MS10-015 & The Dreaded BSoD

It appears that a hard-to-detect rootkit may be responsible for Windows XP systems crashing with a BSoD after the MS10-015 security update is applied.  Microsoft has said that the issue affects a "limited number" of customers.  Windows users began posting to support forums shortly after the patch was available, reporting that their computers, primarily Dell machines, had been rendered unusable by a blue-screen-of-death error after installing February's security updates.  Microsoft stopped pushing the MS10-015 update, which had been linked to the issue, to consumers and said it was investigating.

On Friday, Microsoft released a preliminary conclusion, indicating that malware may be to blame.  A Windows XP user posted that he’d traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems.  In a post to the Internet Storm Center, Patrick Barnes said that he’d identified a file on his system called atapi.sys which turned out to be the TDSS rootkit. 

http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

Removal

Because TDSS uses crafty techniques to hide itself, many antivirus programs have a hard time detecting it.  Users must first remove the rootkit from their systems before they can apply the security update.  Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection. 

People who have experienced the BSoD should remove their hard drive and scan it for infections from another, clean PC.  If the infected atapi.sys system file is removed, you will need to replace it from installation media or from another Windows system of the same version and service pack.

If it still does not boot, you may try a repair installation of Windows. 

If that still does not work, you may need to re-install from scratch. 
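The offline check behind the steps above, as an added example that is not part of the original post: with the suspect disk attached to a clean PC, compare each driver file against a known-good copy of the same Windows version taken from installation media, and report anything that differs so it can be replaced. It goes beyond the single file by accepting a wildcard pattern to check every .sys in the directory. The drive letters and the C:\ref\drivers reference location are assumptions.

```powershell
# Added example, not from the original post. Assumes the suspect disk is attached
# to a clean PC as E: and that a known-good copy of the drivers directory from
# installation media or a clean system of the same Windows version and service
# pack is at C:\ref\drivers. Get-FileHash needs PowerShell 4.0 or later.
param(
    [string]$SuspectDir   = 'E:\WINDOWS\system32\drivers',
    [string]$ReferenceDir = 'C:\ref\drivers',
    [string[]]$Files      = @('atapi.sys')   # pass '*.sys' to check every driver
)

function Compare-DriverFiles {
    param([string]$SuspectDir, [string]$ReferenceDir, [string[]]$Patterns)

    foreach ($pattern in $Patterns) {
        foreach ($file in Get-ChildItem -Path $SuspectDir -Filter $pattern -File) {
            $refPath = Join-Path $ReferenceDir $file.Name
            $row = [ordered]@{ File = $file.Name; Verdict = ''; SuspectHash = ''; Signature = '' }

            # Authenticode status is informational only: in-box drivers are often
            # catalog-signed and can show up as NotSigned here even when clean.
            $row.Signature   = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
            $row.SuspectHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

            if (-not (Test-Path -LiteralPath $refPath)) {
                # No clean copy to compare against: cannot judge, so do not call it clean.
                $row.Verdict = 'NoReference'
            } else {
                $refHash = (Get-FileHash -LiteralPath $refPath -Algorithm SHA256).Hash
                $refSize = (Get-Item -LiteralPath $refPath).Length
                if ($row.SuspectHash -eq $refHash)   { $row.Verdict = 'Match' }
                elseif ($file.Length -ne $refSize)   { $row.Verdict = 'Modified (size differs)' }
                else                                 { $row.Verdict = 'Modified (same size, different content)' }
            }
            [pscustomobject]$row
        }
    }
}

# Any 'Modified' row is a file to replace from clean media before reapplying the update.
Compare-DriverFiles -SuspectDir $SuspectDir -ReferenceDir $ReferenceDir -Patterns $Files |
    Format-Table -AutoSize
```

Run it from the clean PC, never from the suspect system itself, since a rootkit that hides its files while running would also hide the modification.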

MS10-015 is a kernel update.  With atapi.sys hosting the advanced TDSS kernel rootkit, the fact that Microsoft pulled the patch says something about how widespread this infection is.
