Microsoft: Rootkit responsible for BSOD crashes

By on February 18, 2010, 9:13 AM
Windows users began flooding Microsoft support forums last week, saying that their computers had been rendered unusable with a "blue screen of death" (BSOD) error after installing the latest round of security updates from Redmond. The company was forced to stop shipping the MS10-015 update, which was apparently linked to the issue, and said it would investigate further.

Preliminary findings revealed by Microsoft suggested malicious software may be to blame. Today the company was able to confirm this and shared a few more details through a blog post from Mike Reavey, director of the Microsoft Security Response Center. According to Reavey, the blue screen was the result of malware already installed on users' XP machines, specifically the Alureon rootkit, which modifies Windows kernel binaries and as a result leaves systems in an unstable state once the update is applied.

Microsoft stressed that there were no quality issues with its security update MS10-015, but didn't mention when it will resume distributing it via its Windows Update mechanism. For now the company is working on a simple solution to detect and remove Alureon from affected systems, which it hopes to release "in a few weeks."
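As an added example (not code from Microsoft, TechSpot or any commenter), the following PowerShell does the check an administrator would want before re-applying an update such as MS10-015 to a machine that has already blue-screened: it lists kernel drivers whose Authenticode signature does not verify, and compares a suspect driver against a known-good reference copy by SHA-256. The driver directory, the reference path and the hashing helper are assumptions.

```powershell
# Added example, not from the article. Assumes PowerShell 2.0 or later and a
# known-good copy of the driver (e.g. from install media or a clean machine).

# SHA-256 of a file as a lowercase hex string, using .NET so it also works on
# older PowerShell versions that lack Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# Returns one object per .sys file whose Authenticode signature is not Valid.
# A kernel binary patched in place by a rootkit no longer matches its signature.
function Get-UnverifiedDrivers {
    param([string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'))
    Get-ChildItem -Path $DriverDir -Filter '*.sys' |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                New-Object PSObject -Property @{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
}

# Compares a suspect driver with a reference copy; $true means the bytes match.
function Test-DriverMatchesReference([string]$Suspect, [string]$Reference) {
    (Get-Sha256Hex $Suspect) -eq (Get-Sha256Hex $Reference)
}

# Usage (paths are placeholders):
Get-UnverifiedDrivers | Format-Table Status, Path, Signer -AutoSize
Test-DriverMatchesReference "$env:SystemRoot\System32\drivers\atapi.sys" 'D:\i386\atapi.sys'
```

On Windows XP era systems many legitimate drivers are signed only through a catalog file, which Get-AuthenticodeSignature reports as NotSigned, so treat that status as "compare against a reference copy", not as proof of tampering.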

Guest said:

I find that interesting, as I have two XP machines causing problems after the updates, while all the Windows 7 machines are fine.

I have run GMER on them and it does not find any rootkits. Both machines have had Microsoft Security Essentials on them and both have had a full scan run on them with no problems detected.

I rolled back the video drivers on one and that seemed to fix it. Still troubleshooting the other one!

Guest said:

I have a Server 2003 system that got a BSOD after applying MS10-015. Have run 3 different Rootkit analyzers & two different AV programs. No problems found. Uploaded atapi.sys to VirusTotal - file is OK. Removed MS10-015, and system is OK. No rootkit here, so MS needs to dig a little deeper.

Punkid said:

It's good to see Microsoft fixing BSOD crashes.

peas said:

Anti-virus programs can be fooled by some rootkits, especially the more insidious ones. They hide very well and subvert detection. Microsoft Security Essentials is by no means fool-proof (nothing is). I've seen rootkit infections that no anti-virus program was able to detect. It took a manual boot into the recovery console (boot CD) to manually delete the rootkit.

pmshah said:

Recently I too have been having infrequent BSOD problems. Unfortunately the MS10-015 patch you are referring to is not to be seen in my update history. Can someone list the contents as KBxxxxx IDs so I can remove them from my OS?

It is especially irritating when it happens in the middle of the night and I have a major downloading operation going. Most ISPs offer us special deals for night packages which by US standards appear to be practically free! For instance, 9.00 pm to 9.00 am, unlimited true 2 Mbps HTTP download speed, costs only US$ 6/= per month.

jobeard, TS Ambassador, said:

Computerworld - Microsoft late Thursday said it had halted distribution of a security update(*) linked to crippled Windows XP PCs that display the notorious Blue Screen of Death.

As has been debated: (*) As of Feb 14, 2010, confirmed reports show this statement to be false, at least when using manual updates instead of Autoupdate. See Horowitz.

Guest said:

KB977165 is the one causing the issue.

jobeard, TS Ambassador, said:

Agreed, but as noted by Horowitz, it has NOT been withdrawn.

Guest said:

I had one machine with a BSOD; threw Malwarebytes and ComboFix at it and copied the file also, and it works fine now.

Just an FYI, and it was an XP machine.
