A hard-to-detect rootkit may be causing Windows XP systems to crash following Microsoft’s latest security updates.
Windows users began flooding Windows support forums this week, saying that their computers had been rendered unusable with a blue-screen-of-death (BSOD) error after installing Microsoft’s February security updates, released Tuesday. On Thursday, Microsoft stopped shipping the MS10-015 update, which had been linked to the issue, and said it was investigating.
On Friday, Microsoft offered a preliminary conclusion, saying that malicious software may be to blame. “Malware on the system can cause the behavior,” wrote Microsoft spokesman Jerry Bryant on a company blog. “We are not yet ruling out other potential causes at this time and are still investigating.”
“We have confirmed cases where removing malware allows the system to boot,” Bryant said in a Twitter message.
Windows XP user Patrick Barnes said he’d traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems.
In a post to the Internet Storm Center, Barnes said that he’d identified a nonworking file on his system called atapi.sys. When he submitted the file for analysis it turned out to be the TDSS rootkit.
It may not be the only cause of the problem, however.
“From the reports I have been receiving, the infected atapi.sys is the most common cause of this blue screen,” Barnes wrote in his post. “However, any driver that references the updated kernel bits incorrectly can also cause this blue screen.”
Barnes posted repair instructions to his blog Friday, but the site was unavailable Friday morning Pacific Time. Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection, however.
Users must first remove the rootkit from their hard drive before they can repair the issue or apply the security update, Barnes wrote in the Internet Storm Center post. People who have experienced the BSOD should remove their hard drive and then scan it for infections using another PC to make sure they catch it. “If atapi.sys is removed, you will need to replace it from installation media or from another Windows system of the same version,” Barnes wrote. “Restore your hard drive and attempt to boot again. If it still does not boot, you may try a repair installation of Windows. If that still does not work, you may need to reload your computer.”
Because TDSS uses crafty techniques to hide itself on the operating system, many antivirus programs have a hard time detecting it, said Roel Schouwenberg, a Kaspersky antivirus researcher. “The more I look into it, the more plausible it becomes that this is indeed the (main) issue behind the BSOD. MS10-015 is a kernel update with atapi.sys containing the extremely advanced TDSS kernel rootkit,” he said via instant message. “Microsoft pulling the patch obviously says something about how widespread this thing is.”
Barnes’ repair instructions “make sense,” Schouwenberg said. “Given the nature of the BSOD I doubt there’s an easier way.”
Microsoft has said that the issue affects a “limited number” of customers.