Microsoft resumes XP patch distribution; says rootkit remover coming soon

Summary: In mid-February, Microsoft halted automatic distribution of one of its Windows patches, blaming the interaction of the patch with already-present malware on users' systems for a rash of blue-screen-of-death reports among XP users. On March 2, Microsoft began redistributing that patch, MS10-015.

In mid-February, Microsoft halted automatic distribution of one of its Windows patches, blaming the interaction of the patch with already-present malware on users' systems for a rash of blue-screen-of-death reports among XP users.

On March 2, Microsoft began redistributing that patch and reiterated plans to release, in a few weeks, a rootkit detector aimed at removing the Alureon rootkit from users' systems.

From a note I received from a Microsoft spokesperson:

"Today Microsoft resumed the distribution of MS10-015 to Windows customers through Automatic Update. The bulletin includes added detection logic for consumer and enterprise customers that searches for indications of the Alureon rootkit. If abnormal conditions such as modified operating system files generated by a computer virus associated with the Alureon rootkit are detected, the infected computer is rendered incompatible with MS10-015.

"If detection logic included in Automatic Update discovers abnormal conditions in certain operating system file configurations, the update will fail and customers will be presented with an error message that offers alternative support options. If this occurs, Microsoft customer support will work with impacted customers to resolve each issue.

"IT professionals can run a scanning tool to determine if a computer may be incompatible with MS10-015. If compatible, Microsoft Knowledge Base Article 980966 outlines additional information about deploying this update in a commercial environment."

Microsoft is working on an automated solution to detect and remove the Alureon rootkit from affected systems, according to the aforementioned spokesperson, with availability of that detector -- for both consumers and enterprise customers -- expected "in a few weeks."

Topics: Security, Microsoft, Windows

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Talkback

16 comments
  • is this a hoax

    Microsoft is working on an automated solution
    for blame to create game.

    you should give specific details
    about the root kit for competent
    reporting instead of taking sides.
    not of this world
    • You should be more open-minded rather than prejudiced.

      "you should give specific details
      about the root kit for competent
      reporting instead of taking sides."

      You should have clicked onto the links provided in the article.

      Obviously you didn't.
      WinTard
    • Quit being so darn lazy

      The article mentioned the root-kit by name. Google is your friend. You can find all manner of info on the bloody thing.
      Wolfie2K3
      • What lazy?

        Rootkits in general are not only tough to remove, but virulent, often corrupting any new source you use to replace the damaged (hacked) .dll files.
        The old Sony rootkit remains unremovable, with reinstallation the only cure.
        mykmlr@...
        • What is a rootkit?

          In order for a piece of software on an uncontrolled system like Windows to be "unremovable", wouldn't it have to be tied directly somehow into the boot sequence, or some key mandatory early DLLs? Otherwise, there could be a removal procedure which would involve booting into "safe mode" or command line mode and manually replacing infected DLLs and files.

          Of course, as I write this I realize how impractical that would be for 90% of Windows users... if it isn't something they can click on on the desktop, it won't work, and any rootkit that gets activated as soon as you get to the desktop would be hard to destroy.
          bbneo
        • Russinovich disagrees

          on Sony's rootkit being unremovable without reinstall, since he posted exactly how he removed it in the very blog post that first revealed it to the world.

          He also later beat them into finally submitting to making available a proper removal tool.
          rtk
  • Hopefully

    The rootkit remover will upgrade the user to Windows 7 as well. I dunno about everyone else, but I grow tired of supporting XP and its many problems with users. :/
    The one and only, Cylon Centurion
    • I agree get them off windows xp

      We just got notice Microsoft is dropping Win XP SP2 from automatic updates in June 2010. I just replaced a dead Shuttle with another one, and customer wanted me to PCMover it to new system. Said no, you have no COA and no Windows XP disk. When I went to activate it on new computer it said NO!!!! Sold her Windows 7 Pro x64. She had no idea it was illegal...
      Pyrotech_z
      • There is Nothing Wrong With XP...

        that shutting up the XP bashers won't cure.

