Microsoft says malware causing blue screen crashes

stephens316stephens316 Member Posts: 203 ■■■■□□□□□□
A hard-to-detect rootkit may be causing Windows XP systems to crash following Microsoft's latest security updates. Windows users began flooding Windows support forums this week, saying that their computers had been rendered unusable with a blue-screen-of-death (BSOD) error after installing Microsoft's February security updates, released Tuesday. On Thursday, Microsoft stopped shipping the MS10-015 update, which had been linked to the issue, and said it was investigating.

On Friday, Microsoft offered a preliminary conclusion, saying that malicious software may be to blame. "Malware on the system can cause the behavior," wrote Microsoft spokesman Jerry Bryant on a company blog. "We are not yet ruling out other potential causes at this time and are still investigating." He later said in a Twitter message, "we have confirmed cases where removing malware allows the system to boot."

Windows XP user Patrick Barnes said he'd traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems. In a post to the Internet Storm Center, Barnes said that he'd identified a nonworking file on his system called atapi.sys. When he submitted the file for analysis it turned out to be the TDSS rootkit.

It may not be the only cause of the problem, however. "From the reports I have been receiving, the infected atapi.sys is the most common cause of this blue screen," Barnes wrote in his post. "However, any driver that references the updated kernel bits incorrectly can also cause this blue screen."

Barnes posted repair instructions to his blog Friday, but the site was unavailable Friday morning Pacific Time. Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection, however.

Users must first remove the rootkit from their hard drive before they can repair the issue or apply the security update, Barnes wrote in the Internet Storm Center post. People who have experienced the BSOD should remove their hard drive and then scan it for infections using another PC to make sure they catch it. "If atapi.sys is removed, you will need to replace it from installation media or from another Windows system of the same version," Barnes wrote. "Restore your hard drive and attempt to boot again. If it still does not boot, you may try a repair installation of Windows. If that still does not work, you may need to reload your computer."

Because TDSS uses crafty techniques to hide itself on the operating system, many antivirus programs have a hard time detecting it, said Roel Schouwenberg, a Kaspersky antivirus researcher. "The more I look into it, the more plausible it becomes that this is indeed the (main) issue behind the BSOD. MS10-015 is a kernel update with atapi.sys containing the extremely advanced TDSS kernel rootkit," he said via instant message. "Microsoft pulling the patch obviously says something about how widespread this thing is."

Barnes' repair instructions "make sense," Schouwenberg said. "Given the nature of the BSOD I doubt there's an easier way."

Microsoft has said that the issue affects a "limited number" of customers.

News source: Info World
______________
Current Studying : GPEN |GCNF|CISSP??
Current Reading : CISSP| CounterHack|Gray Hat Hacking
Completed 2019 : GCIH
Free Reading : History Books

Comments

  • KaminskyKaminsky Member Posts: 1,235
    Nice one Steve.

    This is probably what killed my Vista Friday after I updated Thursday night.

    Still, didn't lose much and rebuilt PC is so fast now :)

    Thanks
    Kam.
  • Hyper-MeHyper-Me Banned Posts: 2,059
    Kaminsky wrote: »
    Nice one Steve.

    This is probably what killed my Vista Friday after I updated Thursday night.

    Still, didn't lose much and rebuilt PC is so fast now :)

    Thanks

    The article said it was only Windows XP.
  • KaminskyKaminsky Member Posts: 1,235
    Hyper-Me wrote: »
    The article said it was only Windows XP.

    I know... I'm still blaming it for my Vista crash though :)
    Kam.
  • Agent6376Agent6376 Member Posts: 201
    I've seen this a lot in my line of work in the past two weeks. The BSOD is 0x7E. If your machine has an i386 folder, boot into the recovery console and expand your copy of atapi.sy_ and replace your current atapi.sys in system32\drivers. This and the H8SRT crap has been affecting most of our clients in New Orleans heavily.

    Oh, and it can happen to Vista as well, but the files affected would not be atapi.sys. There are a few other storage drivers that can be affected. Running sigverify will help you determine whether your copies are infected.
Sign In or Register to comment.