Tuesday, August 05, 2008


The SANS Internet Storm Center had an interesting post the other day about the MS Malicious Software Removal Tool (aka, MRT). What I took away from the post is that KB 891716 says that whenever MRT is run, the "Version" value is updated with a new GUID. This information can be compared to the list of GUIDs from that same KB article, and correlated against the MRT.log file itself. KB 890830 contains a list of malicious software that MRT is intended to protect against.

From a forensic analysis perspective, this provides some good information with respect to malware that may or may not be on the system.

I put together a quick RegRipper plugin to address this key, and when run via rip.exe, the output looks as follows:

C:\Perl\forensics\rr>rip -r d:\cases\lenovo\software -p mrt

Launching MRT v.20080804

Key Path: Microsoft\RemovalTools\MRT

LastWrite Time Wed Jan 9 22:28:00 2008 (UTC)

Version: 330FCFD4-F1AA-41D3-B2DC-127E699EEF7D

Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT
was last run. According to the KB article, each time MRT is run, a new GUID is written to the Version value.

If you check KB 891716 for the above listed GUID, you'll see that it corresponds to Jan 2008, which correlates to the LastWrite time for the key itself. By checking the chart in the KB, you can see the malware that the system is supposed to be protected against.

Notice I've added an "Analysis Tip" to this plugin. I've also included some additional information in the header to the plugin itself, which is simply a text-based file that can be opened in any editor...much like Nessus plugins.