We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft says rootkit could cause XP BSOD

Software giant continues investigation

Microsoft says a hard-to-detect rootkit may be causing Windows XP systems to crash following its latest security updates.

Windows users began flooding support forums last week, saying that their computers had been rendered unusable with a blue-screen-of-death (BSOD) error after installing Microsoft's February security updates.

As a result, Microsoft stopped shipping the MS10-015 update, which had been linked to the issue, and said it was investigating.

The tech company offered a preliminary conclusion, saying that malicious software may be to blame.

"Malware on the system can cause the behavior," said Microsoft spokesman Jerry Bryant on a company blog.

"We are not yet ruling out other potential causes at this time and are still investigating."

"We have confirmed cases where removing malware allows the system to boot," Bryant addded in a Twitter message.

Windows XP user Patrick Barnes said he'd traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems.

In a post to the Internet Storm Center, Barnes said that he'd identified a nonworking file on his system called atapi.sys. When he submitted the file for analysis it turned out to be the TDSS rootkit.

It may not be the only cause of the problem, however.

"From the reports I have been receiving, the infected atapi.sys is the most common cause of this blue screen," Barnes wrote in his post.

"However, any driver that references the updated kernel bits incorrectly can also cause this blue screen."

Barnes posted repair instructions to his blog Friday. Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection, however.

Users must first remove the rootkit from their hard drive before they can repair the issue or apply the security update, Barnes wrote in the Internet Storm Center post.

People who have experienced the BSOD should remove their hard drive and then scan it for infections using another PC to make sure they catch it.

"If atapi.sys is removed, you will need to replace it from installation media or from another Windows system of the same version," Barnes said.

"Restore your hard drive and attempt to boot again. If it still does not boot, you may try a repair installation of Windows. If that still does not work, you may need to reload your computer."

Because TDSS uses crafty techniques to hide itself on the operating system, many antivirus programs have a hard time detecting it, said Roel Schouwenberg, a Kaspersky antivirus researcher.

"The more I look into it, the more plausible it becomes that this is indeed the (main) issue behind the BSOD. MS10-015 is a kernel update with atapi.sys containing the extremely advanced TDSS kernel rootkit," he said.

"Microsoft pulling the patch obviously says something about how widespread this thing is."

Barnes' repair instructions "make sense", Schouwenberg said. "Given the nature of the BSOD I doubt there's an easier way."

Microsoft has said that the issue affects a "limited number" of customers.

See also: Hackers to target recently patched Microsoft bugs


IDG UK Sites

Nexus 6 vs Samsung Galaxy Note 4 comparison: What's the best Android phablet?

IDG UK Sites

The iPhone is doomed. Doomed to be marginally less successful than a very successful thing.

IDG UK Sites

How to prototype native mobile apps without writing code

IDG UK Sites

How to prepare for and update to OS X Yosemite: Get your Mac ready to download & install Apple's...