Microsoft Windows Malicious Software Removal Tool
From: JOE DANCE (DANCEJOE_at_MOORE.SC.EDU)
Date: 02/07/05
- Previous message: Russ Cooper: "Alert: Microsoft Security Bulletin MS05-015 - Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)"
- Next in thread: Rick Klinge: "Re: Microsoft Windows Malicous Software Removal Tool"
- Reply: Rick Klinge: "Re: Microsoft Windows Malicous Software Removal Tool"
Date: Mon, 7 Feb 2005 09:48:46 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
During the month of January 2005, Microsoft apparently released something called the "Microsoft Windows Malicious Software Removal Tool", not to be confused with the beta version of Microsoft Antispyware. I don't recall seeing any discussion or articles on this software.
This application was announced by KB890830. According to the info in KB890830, the tool can be installed through Windows Updates or Automatic Updates, or GPO or SMS. Alternatively, it can also be run online, or downloaded and run from the command line or script. A link to the download page can be found in the KB article.
There is also a website dedicated to the product, and updates are supposed to be released on the second Tuesday of each month, probably along with other updates. The current version works only with Windows XP.
So far, I have noticed four issues of concern:
1. No such updates have been mentioned in this month's (Feb) advance notice of updates, nor was the tool's release included in the Jan 2005 summary of security bulletins.
2. KB890830 does NOT describe how to run it from the command line. The result of installing it from WU is that we now have a utility installed that we cannot run. We may be able to figure it out, but it would have been so much easier if MS had included the executable filename in the KB article.
3. The download page ( http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en ) does not include the download button, so the tool cannot be downloaded and saved to disk.
4. The tool did NOT download to our SUS server with other updates, and install automatically on our client workstations. Arguably, any updates that work through AU should have downloaded for distribution via SUS. However, we only discovered it by going to Windows Updates.
We have not, so far, tried running it from the website.
I thought I would share this information, and hope that someone could point me in the right direction if I happen to have overlooked anything, or to be otherwise in error. However, the situation currently appears to be as described above.
Joe Dance
University of South Carolina
NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.