Date: Sun, 23 May 2010 17:16:29 +0100
From: "lsi" <>
Subject: denial-of-service vulnerability in the Microsoft
	Malicious Software Removal Tool

denial-of-service vulnerability in the Microsoft Malicious Software 
Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used 
to remove malware from infected Windows systems.  However, MRT does 
not always correctly repair the system.  In at least one case, the 
changes made by MRT can render the system unbootable (log below).  
Repair can be time-consuming and expensive, particularly as the error 
messages and log files of the software concerned are cryptic and 
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these 
changes to the system may be made without the knowledge of an 
Administrator (or even the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting 
stuff willy-nilly.


1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:


Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Threat detected: VirTool:WinNT/Cutwail.L
        SigSeq: 0x00008A78910FD971
        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A

Quick Scan Removal Results
Start 'remove' for 
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for 
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !

Results Summary:
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be 
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 
18 21:31:29 2010

Return code: 10 (0xa)

Stuart Udall
stuart net -

 * Origin: lsi: revolution through evolution (192:168/0.2)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
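
A pre-reboot check for a machine on which MRT has acted, added here as an example; it is not part of the original post and not a Microsoft tool. It parses a log in the shape of the sample above and lists removals that touch services, drivers or files under system32\drivers. The sample log is constructed from the excerpt in the post, and the rule for what counts as boot-relevant is an assumption.

```python
import re

# Constructed sample, shaped like the excerpt in the post (one target is empty there too).
SAMPLE_LOG = r"""Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Threat detected: VirTool:WinNT/Cutwail.L

Start 'remove' for
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !

Return code: 10 (0xa)
"""

START = re.compile(r"^Start 'remove' for\s*(.*)$")
# Assumption: any service/driver entry, or a file under system32\drivers, is boot-relevant.
BOOT_RELEVANT = re.compile(r"^(service|driver)://|\\system32\\drivers\\", re.IGNORECASE)

def parse_removals(log_text):
    """Return one dict (threat, target, result) per 'remove' action in the log."""
    actions, threat, pending = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Threat detected:"):
            threat = line.split(":", 1)[1].strip()
            continue
        m = START.match(line)
        if m:  # a new action; its result is on a following "Operation ..." line
            pending = {"threat": threat, "target": m.group(1).strip(), "result": None}
            actions.append(pending)
        elif pending is not None and line.startswith("Operation"):
            pending["result"] = ("reboot-pending" if "after next reboot" in line
                                 else "succeeded" if "succeeded" in line else "other")
            pending = None
    return actions

def boot_risk(actions):
    """Subset of actions whose target is a service, a driver or a drivers-directory file."""
    return [a for a in actions if BOOT_RELEVANT.search(a["target"])]
```

Any entry returned by `boot_risk` is a component to verify, and restore from a known-good copy if needed, before the machine is restarted.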