Microsoft: Malware behind XP update BSoDs/reboots

Microsoft has confirmed that malware is responsible for XP-based systems suffering BSoDs and rolling reboots after the application of a patch released during February's Patch Tuesday bundle.

We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015.  We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues.  Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit.  We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software.  The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state.  In every investigated incident, we have not found quality issues with security update MS10-015.  Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.

An excellent explanation of how Microsoft failed to catch this issue:

This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state.   These types of infections often leave the machine in such an unstable state that it cannot be reliably tested.   This is because Malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded.  The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine.  Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed.  On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.

Or, as Dwight Silverman succinctly put it over on TechBlog, "Sorry, we don't support malware."

Having problems? Microsoft is there to help:

Customers who believe they are experiencing this reboot issue after installing MS10-015, or require support removing it or repairing their systems, are encouraged to contact their Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Removal instructions for this nasty can be found here and here. However, removing rootkits is a tricky business, and my advice would be to completely wipe the system and carry out a complete reinstall of the OS, applications and data.