Tracking down those XP crashes: Could the cause be malware?

Summary: According to reports on some newsgroups, a Windows patch is causing the Blue Screen of Death for Windows XP users. Microsoft has temporarily withdrawn the update while it investigates the reports. Before you leap to conclusions about the coding skills of Microsoft's developers, you might want to consider the possibility that this problem is related to undetected malware infections. I've got some exclusive details.

Update 3-Mar 2:00PM PST: Microsoft has re-released the MS10-015 update with new detection logic that blocks it from installing on computers that are infected with the malware that causes these crashes. They have also released a standalone FixIt tool to detect potential compatibility issues.

Update 12-Feb 11AM PST: The Microsoft Security Response Center, in a new blog post published 25 minutes after I published this post, acknowledged that the issues identified here are real: "In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating."

It's also worth noting in that blog post that Microsoft support engineers have actually "driven to customer locations and picked up affected systems" to get the crash dumps they needed.

Based on some posts in newsgroups, several news outlets have reported that a Windows patch was causing the Blue Screen of Death for Windows XP users. As my colleague Mary Jo Foley noted yesterday, Microsoft has temporarily withdrawn update MS10-015 (KB977165) while it investigates the reports.

That is a reasonable response, but before you Windows-haters leap to conclusions about the coding skills of Microsoft's developers, you might want to consider an alternate possibility. Based on some third-party reports I've read, the problem might be related to undetected malware infections.

A blog post by Patrick W. Barnes (which in turn follows up on some information originally posted in comments at the Microsoft-run Windows Update forum and at the SANS Internet Storm Center) contains these details:

One of Microsoft’s “Patch Tuesday” security fixes is triggering a widespread “Blue Screen of Death” problem.  The cause is not the update itself, but an existing infection.  So far, reports suggest that this problem affects Windows XP and Windows Vista.

[…]

I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally.

More details after the jump.

For those who don't know Windows kernel drivers, Atapi.sys provides access to the system hard drive. If it's damaged or if it doesn't match the hardware in your system, the result will be a STOP error, which displays 0x0000007B INACCESSIBLE_BOOT_DEVICE (or a similar error code) on a blue screen.

The MS10-015 update does not replace the Atapi.sys driver, but it does replace a bunch of kernel files that interact with that driver (the full list is in the KB article, under the File Information heading), so it's not unexpected that these changes would cause problems on systems that were already infected.

I found an unrelated report with similar details in a thread at bleepingcomputer.com, where a user reported experiencing this issue and provided diagnostic reports showing infections by several rootkits and Trojan-horse programs (Rootkit.Win32.Agent and Backdoor.Tidserv, also known as TDDS), as well as the Koobface worm. One detail that caught my eye in that thread was the name of that Tidserv nasty, which is known to replace Atapi.sys with an infected version. (See this search for a sample of reports.)
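As a defender's triage check for the scenario just described, here is an added example that is not from the original post and is not Microsoft's detection logic: it hashes the live atapi.sys on a mounted Windows volume and compares it with the copies Windows keeps in dllcache and ServicePackFiles (the locations the comments on this post mention). The path list and the sample volume are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Copies of the driver on a mounted XP volume (offline analysis from a rescue
# CD). Paths are assumptions for this example; adjust to the real install.
DRIVER_COPIES = [
    "WINDOWS/system32/drivers/atapi.sys",       # live driver the kernel loads
    "WINDOWS/system32/dllcache/atapi.sys",      # Windows File Protection cache
    "WINDOWS/ServicePackFiles/i386/atapi.sys",  # service-pack install source
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver_copies(volume_root, copies=DRIVER_COPIES):
    """Hash every atapi.sys copy present under volume_root.

    Returns (verdict, hashes): hashes maps each existing copy to its digest;
    verdict is 'mismatch' when the live driver differs from any protected
    copy, 'consistent' when all copies agree, 'no-reference' when there is
    nothing to compare. Agreement is not proof of a clean system (malware
    can patch every copy), so treat this as triage, not as a verdict.
    """
    hashes = {}
    for rel in copies:
        full = os.path.join(volume_root, rel)
        if os.path.isfile(full):
            hashes[rel] = sha256_of(full)
    live = hashes.get(copies[0])
    refs = [h for rel, h in hashes.items() if rel != copies[0]]
    if live is None or not refs:
        return "no-reference", hashes
    return ("consistent" if all(h == live for h in refs) else "mismatch"), hashes


def build_sample_volume(live_bytes, cache_bytes):
    """Constructed fixture: a throwaway directory laid out like a Windows volume."""
    root = tempfile.mkdtemp()
    for rel, data in ((DRIVER_COPIES[0], live_bytes), (DRIVER_COPIES[1], cache_bytes)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_volume(b"patched driver bytes", b"original driver bytes")
    print(check_driver_copies(root)[0])  # mismatch
```

A mismatch means the live driver should be compared against a known-good copy and the rest of the system scanned, since the infection described here does not stop at one file.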

Going through those reports suggests this isn't a new rootkit or a new problem. A November 2009 report at Computing.net sounds awfully similar:

I just had an XP PC that was in a constant loop on start-up. It wouldn't even let me do a repair install no matter how I set up the boot order. […] Avast found the TDDS rootkit in the MBR and lots of other malware in the USB drive….

And this one, from Norton's community forums in December 2009:

I was fooled into running an executable … I was suspicious so immediately ran a full scan overnight. The scan reported 1 threat and needed to reboot to complete the fix. I let it reboot. The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot. I checked the Norton log. The scan found one virus – Backdoor.Tidserv.l!inf, which it claimed to have resolved. However auto-protect also reported finding the same virus a bit later, again claiming to have resolved it. Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all.

Later in the thread, a forum veteran describes a report from a similar infection, complete with blue screen.

Nothing I have seen suggests this is truly a widespread problem. Given that several hundred million people have downloaded this update, even a tiny fraction of a percent would result in thousands of affected systems.

So should you hold off on installing this update? Given that the issue it fixes requires local login rights to exploit and there are no known attacks in the wild, there's little risk in holding off, at least until Microsoft completes its investigation.

Of course, you could also upgrade to 64-bit Windows 7, which doesn't require this patch at all.

[Hat tip to Rafael Rivera of Within Windows for pointing me to two of these links.]

Talkback

164 comments
  • just fixed one, probably had virus

    had to use the recovery console to run the fix which uninstalls the update and this worked, the endless reboots stopped and we were back in XP. But upon entering XP I discovered some virus-type activity including a mysterious pop-up offering to 'fix the problem' and lots of other error messages. So we decided to retire this very old machine instead of wasting any further time. Will run malwarebytes on it when I get another chance. So far this is the only XP machine I have encountered to have the issue out of many machines.
    eggmanbubbagee
  • Use Combofix to repair this infection

    Combofix will remove the infected atapi.sys file in Windows XP. Takes around 15-20 minutes to run. I have repaired 50-60 XP machines in the last 3 months with this modified atapi file.
    curtis18
    • Link would be nice

      I'm sure I can find it at Bleepingcomputer.com but it sounds like you can suggest an authoritative source.
      Ed Bott
      • Link

        You were right, bleepingcomputer.com is where you can find it. Here is the link with instructions; http://www.bleepingcomputer.com/combofix/how-to-use-combofix
        curtis18
        • Thanks (nt)

          ...
          Ed Bott
    • ComboFix...

      ComboFix is not a tool that should be used lightly. Its developer would be the first one to caution people that ComboFix should only be used with extreme care and only by those who understand the tool and are experienced in malware removal. It is important to know what to do when things go wrong as they sometimes do.
      NonSuch_z
      • You are correct

        Combofix should not be used by everyone. As stated by other posters you can go in to recovery console and replace the atapi.sys file with one from an XP CD. Make sure you do other malware and virus scans afterward though because I have had the atapi.sys file replaced on me right after I switched it. That is why I recommended Combofix because it fixes this problem plus finds the other pieces to the problem. Here is a write up of the infected atapi.sys - Virus:Win32/Alureon.F http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fAlureon.F
        curtis18
        • auto replaced files - done by Drive Cache

          Auto replaced files are done by Drive Cache, not necessarily a virus.
          IF you delete or replace a file in the Windows System [or System32 folder], and there is a similar file in the driver cache - windows will simply auto load that over the top of what was just replaced or deleted.
          In this case you must find that file in the driver cache [or backup folder] and re-name the file extension, and then copy the replacement file to here and the system folder.
          - then restart the machine ...
          digitrog
          • Thanks

            I should have mentioned that I do replace both copies of the file (system32/drivers & system32/dllcache).
            curtis18
    • Wow, can't even get THAT to run on this POS ..

      Trying to clean a desktop system with XP sp2.

      Can't access the internet (passes connectivity tests), or start Norton 360 except in safe mode, can't install previously downloaded IE8, can't access Windows Update, etc.

      Norton 360 will run in safe mode, but doesn't find anything (it can't connect to the update server, either).

      Running newest version of ClamWin from a USB stick, but not finding anything either.

      Anyone know a good cleaner that can run from a USB stick I can try?

      May have to do a complete system recovery, but it is on the HD and afraid it may be bad, too. The virus has also deleted ALL system restore points.

      Thanks! I don't have any hair left to pull out.
      babyboomer57
      • Try Vipre Rescue

        Give the free Vipre Rescue Program a try: http://live.sunbeltsoftware.com/
        Greenknight_z
        • Thanks, but ....

          my ISP called me and said they were going to kill my DSL line if I didn't disconnect the machine, it was bombarding their email servers.

          I just nuked the drive and started over with it. Luckily the recovery partition was not infected.

          I hope she has fun installing all her crap again.
          babyboomer57
    • Much faster method

      Using the widely available NT Password Reset CD, you can drop to a linux prompt, mount the hard drive of the affected system, and copy a new version over from another location (the "locate" command can find a copy for you, I found one in \windows\Servicepackfiles on an XP system.)
      Total process is about 3 minutes (including the time it takes to boot the CD.)
      waltmaine
  • RE: Tracking down those XP crashes: Could the cause be malware?

    If it is an infected Atapi.sys file, perhaps Microsoft should install a clean copy of the file in the MS10-015 update. I understand that an infected file is not something that Microsoft should be required to repair, but replacing the file should eliminate any support calls from irate users associating their BSOD with the update that just took place on their computer.

    It certainly would be better public relations than reacting to the outcry with "It's not our fault this time."
    Norm76
    • See the update at top of post

      Interesting suggestion. Might be more appropriate to add that detection/repair code to the Malicious Software Repair Tool and require that it be run before the update is installed.
      Ed Bott
    • That could be problematic...

      Not sure, but if the ATAPI.SYS file in XP RTM is different from the one in SP1 or SP2 or SP3, there would have to be several versions of the patch - one for each time the file got changed.

      That is, IF, indeed ATAPI.SYS is the real culprit.
      Wolfie2K3
  • I'm pretty sure this is from malware

    I talked with someone online who was having this issue, and I asked him to make sure after he removed that one update, that the libraries were 'signed'... they were not, he scanned with anti-virus software, it found a bad virus and removed it.

    Microsoft needs to make it so that the stuff in the Windows directory can ONLY be added to by known good programs, AND can only be CHANGED by Microsoft programs themselves.
    Lerianis10
    • Yes, agreed

      The change you describe was made for Vista and also for Windows 7. UAC makes it much harder for a program to change system files so you see this mostly on XP.
      Ed Bott
      • Yep....

        I tell everyone to get off XP. Vista offered much more security alone to be worth the jump. None of my users ever run as admin on their systems. We have very little problem at all with Windows XP. Working on the 7 rollout now.
        OhTheHumanity
        • Do you mean...

          Did you mean to write "We have very little problem with Windows Vista"?
          Ed Bott