Full Disclosure mailing list archives
denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
From: "lsi" <stuart () cyberdelix net>
Date: Sun, 23 May 2010 17:16:29 +0100
denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used to remove malware from infected Windows systems. However, MRT does not always correctly repair the system. In at least one case, the changes made by MRT can render the system unbootable (log below). Repair can be time-consuming and expensive, particularly as the error messages and log files of the software concerned are cryptic and uninformative, or non-existent.

As MRT runs automatically in the background once a month, these changes to the system may be made without the knowledge of an Administrator (or even the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting stuff willy-nilly.

Recommendations:

1. Do not run MRT manually.
2. Disable MRT if possible, especially on mission-critical machines.
3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
    driver://NDIS
    file://C:\WINDOWS\system32\drivers\NDIS.sys
        SigSeq: 0x00008A78910FD971
        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
    regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !

Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.

Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 21:31:29 2010

Return code: 10 (0xa)

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
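An added example, not part of the original message and not Microsoft tooling: Python that parses the removal section of an MRT log in the layout quoted above and lists the removals that touch drivers, services or SafeBoot entries, so they can be reviewed before the reboot that completes them. The boot-relevance heuristic, the function names and the final Temp-file log entry are assumptions constructed for this example.

```python
import re

# Removal entries excerpted from the log quoted in the message above; the final
# Temp-file action is constructed here as a contrast case.
SAMPLE_LOG = r"""Threat detected: VirTool:WinNT/Cutwail.L
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
Start 'remove' for file://C:\WINDOWS\Temp\constructed-example.tmp
Operation succeeded !
Return code: 10 (0xa)
"""

ACTION = re.compile(r"^Start '(\w+)' for (\w+)://(.+)$")
DRIVER_FILE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.I)

def parse_mrt_log(text):
    """Collect threats, per-resource actions with outcomes, and the return code."""
    report = {"threats": [], "actions": [], "return_code": None}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Threat detected:"):
            report["threats"].append(line.split(":", 1)[1].strip())
        elif m := ACTION.match(line):
            report["actions"].append({"verb": m[1], "scheme": m[2], "target": m[3], "result": None})
        elif line.startswith("Operation") and report["actions"]:
            deferred = "after next reboot" in line
            outcome = "deferred" if deferred else "succeeded" if "succeeded" in line else "other"
            report["actions"][-1]["result"] = outcome
        elif m := re.match(r"Return code: (\d+)", line):
            report["return_code"] = int(m[1])
    return report

def boot_relevant(action):
    """Heuristic (an assumption of this example): drivers, services, SafeBoot entries."""
    if action["scheme"] in ("driver", "service", "safeboot"):
        return True
    if action["scheme"] == "regkey":
        return "\\SAFEBOOT\\" in action["target"].upper()
    return action["scheme"] == "file" and bool(DRIVER_FILE.search(action["target"]))

def review(text):
    """Return the removals an administrator should check before the next reboot."""
    return [a for a in parse_mrt_log(text)["actions"] if a["verb"] == "remove" and boot_relevant(a)]
```

Entries with the result "deferred" have not yet been applied, which is the window in which an administrator can still inspect the affected driver or service before restarting.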