worm blog

Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:

• Win32/Atak
• W32/Torvil
• W32/Zlob

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (1)

Updated Microsoft Malware Removal Tool (Jan, 2006)

It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware:

• Parite
• Maslan
• Bofra

The full list of families detected and removed by the Windows Malware Removal Tool is listed on the website. The team responsible for the product are also blogging their work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob | Permalink | Comments (4)

Updated Windows Defender Tool (Nov, 2005)

It's "patch Tuesday", the day when Microsoft releases their monthly patches (in this case, one fixup for November, 2005), and they also release updates to their malware removal tool. It now has a new name, too, Windows Defender, signifying it's larger purpose. The new families detected by this latest update to Windows Defender:

• Bugbear
• Codbot
• Mabutu
• Opaserv
• Swen

You can see the full list of families detected by the tool on the Microsoft website Families Cleaned by the Malicious Software Removal Tool. Remember, keep your AV policies current, always make sure you have the latest tool for the newest malware, and check on their sites for updates. You wont detect new threats with out of date tools.

Update: As noted in comments, the malicious software removal tool has not been renamed. I guess I'll still call it the MSRT in future posts.

November 8, 2005 in Bagle, Blaster, defense, malware , microsoft, SQLSlammer, tools, witty, Zotob | Permalink | Comments (2)

MS Malware Tool Updated (October, 2005)

Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are:

• Antinny
• Gibe
• Mywife
• Wukill

As always, this is just one tool in a Windows malware remediation toolkit. Also, it does not run in real-time, so it offers no ongoing protection. Instead, look at an AV solution for that. This only looks for the obvious signs of these malware families, but may not catch all future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.

October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob | Permalink | Comments (0)

Updated MS Malware Removal Tool (Sept. 2005)

Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:

• Zotob.A
• Zotob.B
• Zotob.C
• Zotob.D
• Zotob.E
• Bobax.O
• Esbot.A
• Rbot.MA
• Rbot.MB
• Rbot.MC

If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".

If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.

September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (0)

Updated Microsoft Malware Removal Tool (August, 2005)

This past "patch Tuesday" Microsoft released an updated malware removal tool. This month adds:

• Bagz
• Dumaru
• Spyboter

You can view the tool's details online or run it from their website for your Windows system on the Microsoft Malware Removal Tool Homepage. As always, this tool is not a replacement for AV scanners and is only a relatively fast acting tool for some popular malware. Not all variants are caught.

August 15, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools | Permalink | Comments (0)

Microsoft Malware Removal Tool Updates (July, 2005)

Microsoft has updated their Malware Removal Tool with new virus, worm and malware definitions for July, 2005. New this month are:

• Hacty
• Wootbot
• Optix
• Optixpro
• Purstiu

This tool has a decent list of popular malware families that it detects and removes, however it's no substitute for a full blown AV tool. It only looks for the common signs of these malware families. The tool is available for download now.

July 13, 2005 in Bagle, Blaster, microsoft, sasser, tools | Permalink | Comments (0)

Updated Microsoft Malware Removal Tool (June, 2005)

Microsoft has updated their malware removal tool. Yesterday was patch Tuesday at Microsoft, meaning updates to the tool were also included. This month the updates include:

• Spybot, the multi-headed family of worms that has thousands of variants by now
• Kelvir, an MSN Messenger worm
• Mytob, another mass mailer worm with various capabilities
• Lovgate, a mass mailer worm family.

You can go to the Microsoft malware removal tool website to do an Active-X based scan of your system or download the tool for installation on one or more systems. As we always say, the tool isn't a replacement for a more sophisticated detection tool like an AV system, it only looks for malware in the most common locations.

June 15, 2005 in Bagle, Blaster, mass mailers, microsoft, sasser, tools | Permalink | Comments (0)

Updated Microsoft Malware Removal Tool

Microsoft has updated their Malware Removal Tool for May, 2005. Here's the quick overview from the Microsoft download site for the tool:

The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

This tool is not a replacement for an anti-virus product. To help protect your computer, you should use an anti-virus product

There is one new threats listed on the Knowledge Base Article regarding the tool, and the updated download page says the following addition was made:

• SDBot

As always, a useful tool to keep in your arsenal to supplement spyware detection tools, AV updates, and the like.

May 10, 2005 in Bagle, Blaster, defense, microsoft, sasser, tools | Permalink | Comments (2)

In Depth Bagle Analysis

Jason Gordon, who runs the Infection Vectors website (a great complement to Wormblog, by the way), has written an in depth analysis of the Bagle worm. This is a good continuation of the writeup posted yesterday from Kaspersky Labs.

Beagle.A was discovered in late January 2004 and was an immediate success, spreading across the globe with a very simple infection strategy: just sending the worm as an attachment to a plain email message. Over the course of the spring, Beagle ran up over two dozen variants and thousands of compromised hosts.

Infectionvectors has published two in-depth reviews of Beagle and its development history, for details and commentary on the worm, see the first report, part two, and part three.

Beagle returned from a brief hiatus in early July 2004 with variants that attacked Internet hosts with a renewed ferocity. With even more success than previous versions, Beagle.X, AA, AB, and AO made special imprints on clients around the world, turning them into mail relaying robots.

Source: Beagle Alert, published on infectionvectors.com in March, 2005.

April 29, 2005 in Bagle, mass mailers, new trends, new worms, papers | Permalink | Comments (0)