        Thousands of companies have millions invested in XP in house programs that are incompatible with Vista/win7, just ask Intel how much it will cost them.

        Kaiser Permanente Medical has thousands of computers running medical software that is not compatible. Who is going to pay for new medical records software?

        Running servers in VM is not good programming and business practice.
        sykandtyed
        • Running servers in VM

          is a massive growth market, if you believe otherwise you're not living with us in the real world.
          rtk
          • Running servers in VM

            Yes it is a massive growth market but I would not use it for mission critical apps.
            Steve__Jobs
          • Mission Critical?

            If you are running a server on a cold-steel installation of your server OS then you haven't investigated VM properly. I was sceptical until I saw "live migration" and how VM could keep my servers running 24x7x365/6 by virtually factoring out hardware failure.
            I wouldn't run a "mission critical" server on a cold-steel installation of any OS these days - it doesn't make sense...
            bedswerver
          • Business continuity and disaster recovery for mission critical apps

            is exactly where VMware is making its greatest increases.

            I'm sorry, but your opinion of VMs does not reflect the attitudes of the market at large.
            rtk
        • The worst PM/EMR circa 2004

          Runs even better on 7 than it did on xp. Perhaps Kaiser, and most companies, should do a little testing to see if their system is compatible or not. What you are describing here has nothing to do with IT, but instead precisely describes corporate inertia!!!

          cheers!!
          g-ssg-22738810691057158710505623722271
    • Time to rest

      XP has been around too long. Time to rest and, again, be with all those that XP has missed for so long.

      2000
      ME
      9x
      Dos
      g-ssg-22738810691057158710505623722271
      • Kill XP, DOS etc. not so fast!

        I don't have one application that's compatible with vista / w7
        oh wait I do have one it's Firefox;

        everything else I have, will absolutely refuse to run on any vista / w7 install (from basic to ultimate, I can't use my apps)

        just like with 2K / XP
        I can't use that 1992 DOS game that came 2 on 5¼" 360KB floppies or 1 3½" 720KB floppy
        but is still a lot of fun when I fire up the 386
        or use that 16-bit SB-pro ISA card that has stable non DRM restricted real mode drivers

        so I won't be considering any new OS anytime in the near future
        maybe in 2014 when the machines will run it as fast as a Dual Socket, Dual Quad core Xeon
        Dell Precision T7400 workstation runs XP-64

        or that PentiumPro 166MHz runs win3.10
        the machines are always 4 - 5 or more years behind what the OS needs to be instant everything

        there are things I can do with the older systems that are now impossible or will soon be impossible with the newer,
        ie.
        try burning a good quality Disc-At-Once duplication audio or data master @ 4x on a new machine

        I've got P3's and P4's for that because the newer machines and SW won't do it
        the slowest my newest machine will go is 8 - 12x depending on the SW, the disc, and the burner.

        though ME does deserve a quick & quiet burial as does vista
        DOS is not dead and will never be dead
        any way you slice it there are just some things you can't do on the system without popping out into a CMD window
        try to find ping on a menu, I don't see it, I've never found it, if you search for help on ping the first thing it tells you to do is "open a CMD window"
        or try and remove the "active" status of a data disk or partition that isn't the OS booting partition without destroying the partition
        DiskPart will do it for you in a few simple commands.
        I could go on, and on, about what you can only do in the CMD window because there are no GUI based equivalents.

        ya I know this has nothing to do with the rootkit and the MS patch
        but I've been in computers since the 80's and never had an infection of any sort that I went out and got myself by stupid surfing or blindly clicking on crap,
        but I have been given infected machines to fix or keep, in fact almost every machine I've been given has had some sort of infection or almost infection, the last machine I took in had all the makings of a serious infection but the file that was supposed to deliver the "package" was corrupted in the DL and never executed.
        Who Am I Really