Is a rootkit behind the XP BSoDs?

Is a rootkit infection behind the recent spate of Windows XP BSoDs? According to an investigation carried out by security journalist Brian Krebs, it could play a part:

Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their XP systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.

Barnes said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver (which lives in %System32\drivers\). When he sent the atapi.sys files that were on the customer machines up for a scan at Virustotal.com, the results suggested malware had injected itself into the system file.

Here's the Virustotal report of the affected file.

It might be a good idea for anyone seeing this problem to give their system a quick scan with F-Secure's Blacklight rootkit detector after removing the Windows Update patches and getting the system up and running.