Full Disclosure mailing list archives

denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool


From: "lsi" <stuart () cyberdelix net>
Date: Sun, 23 May 2010 17:16:29 +0100

denial-of-service vulnerability in the Microsoft Malicious Software 
Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used 
to remove malware from infected Windows systems.  However, MRT does 
not always correctly repair the system.  In at least one case, the 
changes made by MRT can render the system unbootable (log below).  
Repair can be time-consuming and expensive, particularly as the error 
messages and log files of the software concerned are cryptic and 
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these 
changes to the system may be made without the knowledge of an 
Administrator (or even the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting 
stuff willy-nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
    driver://NDIS
    file://C:\WINDOWS\system32\drivers\NDIS.sys
        SigSeq: 0x00008A78910FD971
        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
    regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 21:31:29 2010


Return code: 10 (0xa)
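An added example, not part of the post and not Microsoft's code: a small Python check that parses the removal section of an MRT log such as the one above and flags every action against a boot-critical component, so an administrator can restore the driver from a known-good copy before the pending reboot takes effect. The list of boot-critical component names is a constructed assumption for this example; the log text is a trimmed copy of the one in the post with its mail-wrapped lines rejoined.

```python
import re
from dataclasses import dataclass

# Trimmed copy of the MRT removal log quoted in the post (lines rejoined).
MRT_LOG = r"""Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
"""

# Components the Windows boot path depends on. Constructed, non-exhaustive
# assumption for this example; removal of any of these is worth a manual look.
BOOT_CRITICAL = {"ndis", "tcpip", "ntfs", "disk", "acpi", "atapi"}

ACTION_RE = re.compile(r"^Start 'remove' for (?P<scheme>\w+)://(?P<target>.+)$")


@dataclass
class Removal:
    scheme: str    # regkey, safeboot, service, driver or file
    target: str    # the part after "scheme://"
    outcome: str   # "done", "pending_reboot" or "unknown"

    def component(self) -> str:
        """Reduce the URI target to a bare component name, e.g. 'ndis'."""
        name = self.target.rstrip("\\").split("\\")[-1]
        return name.lower().removesuffix(".sys")


def parse_removals(log: str) -> list[Removal]:
    """Pair each "Start 'remove'" line with the "Operation ..." line after it."""
    lines = [ln.strip() for ln in log.splitlines()]
    removals = []
    for i, line in enumerate(lines):
        m = ACTION_RE.match(line)
        if not m:
            continue
        result = lines[i + 1] if i + 1 < len(lines) else ""
        if result.startswith("Operation succeeded"):
            outcome = "done"
        elif "scheduled" in result and "reboot" in result:
            outcome = "pending_reboot"
        else:
            outcome = "unknown"
        removals.append(Removal(m["scheme"], m["target"], outcome))
    return removals


def boot_risk_findings(log: str) -> list[str]:
    """One warning per removal that touches a boot-critical component."""
    findings = []
    for r in parse_removals(log):
        if r.component() in BOOT_CRITICAL:
            when = "already applied" if r.outcome == "done" else "applied at next reboot"
            findings.append(f"{r.scheme}://{r.target}: {when}")
    return findings


if __name__ == "__main__":
    for finding in boot_risk_findings(MRT_LOG):
        print("BOOT RISK:", finding)
```

Run it against the real mrt.log (under %windir%\debug on the affected machine) before rebooting; any "already applied" hit on a file:// target means the driver binary is already gone and must be restored first.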


---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
