Windows XP and BSoD: a rootkit is strongly suspected
February 15th, 2010 - 04:27 pm ET by J. G.
The real cause of some of the blue screens of death seen on Windows XP after this month's update may not be the patch itself, but malware already present on the machine.
After hearing from Windows XP users who hit a BSoD (Blue Screen of Death) after installing an update from February's Patch Tuesday, Microsoft pulled the patch from Windows Update (see our article). Following an internal investigation, Microsoft now suspects that the underlying cause is malware.
Security software maker Symantec has been more specific and names the presumed culprit: the Tidserv rootkit. By nature this malware is hard to detect and may have been present on the affected computers for some time without the user being aware of it.
According to Symantec, Tidserv mainly infects low-level kernel-mode drivers such as atapi.sys. In Symantec's account, update KB977165 (security bulletin MS10-015) fixed a kernel vulnerability by replacing the kernel and related modules. After the update, "the virtual addresses of the kernel APIs changed; the infected drivers were still calling the old, now invalid addresses, which produced the blue screen at every Windows start-up". In other words, as the quote implies, the rootkit's code relied on fixed kernel addresses instead of resolving them at load time, so any change to the kernel image was enough to break it.
atapi.sys, which is critical to Windows start-up, may not be the only file Tidserv infects. Symantec also lists iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys. Not every machine has all of them: several are hardware-specific (Intel RAID, nVidia IDE, VMware), so their absence is not by itself a sign of anything. If disinfection with security software fails, Symantec suggests replacing the infected files by hand with known-clean copies from the Windows CD, using the Recovery Console, and then running a full scan with an up-to-date antivirus. Two practical points: take the replacement from media that matches the installed service pack where possible, and, since a rootkit of this kind can conceal its own changes from the running system, compare the files from outside Windows (the Recovery Console or a boot disc) rather than from inside the infected installation.
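The comparison step above can be scripted. The following is an added example, not code from the article, Symantec or Microsoft: it takes a copy of the suspect system's drivers directory made from outside Windows (a boot disc or a second OS, so a live rootkit cannot filter what is read) and a directory of known-clean copies, and reports for each driver Symantec named whether it matches, differs (with the offset of the first differing byte, like `fc /b`), is absent, or has no clean reference to compare against. The driver files, directory names and the patched byte run in the demo are all constructed stand-ins, not real binaries.

```python
"""Offline integrity check for the drivers Symantec named as Tidserv targets.

Added example, not from the original article. Assumes:
  - SUSPECT dir: a copy of the suspect machine's system32\\drivers, taken from
    outside the running (possibly rootkitted) Windows installation;
  - REFERENCE dir: known-clean copies of the same drivers (from the Windows CD
    or the matching service pack).
"""
import hashlib
import tempfile
from pathlib import Path

# Drivers listed by Symantec (from the article). Several are hardware-specific,
# so "absent" is a normal result on many machines.
TARGET_DRIVERS = ("atapi.sys", "iastor.sys", "idechndr.sys",
                  "ndis.sys", "nvata.sys", "vmscsi.sys")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def first_difference(path_a, path_b):
    """Offset of the first differing byte (like `fc /b`), or None if identical.
    A length difference counts as a difference at the shorter file's end."""
    a = Path(path_a).read_bytes()
    b = Path(path_b).read_bytes()
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def check_drivers(suspect_dir, reference_dir, names=TARGET_DRIVERS):
    """Compare each named driver in suspect_dir against reference_dir.

    Returns {name: status} where status is one of:
      "clean"            hashes match the clean copy
      "MODIFIED @0x..."  contents differ; offset of the first difference given
      "absent"           not on the suspect system (normal for hardware-specific drivers)
      "no reference"     present on the suspect system but no clean copy to compare
    """
    suspect_dir, reference_dir = Path(suspect_dir), Path(reference_dir)
    report = {}
    for name in names:
        s, r = suspect_dir / name, reference_dir / name
        if not s.is_file():
            report[name] = "absent"
        elif not r.is_file():
            report[name] = "no reference"
        elif sha256_file(s) == sha256_file(r):
            report[name] = "clean"
        else:
            report[name] = "MODIFIED @0x%x" % first_difference(s, r)
    return report


def build_demo_dirs():
    """Constructed sample data (not real driver files): a reference tree and a
    suspect tree where atapi.sys has a patched byte run at offset 0x200,
    ndis.sys is untouched, idechndr.sys is absent and iastor.sys has no reference."""
    root = Path(tempfile.mkdtemp(prefix="tidserv_check_"))
    ref, sus = root / "reference", root / "suspect"
    ref.mkdir()
    sus.mkdir()
    fake_atapi = b"MZ" + bytes(range(256)) * 16        # 4098 bytes of stand-in content
    fake_ndis = b"MZ" + b"\x90" * 2000
    (ref / "atapi.sys").write_bytes(fake_atapi)
    (ref / "ndis.sys").write_bytes(fake_ndis)
    (ref / "idechndr.sys").write_bytes(b"MZ" + b"\x00" * 100)
    patched = bytearray(fake_atapi)
    patched[0x200:0x210] = b"\xe9" * 16                # simulated injected jump stub
    (sus / "atapi.sys").write_bytes(bytes(patched))
    (sus / "ndis.sys").write_bytes(fake_ndis)
    (sus / "iastor.sys").write_bytes(b"MZ" + b"\x00" * 50)
    return str(sus), str(ref)


def demo():
    """Run the check over the constructed sample trees and return the report."""
    suspect, reference = build_demo_dirs()
    return check_drivers(suspect, reference)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

On a real case, point `check_drivers` at the copied drivers directory and at the clean copies; anything reported as MODIFIED is a candidate for replacement from the Recovery Console, and the offset tells you where to look if you want to inspect the patch itself. A "clean" result only means the on-disk file matches the reference; it says nothing about a rootkit that lives elsewhere, so the antivirus scan the article recommends still applies.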