Virus Management: Overview of the Malicious Software Removal Tool

Published: February 8, 2005

On January 11, Microsoft made available the Malicious Software Removal Tool, a free tool designed to check for and help remove infections by critical viruses and worms. In its initial release, the tool checks for the existence of malicious software (malware) on computers running the Windows 2000, Windows XP, or Windows Server 2003 operating systems. The tool will be updated on the second Tuesday of each month to coincide with the release of Microsoft security bulletins, and will scan for malware components that are currently active in your computer's memory. The tool does not perform an exhaustive scan of your hard drive like the McAfee Stinger utility, nor is it intended to be a replacement for your antivirus solutions. Because the Malicious Software Removal Tool does not prevent infections from current or future viruses, it’s a good idea to use it in conjunction with your antivirus software and patch management processes to provide a resilient, functional solution.

Why is such a tool needed? In the past, Microsoft released removal tools specifically to address a particular virus or worm. If you were concerned that your computer was infected with multiple viruses (for example, Blaster and Download.Ject), you would have to run the removal tool for each respective virus. The Malicious Software Removal Tool allows you to scan your computer for eight viruses (Berbew, Blaster, DoomJuice, Gaobot, Mydoom, Nachi, Sasser, and Zindos) simultaneously, saving you valuable time. Virus candidates for future inclusion will be those that carry at least a moderate rating.

Microsoft provides several options to run the Malicious Software Removal Tool. Whichever you choose, you must be a logged on to your computer with an account that is a member of the local Administrators group. Your options for obtaining and running the tool include:

  • An ActiveX control located directly on the Malicious Software Removal Tool Web site.

  • A download through the Microsoft Download Center. You can then manually run the tool locally on each computer, or you can use Systems Management Server or Group Policy scripts to deploy to multiple computers as discussed in KB 891716.

  • A critical update through Windows Update and through Automatic Updates for those customers who have Automatic Updates enabled, although this option is available only if your computer is running Windows XP.

Running the tool directly from the Web site or manually on your computer first requires accepting the Microsoft Software License Terms. The tool then checks for any strains of the malicious software noted above and summarizes what was found. For example, the result is either no malicious software detected or malicious software detected and removed.

When you use the tool through Windows Update, the scan is executed silently. You are not required to take any action for the tool to begin the detection process. When the process is finished, the tool creates a log file called MRT.log, which is contained in the %windir%\Debug folder. The log file details when the scan began, the results, and when it finished. You may need to reboot your computer after running the tool.

Whether you work in the SMB market with only a few desktops and servers or a larger enterprise market with thousands of desktops and servers, consider adding the Malicious Software Removal Tool into your antivirus and patch management processes. The Malicious Software Removal Tool is a great addition to the Microsoft Protect Your PC and Defense-in-Depth strategies. For further details about the tool, read KB 890830.

Jason Ballard, an ISA Server MVP, has been in the IT industry since 1997, where he has worked with various Microsoft products. He is employed by Toyota Motor Manufacturing North America and currently is an IT Specialist. Jason wrote an ISA Server 2000 training course for Element K, and he cowrote the Microsoft Press title ISA Server 2000 Administrator's Pocket Consultant. He also co-chairs the Microsoft User Group for the Lexington, Kentucky, area.

See other Security MVP Article of the Month columns.