Can one depend on Malicious Software Removal Tool


  • Please log in to reply
4 replies to this topic

#1 Romeo29

Romeo29

    Learning To Bleep


  • BC Advisor
  • 3,165 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:12:35 PM

Posted 18 June 2011 - 11:33 PM

Hi,
A person I know had a Zlob infection, so I advised him to use Malwarebytes Anti-Malware. But someone told him about the Microsoft Malicious Software Removal Tool.
The guy with the infected PC used Microsoft's tool and it worked. Later I found out more about this tool, that it can remove infections like Virut too.

My question is: can one depend on Microsoft's tool to remove infections like Zlob and Virut? Or does it work only in a few cases?

Thank you :)

#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 1,365 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:35 PM

Posted 19 June 2011 - 04:27 AM

Per the MSRT description page:

The Microsoft Windows Malicious Software Removal Tool removes specific, prevalent malicious software families from computers running compatible versions of Windows.

You can find the list of cleaned families here:
https://www.microsoft.com/security/pc-security/malware-families.aspx
Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com
Microsoft MVP 2011-2014 Consumer Security

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 33,321 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 PM

Posted 19 June 2011 - 08:36 AM

Detections for Virut were first added to the MSRT in August 2007.

Microsoft Security Intelligence Report

In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged. As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses out of the top 10 detected threat families.

May MSRT by the numbers

However, I do not know of any security vendor who will guarantee complete removal of file infectors since there is no guarantee that some files will not get corrupted during the disinfection process. This means that infected executables and system files can become unusable after attempting to repair them and afterward, there is still no guarantee the virus is really gone. Since many of the affected files are legitimate critical files required by the operating system, deletion is not a viable option. Even many anti-virus vendors admit that some malicious programs like file infectors cannot be properly disinfected by their products.

...it is quite interesting to look at modern day polymorphic viruses and whether their propensity to junk files is wholly by accident or whether there is the occasional element of intent involved...a mass infection that leaves behind a large number of irreparably corrupt files can still be very damaging. Some members of the Virut/Vetor family will randomly choose not to leave an infection marker after infection. This leaves the way open to multiple infections (more headaches for anti-virus companies) but also increases the chances that the end file will be corrupt...

Sophos: To Junk Or Not To Junk

...In many cases, files cannot simply be deleted as this would affect the stability or even basic functionality of the operating system and other software. Instead, the infected host program must be disinfected by removing the virus code from it and by carefully restoring the original contents and file structure if possible. This means detection and removal are still an issue for antivirus software...

Avira: Cleaning polymorphic infected files

...for infected users we have to offer no hope - fdisk - format and re-install is the only solution open to them...

avast: a file infector and why we cannot give false hope!

...it injects its code into running processes...The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files...unfortunately, some infections are corrupted beyond repair.

McAfee: polymorphic infector

The suggestions in this article are not intended to 100% guarantee removal of all threats...The file infector employs a technique to make sure its corrupted .DLL format will replace the targeted extensions found within the system. When the computer is rebooted it incidentally boots the infected file and continues its advancement throughout the system...

Norton (Symantec): File infector

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files...it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG: polymorphic infector

...you can try via rescue CD, or slave mounted hard drive. But there's no guarantee that some files won't get corrupted through the disinfection process.

Kaspersky: file infector

There are no guarantees when it comes to malware removal and dealing with file infectors, as the severity of damage will vary. In my experience, users may find their system performing better for a short time after attempted disinfection only to have it become progressively worse again as the malware continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours (and days) attempting to repair and remove the infected files.

That's why most security experts say the best course of action is to wipe the drive clean, reformat and reinstall the OS.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

miekiemoes' Blog: Virut and other File infectors - Throwing in the Towel?
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Romeo29

Romeo29

    Learning To Bleep

  • Topic Starter

  • BC Advisor
  • 3,165 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:12:35 PM

Posted 19 June 2011 - 09:03 PM

Thank you quietman7 and Didier. As always, very detailed and satisfying replies :) Thank you again :)

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 33,321 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 PM

Posted 20 June 2011 - 06:28 AM

:thumbup2: