Anyone notice this? A new MRT this month?

armond
Posts: 263
Joined: Tue Sep 13, 2005 11:43 am
Location: Glendale, CA USA


Post by armond » Wed Apr 27, 2011 7:43 pm

Hi All,
Hope that you're doing well.
I just checked for updates on my Windows Vista machine today and saw the Windows Malicious Software Removal Tool - April 2011 (KB890830) :? again. I installed the update anyway and then I decided to check the Digital Signature date of the "new" mrt.exe file in the System32 folder. The date is April 18! :?: :!:
Do you have any information about it?
P.S. The new GUID registry key value is:
1B3C6EA6-3472-407F-8E11-BFAF2BF30AAE
And the Version value is:
0CB525D5-8593-436C-9EB0-68C6D549994D
Just found it interesting and wanted to share.
Thanks.

ricktendo64
Posts: 3213
Joined: Mon May 22, 2006 12:27 am
Location: Honduras

Post by ricktendo64 » Wed Apr 27, 2011 7:48 pm

Old MRT version 3.18.4803.0
New MRT version 3.18.4804.0

armond
Posts: 263
Joined: Tue Sep 13, 2005 11:43 am
Location: Glendale, CA USA

Post by armond » Wed Apr 27, 2011 9:33 pm

From this web page:
http://www.microsoft.com/security/scann ... fault.aspx
The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.
The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.
Looks like they want to do the same thing with MRT...
What do you think?

5eraph
Site Admin
Posts: 4621
Joined: Tue Jul 05, 2005 9:38 pm
Location: Riverview, MI USA

Post by 5eraph » Wed Apr 27, 2011 9:48 pm

The Version registry value does not change for XPx64, but MRT.exe must now exist (and have the correct file version) in %SystemRoot%\system32 to prevent being offered the update. Looks like I'll be adding the stub user_hidden has included in his pack.
armond wrote:
Microsoft wrote:[...] Scanner expires 10 days after being downloaded. [...]
Looks like they want to do the same thing with MRT...
One instance does not indicate a trend. We'll see as time goes on. I suspect that they only improved detection or removal for this month's (v3.18) featured malware, Win32/Afcore, in the new MRT.exe file.
ricktendo64 wrote:Old MRT version 3.18.4803.0
New MRT version 3.18.4804.0

cybpsych
Posts: 421
Joined: Wed Jan 12, 2005 2:33 am

Post by cybpsych » Wed Apr 27, 2011 10:16 pm

A Second MSRT Release in April

http://blogs.technet.com/b/mmpc/archive ... april.aspx
In continuation of our support for the takedown activities on the Win32/Afcore botnet, we are releasing a second edition of MSRT in April. This edition includes variants of Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT. While MSRT has traditionally been released on the second Tuesday of the month alongside other security releases, we are not tied to this schedule. We can, and will, release MSRT as needed to support takedown activities or other times when the impact will be potentially significant. This additional release is on request and we welcome other requests in the future.

This release also includes some additional enhancements to the MSRT engine for other malware families, which have also been incorporated into definitions for Microsoft Security Essentials and the Forefront products since the last MSRT release.

- Jeff Williams, Principal Group Program Manager, MMPC

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Post by yumeyao » Wed Apr 27, 2011 10:47 pm

5eraph wrote:The Version registry value does not change for XPx64, but MRT.exe must now exist (and have the correct file version) in %SystemRoot%\system32 to prevent being offered the update. Looks like I'll be adding the stub user_hidden has included in his pack.
Sounds like MU ONLY checks the version number of your MRT.exe this time.

Formerly one could satisfy MU by providing either the registry key or MRT.exe with the correct version, but if it's true the registry value stays unchanged, we can assert that MU now checks the version THIS TIME.


You can get the stub from my update pack, and edit it by tools like ResHacker to change the file version. It's only 2KB and I have been using it for a very long time.
Now each time I update the MRT in my update pack, I just download the latest KB890830.exe and open it with 7-zip to extract MRT.exe, then change the file version of my stub to match the latest MRT.exe. No need to install this time-taker. :)
My work list(Hosted by dumpydooby)
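
An added example, not part of any post in this thread: the posts above indicate that update detection can be satisfied by any MRT.exe carrying the right file version, so a version match alone does not show that the file is the real tool. This PowerShell script reports the file version next to the Authenticode signature and the registry Version value; the key path `HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT` and the helper name `Test-MrtBinary` are assumptions, since the thread names only the value.

```powershell
# Added example: audit the installed MRT.exe rather than trusting its version resource.
# Assumption: the MSRT "Version" value lives under this key (the thread names the
# value but not the key path).
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'
$MrtPath  = Join-Path $env:SystemRoot 'system32\MRT.exe'
$Expected = '3.18.4804.0'   # the "new" version quoted in the thread

function Test-MrtBinary {   # hypothetical helper name
    param([string]$Path, [string]$ExpectedVersion, [string]$RegistryPath)

    $r = [ordered]@{
        Path = $Path; Exists = $false; SizeBytes = $null; FileVersion = $null
        VersionMatches = $false; SignatureStatus = $null; Signer = $null
        RegistryVersion = $null; LooksGenuine = $false
    }

    # The registry GUID is recorded separately from the file on disk.
    $reg = Get-ItemProperty -Path $RegistryPath -Name Version -ErrorAction SilentlyContinue
    if ($reg) { $r.RegistryVersion = $reg.Version }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $file = Get-Item -LiteralPath $Path
        $vi   = $file.VersionInfo
        $r.Exists    = $true
        $r.SizeBytes = $file.Length
        # Build the version from the numeric fields; the FileVersion string can carry extra text.
        $r.FileVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart
        $r.VersionMatches = ($r.FileVersion -eq $ExpectedVersion)

        # The version resource can be edited; doing so leaves no valid Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $r.SignatureStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }

        $r.LooksGenuine = $r.VersionMatches -and
                          ($sig.Status -eq 'Valid') -and
                          ($r.Signer -match 'O=Microsoft Corporation')
    }
    [pscustomobject]$r
}

Test-MrtBinary -Path $MrtPath -ExpectedVersion $Expected -RegistryPath $RegPath | Format-List
```

A file that reports the expected version but shows `NotSigned` (or a size of a few KB) is a placeholder, and the machine has no working removal tool even though the update is no longer offered.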

5eraph
Site Admin
Posts: 4621
Joined: Tue Jul 05, 2005 9:38 pm
Location: Riverview, MI USA

Post by 5eraph » Thu Apr 28, 2011 3:03 am

The stub from your update pack doesn't work for me ("failed to initialize properly (0x00000018)"), but a much older version you posted (2KB version) does. :)

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Post by yumeyao » Thu Apr 28, 2011 3:17 am

Maybe that's a protection by x64. :) The stub from my update pack has the PE Header modified.

-- edit --
I'll consider setting up an XP x64 VM once my new box is returned.
My work list(Hosted by dumpydooby)
