[Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

From: lsi (stuartcyberdelix.net)
Date: Sun May 23 2010 - 11:16:29 CDT


denial-of-service vulnerability in the Microsoft Malicious Software
Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used
to remove malware from infected Windows systems. However, MRT does
not always correctly repair the system. In at least one case, the
changes made by MRT can render the system unbootable (log below).
Repair can be time-consuming and expensive, particularly as the error
messages and log files of the software concerned are cryptic and
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these
changes to the system may be made without the knowledge of an
Administrator (or even the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting
stuff willy-nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
    driver://NDIS
    file://C:\WINDOWS\system32\drivers\NDIS.sys
        SigSeq: 0x00008A78910FD971
        SHA1: DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
    regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !

Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 21:31:29 2010

Return code: 10 (0xa)

---
Stuart Udall
stuart atcyberdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)
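
An added example (not part of the post above): a small Python audit script that parses the removal-results section of an MRT log in the format quoted in the post and flags removals that hit boot-critical components such as files under system32\drivers and the SafeBoot control set, so an administrator can review them before the scheduled reboot. The sample log and the watchlist are constructed for this example; the real log lives in %windir%\debug\mrt.log.

```python
import re

# Constructed excerpt in the format of the MRT removal log quoted in the post;
# the Temp entry is added to show a removal that is not flagged.
SAMPLE_LOG = r"""Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\Temp\dropper.tmp
Operation succeeded !
"""

# One removal record per "Start '<action>' for <scheme>://<target>" line.
ACTION_RE = re.compile(r"^Start '(?P<action>\w+)' for (?P<scheme>\w+)://(?P<target>.+)$")

# Watchlist (an assumption for this example, not an MRT setting): locations whose
# removal left the machine unbootable in the post, plus core driver/service names.
BOOT_CRITICAL_PATHS = (re.compile(r"\\system32\\drivers\\", re.I),
                       re.compile(r"\\CONTROL\\SAFEBOOT\\", re.I))
CORE_SERVICES = {"ndis"}

def parse_removals(log_text):
    """Return (action, scheme, target, outcome) for each removal record."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    records = []
    for i, line in enumerate(lines):
        m = ACTION_RE.match(line)
        if m:
            # The outcome line ("Operation succeeded !" or "... scheduled to be
            # completed after next reboot.") is the next non-empty line.
            outcome = next((ln for ln in lines[i + 1:] if ln), "")
            records.append((m["action"], m["scheme"], m["target"], outcome))
    return records

def is_boot_critical(scheme, target):
    """True when the record touches a watchlisted driver, service or path."""
    if scheme in ("driver", "service") and target.lower() in CORE_SERVICES:
        return True
    return any(p.search(target) for p in BOOT_CRITICAL_PATHS)

def audit(log_text):
    """Removal records to review before letting the scheduled reboot happen."""
    return [r for r in parse_removals(log_text) if is_boot_critical(r[1], r[2])]
```

Run against the sample, three of the four removals (the SafeBoot key, the NDIS service and NDIS.sys) are returned for review; the Temp file removal is not.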

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/