Prevx Research Division
SYST.EXE
Cloaked MalwareYour PC may be infected. The presence of a file called SYST.EXE is a possible sign of infection.
You should urgently check your PC to make sure it is not infected. The free version of Prevx will scan your PC in less than two minutes and check for millions of spyware and malware infections including SYST.EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Cloaked Malware
- Worm
- Malware Downloader
File Behavior
SYST.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This process creates other processes on disk
- Injects code into other processes
- Can communicate with other computer systems using HTTP protocols
- Disables safe mode on your PC
- Reads email address and phone book details
- Includes file creation code which could be used to test for interception by security products
- Visits web sites on your PC without you knowing
SYST.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Deleted as a process from disk
Country Of Origin
The filename SYST.EXE was first seen on May 18 2007 in the following geographical regions of the Prevx community:
- The United States on May 18 2007
- Bulgaria on May 18 2007
- Spain on Feb 19 2008
- Europe on Feb 19 2008
- The United Kingdom on Jan 24 2009
- Brazil on Feb 25 2010
- Mexico on Jan 1 2011
- Peru on Jan 1 2011
- South Africa on Jan 5 2012
File Name Aliases
SYST.EXE can also use the following file names:
- SYST.TXT
- ERASEME_25341.EXE
- TANGA.EXE
- N-ABRIZIO[1].EXE
- ERASEME_62338.EXE
- ERASEME_43482.EXE
- ERASEME_37642.EXE
- ERASEME_04524.EXE
- ERASEME_24714.EXE
- ERASEME_54636.EXE
- ERASEME_48083.EXE
- ERASEME_11871.EXE
- ERASEME_73601.EXE
- ERASEME_46005.EXE
- ERASEME_11513.EXE
- ERASEME_48653.EXE
- ERASEME_06366.EXE
- SYSXLLY.EXE
- WIND32.EXE
- WIN32[1].EXE
- ASASA.EXE
- 8.IMA
- 36974843_SPY.EXE
- 0XF9.EXE
- 62066159.DAT
- 13482409.DAT
Filesizes
The following file size has been seen:
- 29,136 bytes
- 57,856 bytes
- 180,224 bytes
- 360,448 bytes
- 902,144 bytes
- 110,592 bytes
- 20,480 bytes
- 319,488 bytes
Vendor, Product and Version Information
Files with the name SYST.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- -; ; 1.00
- ; ; 1.00
- Misys International Banking Systems; ; 6.01.0012
- Microsoft Corporation; Windows Live Messenger; 9.0.0.0
- Microsoft Corporation; Windows Live Messenger; 1.0.0.0
- PROPERTIES; ; 4.07.0009
- aaaa; aaaaaa; 1.00
- S3kKjQOK8r; ; 13.23.0007
File Type
The filename SYST.EXE refers to many versions of an executable program.
File Activity
One or more files with the name SYST.EXE creates, deletes, copies or moves the following files and folders:
- create folder C:\Program Files\Microsoft Security Adviser
- Creates c:\program files\microsoft security adviser\mssadv.exe
- Creates c:\program files\microsoft security adviser\mssadv.log
- Creates c:\program files\microsoft security adviser\msctrl.exe
- Creates c:\program files\microsoft security adviser\msctrl.log
- Creates c:\program files\microsoft security adviser\msavsc.exe
- Creates c:\program files\microsoft security adviser\msscan.exe
- Creates c:\program files\microsoft security adviser\msiemon.exe
- Creates c:\program files\microsoft security adviser\msfw.exe
- Deletes c:\docume~1\user\locals~1\temp\TMP4352$.TMP
- Creates c:\docume~1\user\locals~1\temp\TMP4352$.TMP
- Creates c:\docume~1\user\locals~1\temp\RGI24.tmp
- Deletes c:\docume~1\user\locals~1\temp\RGI24.tmp
- Creates c:\docume~1\user\locals~1\temp\9ce5_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\1947A.dmp
- Creates c:\docume~1\user\locals~1\temp\RGI4C.tmp
- Deletes c:\docume~1\user\locals~1\temp\RGI4C.tmp
Registry Activity
One or more files with the name SYST.EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 Accept-encode:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Display Inline Images no
Website Activity
One or more files with the name SYST.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Remote server connection to 195 .42 .103 .6
- TCP:127.0.0.1:1065 Port:16
- Port 80 IP:94.247.2.122
- Port 80 IP:195.42.103.65