Results 1 to 9 of 9

Thread: ntsysmgr.exe?

  1. #1
    Junior Member
    Join Date
    Aug 2004




    I have encountered a virus/worm/trojan named ntsysmgr.exe. This v/w/t self replicates at startup, disables regedit, safemode, cmd, config, anti-virus, auto-downloads. Resets the admin user and pass for local. Tries to connect to network through port 345. I have it isolated on a subnet of six comps (xp and 2000).

    The anti-virus software used is sophos 3.84 and it will not detect this thing.

    Has anybody encountered this before? If so do you know what virus this is and how to remove it.


    I am writing a server side batch file to locate and disable the network connection if file is found. Anyone knows a very safe way of disconnecting a comp from a network through a batch file. (ipconfig /release) Will it work.


    Would you like me to upload the file so you can take a look?

  2. #2
    Join Date
    Aug 2004
    Google doesnt fin anything on it ? Are you sure its called that ? Maybe its a new virus, report it to an Online AV company....

  3. #3
    Senior Member
    Join Date
    Aug 2003
    From your desrcription, it sounds like a little more than just a little virus. I have yet to run across anything of that nature that changes passwords. Where is this file residing?

    What are you using to see the file? Is it running as a service? Have you checked the file properties?

    Then I would also have to ask, if it disables your AV, then I would suppose that your AV wouldn't detect it??

    You can't boot into safe mode?? I think you have a bunch of things going on...


  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Would you like me to upload the file so you can take a look?
    Yes please as A ZIP or RAR if you could..

    and have you submitted this file to Sophos? you never know your luck

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Yes, definitely submit it. It sounds like one heck of a virus that I don't want to cross my path...

  6. #6
    Junior Member
    Join Date
    Aug 2004

    Where is this file residing?

    What are you using to see the file?
    Explorer and powerdesk.

    Is it running as a service?

    You can't boot into safe mode??
    When I try to boot into safe mode, it will automaticaly reboot after 5 secs.


    I will zip the file and upload when i get to work

    It just appeared 2 days ago. I have been chasing it down and isolating it. I have not had the time to submit to Sophos. Now I have time since its isolated. It has been driving me crazy

  7. #7
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    maybe a vatient of SDBOT ? ( AKA W32.HLLW.Gaobot ) ??

    See Trend Micro
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Yes, as IKnowNot has said, that is most likely what it is. The same thing happened to a user at my facility. The only difference is that it used 445 to replicate via windows shares. Check that port number and verify if it really is 345.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Junior Member
    Join Date
    Aug 2004

    Thank you, that looks like it. Now I have to wait until sophos updates.

    from trend micro
    Discovered: Aug. 18, 2004
    I am still going to capture it and upload.


    The port that it is going after is 345. I will check the logs again but I doubt the port changed..

    Thank you all for your help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts