Tracking down those XP crashes: Could the cause be malware?

According to reports on some newsgroups, a Windows patch is causing the Blue Screen of Death for Windows XP users. Microsoft has temporarily withdrawn the update while it investigates the reports. Before you leap to conclusions about the coding skills of Microsoft's developers, you might want to consider the possibility that this problem is related to undetected malware infections. I've got some exclusive details.

Update 3-Mar 2:00PM PST: Microsoft has re-released the MS10-015 update with new detection logic that blocks it from installingon computers that are infected with the malware that caues these crashes. They have also released a standalone FixIt tool to detect potential compatibility issues.

Update 12-Feb 11AM PST: The Microsoft Security Response Center, in a new blog post published 25 minutes after I published this post, acknowledged that the issues identified here are real: "In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating."

It's also worth noting in that blog post that Microsoft support engineers have actually "driven to customer locations and picked up affected systems" to get the crash dumps they needed.

Based on some posts in newsgroups, several news outlets have reported that a Windows patch was causing the Blue Screen of Death for Windows XP users. As my colleague Mary Jo Foley noted yesterday,  Microsoft has temporarily withdrawn update MS10-015 (KB977165) while it investigates the reports.

That is a reasonable response, but before you Windows-haters leap to conclusions about the coding skills of Microsoft's developers, you might want to consider an alternate possibility. Based on some third-party reports I've read, the problem might be related to undetected malware infections.

A blog post by Patrick W. Barnes (which in turn follows up on some information originally posted in comments at the Microsoft-run Windows Update forum and at the SANS Internet Storm Center) contains these details:

One of Microsoft’s “Patch Tuesday” security fixes is triggering a widespread “Blue Screen of Death” problem.  The cause is not the update itself, but an existing infection.  So far, reports suggest that this problem affects Windows XP and Windows Vista.

[…]

I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally.

More details after the jump.

For those who don't know Windows kernel drivers, Atapi.sys provides access to the system hard drive. If it's damaged or if it doesn't match the hardware in your system, the result will be a STOP error, which displays 0x0000007B INACCESSIBLE_BOOT_DEVICE (or a similar error code) on a blue screen.

The MS10-015 update does not replace the Atapi.sys driver, but it does replace a bunch of kernel files that interact with that driver (the full list is in the KB article, under the File Information heading), so it's not unexpected that these changes would cause problems on systems that were already infected.

I found an unrelated report with similar details in a thread at bleepingcomputer.com, where a user reported experiencing this issue and provided diagnostic reports showing infections by several rootkits and Trojan-horse programs (Rootkit.Win32.Agent and Backdoor.Tidserv, also known as TDDS), as well as the Koobface worm. One detail that caught my eye in that thread was the name of that Tidserv nasty, which is known to replace Atapi.sys with an infected version. (See this search for a sample of reports.)

Going through those reports suggests this isn't a new rootkit or a new problem. A November 2009 report at Computing.net sounds awfully similar:

I just had an XP PC that was in a constant loop on start-up. It wouldn't even let me do a repair install no matter how I set up the boot order. […] Avast found the TDDS rootkit in the MBR and lots of other malware in the USB drive….

And this one, from Norton's community forums in December 2009:

I was fooled into running an executable … I was suspicious so immediately ran a full scan overnight. The scan reported 1 threat and needed to reboot to complete the fix. I let it reboot. The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot. I checked the Norton log. The scan found one virus – Backdoor.Tidserv.l!inf, which it claimed to have resolved. However auto-protect also reported finding the same virus a bit later, again claiming to have resolved it. Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all.

Later in the thread, a forum veteran describes a report from a similar infection, complete with blue screen.

Nothing I have seen suggests this is truly a widespread problem. Given that several hundred million people have downloaded this update, even a tiny fraction of a percent would result in thousands of affected systems.

So should you hold off on installing this update? Given that the issue it fixes requires local login rights to exploit and there are no known attacks in the wild, there's little risk in holding off, at least until Microsoft completes its investigation.

Of course, you could also upgrade to 64-bit Windows 7, which doesn't require this patch at all.

[Hat tip to Rafael Rivera of Within Windows for pointing me to two of these links.]

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All