Menu
Microsoft says malware causing blue screen crashes

Microsoft says malware causing blue screen crashes

A sneaky rootkit is blamed for a problem that has sidelined some XP users following patches

A hard-to-detect rootkit may be causing Windows XP systems to crash following Microsoft's latest security updates.

Windows users began flooding Windows support forums this week, saying that their computers had been rendered unusable with a blue-screen-of-death (BSOD) error after installing Microsoft's February security updates, released Tuesday. On Thursday, Microsoft stopped shipping the MS10-015 update, which had been linked to the issue, and said it was investigating.

On Friday, Microsoft offered a preliminary conclusion, saying that malicious software may be to blame. "Malware on the system can cause the behavior," wrote Microsoft spokesman Jerry Bryant on a company blog. "We are not yet ruling out other potential causes at this time and are still investigating."

"We have confirmed cases where removing malware allows the system to boot," Bryant said in a Twitter message.

Windows XP user Patrick Barnes said he'd traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems.

In a post to the Internet Storm Center, Barnes said that he'd identified a nonworking file on his system called atapi.sys. When he submitted the file for analysis it turned out to be the TDSS rootkit.

It may not be the only cause of the problem, however.

"From the reports I have been receiving, the infected atapi.sys is the most common cause of this blue screen," Barnes wrote in his post. "However, any driver that references the updated kernel bits incorrectly can also cause this blue screen."

Barnes posted repair instructions to his blog Friday, but the site was unavailable Friday morning Pacific Time. Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection, however.

Users must first remove the rootkit from their hard drive before they can repair the issue or apply the security update, Barnes wrote in the Internet Storm Center post. People who have experienced the BSOD should remove their hard drive and then scan it for infections using another PC to make sure they catch it. "If atapi.sys is removed, you will need to replace it from installation media or from another Windows system of the same version," Barnes wrote. "Restore your hard drive and attempt to boot again. If it still does not boot, you may try a repair installation of Windows. If that still does not work, you may need to reload your computer."

Because TDSS uses crafty techniques to hide itself on the operating system, many antivirus programs have a hard time detecting it, said Roel Schouwenberg, a Kaspersky antivirus researcher. "The more I look into it, the more plausible it becomes that this is indeed the (main) issue behind the BSOD. MS10-015 is a kernel update with atapi.sys containing the extremely advanced TDSS kernel rootkit," he said via instant message. "Microsoft pulling the patch obviously says something about how widespread this thing is."

Barnes' repair instructions "make sense," Schouwenberg said. "Given the nature of the BSOD I doubt there's an easier way."

Microsoft has said that the issue affects a "limited number" of customers.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftwindows xpblue screen

Featured

Slideshows

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintained Showcase 2018 momentum in Wellington, hosting more than 40 vendors at TSB Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro maintains Showcase 2018 momentum in Wellington
Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro kickstarted Showcase 2018 in Christchurch, hosting more than 40 vendors at Horncastle Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro launches Showcase 2018 in Christchurch
Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Show Comments