Is Microsoft MS10-015 Detection Tool Mpsyschk.exe Effective?
Has anyone seen Microsoft MS10-015 mpsyschk.exe tool (http://support.microsoft.com/kb/980966) find a copy of Alureon/Tidserv? If so, please ping me at david @ sharpesecurity.com. I ran mpsyschk across a large population of machines last week and found nothing. Based on what I had observed in AV reporting, I had at least expected a couple hits.
I took a look at the pass/fail logic in mpsyscheck.exe. The pseudocode for the function that makes the PASS or FAIL decision is below. It looks like the decision point is whether or not two 4 byte values at offsets 0x7FFE0308 and 0x7FFE030C in the in-memory copy of process mpsyscheck.exe can be read successfully or not. I do not know enough about this problem to say whether this is enough detection or not. If mpsyschk.exe thinks the machine is infected, it also appears to write a “Timestamp” value under HKLM\Software\Microsoft\MPSystemStateCheck.