mrtstub.exe?????

Discussion in 'malware problems & news' started by CJsDad, Aug 21, 2006.

Thread Status:
Not open for further replies.
  1. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I've tried looking it up (google.com) and now I'm even more confused.

    Is this malware or not??

    From what I've read, it's 50/50: half the websites I have read say to remove it because it is malware, but the other half say it's part of the Microsoft Windows Malicious Software Removal Tool.

    So which is it?

    I've run all of my security scans (AV, AS, AT) and nothing shows up on any of them, so I really don't know what to do.
     
  2. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
  3. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I saw that website; that was one of them that came up in the Google search.
    Kind of confusing though, and I still don't know if I should leave the file or remove it.
     
  4. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    If you're using M$'s Malicious Software Removal Tool, you'll probably need to keep it.
    Per Microsoft:
    "mrtstub is part of the Malicious Software Removal Tool. It is responsible
    for copying mrt.exe to the correct location and launching it."

    Those sites you visited that caused alarm with results like:
    Oh my gosh!
    Now that they've your attention, their advice is:
    suggest "their" spyware removal software (for a fee, of course).
    To alleviate any trepidation, I'd do a search at Symantec, Kaspersky and see if anything related to mrtstub comes up.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What location is the file found in?

    If you right-click the file and check its properties, it should give info that should help you decide whether it's a legit MS file or not.
     
  6. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Glad this has been cleared up, it is for MS Malicious Software Removal Tool.
    Thanks to Bob D and Bubba for the help.
     
  7. merkwurdigliebe

    merkwurdigliebe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    1
    This program is supposed to be a binary patcher for MRT.EXE, the Malicious Software Removal Tool. It is apparently a genuine MS binary, but it is apparently being used by a rootkit to do evil things.

    I found a copy of it loaded in memory from a file in a temp directory. The file was a duplicate of mrtstub.exe but it was named ~WRS001.TMP and it was well hidden from the usual process and file tools from Sysinternals. It was launched by an unknown process and logged itself as a Windows Update task - patching MRT.exe. Unfortunately, I had never installed that software on this machine as I found it to cause more problems than it solved on others.

    Several hours after the fake WU job completed, I found the same PID still up and running as a service, attached to the NTP port, and opening tens of thousands of files on my system disk.

    MRTSTUB.EXE is not supposed to do anything but patch MRT.EXE. However, by hooking the function calls in its process space to tell the utility that the file it has open is MRT.EXE and that the file it is downloading for the patch is coming from MS, it is possible for someone to patch any file that process has access to, and since the utility is digitally signed by MS, the system trusts it and lets it proceed.

    So, MRTSTUB.EXE is a genuine MS file, but it has enormous potential as a blackhat's dream tool - a general purpose binary patch tool signed by MS and trusted by the system.

    I have confirmed that this is loose in the wild, and no one is apparently doing a thing about it. I informed MS of this several weeks ago.
     
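    The two practical points in this thread are Bubba's (check the file's properties and location to see whether it is a genuine Microsoft binary) and merkwurdigliebe's (a genuine, signed copy can be duplicated under another name in a temp directory and run from there). The PowerShell below is an added example, not code from the forum or from Microsoft; it checks a file's Authenticode signature and version info, then looks for byte-identical copies of it in temp folders and among running processes. The temp paths and the `O=Microsoft Corporation` subject match are assumptions for illustration, and the script only finds what the OS is willing to show it.

```powershell
# Added example: verify a suspected Microsoft binary and hunt for renamed copies.
# Not part of the original thread; paths and the signer pattern are assumptions.

function Test-SignedMicrosoftBinary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path   # Valid, NotSigned, HashMismatch, ...
    $ver  = $item.VersionInfo                              # same data as the Properties > Details tab
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        SignatureStatus = $sig.Status
        Signer          = $signer
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        FileDescription = $ver.FileDescription
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # "Legit MS file" here means: signature chains and validates, and the
        # signer and version info both name Microsoft. Version info alone is
        # trivially forged, so the signature status is the part that matters.
        LooksLegitimate = ($sig.Status -eq 'Valid') -and
                          ($signer -match 'O=Microsoft Corporation') -and
                          ($ver.CompanyName -like 'Microsoft*')
    }
}

function Find-RenamedCopies {
    # Hash-compare every file under the given roots against the reference binary,
    # so a copy named ~WRS001.TMP (or anything else) is still recognised.
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [string[]]$SearchRoots = @($env:TEMP, "$env:SystemRoot\Temp")  # assumed locations
    )
    $refFull = (Get-Item -LiteralPath $ReferencePath).FullName
    $refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system files that Explorer would not list.
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -ne $refFull } |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($h -eq $refHash) {
                    [pscustomobject]@{ Copy = $_.FullName; Sha256 = $h; LastWrite = $_.LastWriteTime }
                }
            }
    }
}

function Find-RunningCopies {
    # Same idea for live processes: match on the image hash, not the process name.
    param([Parameter(Mandatory)][string]$ReferencePath)
    $refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash

    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -eq $refHash) {
            [pscustomobject]@{ ProcessId = $_.Id; Name = $_.ProcessName; Image = $_.Path }
        }
    }
}

# Usage (the path is an assumption; point it at the mrtstub.exe you actually found):
# Test-SignedMicrosoftBinary -Path 'C:\path\to\mrtstub.exe' | Format-List
# Find-RenamedCopies -ReferencePath 'C:\path\to\mrtstub.exe'
# Find-RunningCopies -ReferencePath 'C:\path\to\mrtstub.exe'
```

    A valid Microsoft signature answers CJsDad's question (the file itself is genuine) but not merkwurdigliebe's: it says nothing about who launched the process or what it was pointed at. That is why the second and third functions match on hash rather than name, and why a find should be followed by looking at the parent process and launch location. A rootkit that hides files and processes from Sysinternals tools will hide them from `Get-ChildItem` and `Get-Process` just as well, so a clean result from this script is not proof of a clean machine; an offline scan or a boot from trusted media is the way to check that.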