Monday, March 8, 2010

Is Microsoft MS10-015 Detection Tool Mpsyschk.exe Effective?

Has anyone seen Microsoft MS10-015 mpsyschk.exe tool ( find a copy of Alureon/Tidserv? If so, please ping me at david @ I ran mpsyschk across a large population of machines last week and found nothing. Based on what I had observed in AV reporting, I had at least expected a couple hits.

I took a look at the pass/fail logic in mpsyscheck.exe. The pseudocode for the function that makes the PASS or FAIL decision is below. It looks like the decision point is whether or not two 4 byte values at offsets 0x7FFE0308 and 0x7FFE030C in the in-memory copy of process mpsyscheck.exe can be read successfully or not. I do not know enough about this problem to say whether this is enough detection or not. If mpsyschk.exe thinks the machine is infected, it also appears to write a "Timestamp" value under HKLM\Software\Microsoft\MPSystemStateCheck.

email: david @

No comments:

Post a Comment