names:
- 62066159.DAT
- 13482409.DAT
- SYSXLLY.EXE
- WIND32.EXE
- WIN32[1].EXE
- 23570861.EXE
- 89535111.EXE
- 01C9FA9648636362_SYST_EXE.PE
- 0XF9.EXE
- 01C9FA9647A244E8_ASASA_EXE.PE
- 01C9FA96471F2392_0XF9_EXE.PE
- HYEQQNY.EXE
- ASASA.EXE
- 26426778.SVD
- 49266437.SVD
- 25960021.EXE
- 35875769.SVD
- 97179708.EXE
- 78573796.DAT
- 30821554.DAT
- DECRYPTED.EXE
- 56652289.EXE
- SPYNET01.EXE
Filesizes
The following file sizes have been seen:
- 29,136 bytes
- 124,928 bytes
- 33,792 bytes
- 180,224 bytes
- 18,432 bytes
- 8,355 bytes
- 20,480 bytes
- 89,600 bytes
Vendor, Product and Version Information
Files with the name SYST.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- aaaa; aaaaaa; 1.00
- ; ; 1.00
File Type
The filename SYST.EXE refers to many versions of an executable program.
File Activity
One or more files with the name SYST.EXE create, delete, copy or move the following files and folders:
- Creates folder C:\WINDOWS\system32\syst\
- Copies file c:\8539588.exe to c:\windows\system32\syst\syst.exe
- Creates c:\windows\system32\syst\logs.dat
Registry Activity
One or more files with the name SYST.EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\net01 FileNameAtual [REG_EXPAND_SZ, value: C:\8539588.exe]
- HKEY_CURRENT_USER\Software\net01 FirstExecution [REG_EXPAND_SZ, value: 25/05/2009 -- 01:07]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run syst [REG_EXPAND_SZ, value: C:\WINDOWS\system32\syst\syst.exe]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run syst [REG_EXPAND_SZ, value: C:\WINDOWS\system32\syst\syst.exe]
- HKEY_CURRENT_USER\Software\net01 ByPersist [REG_EXPAND_SZ, value: C:\WINDOWS\system32\syst\syst.exe|syst|syst|]
- HKEY_CURRENT_USER\Software\net01 FileName [REG_EXPAND_SZ, value: Dlzcs1JtFiFdifAOxfQDRfRiNiFSreZzdqWQfjWeGF9k]
- HKEY_CURRENT_USER\Software\net01 HKLM [REG_EXPAND_SZ, value: zxnPXD]
- HKEY_CURRENT_USER\Software\net01 HKCU [REG_EXPAND_SZ, value: zxnPXD
Network Activity
One or more files with the name SYST.EXE perform the following network events:
- DNS Lookup 94.183.195.126 dynhack01.dyndns.org
- DNS Lookup
Website Activity
One or more files with the name SYST.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:94.183.195.126:9100 Port:14
- TCP:94.183.195.126:9100 Port:15