9 replies to this topic

[Jan Erik]

Microsoft removed KB977165 soon after it was issued February 9, 2010, because of a bad problem.
Many users faced BSOD after that ... see various reports in the Internet.
For example http://www.neowin.ne...to-recent-patch
and latest reports from Microsoft itself.

This "update" should be removed from Autopatcher XP SP3!

[Jan Erik]

Well, I suppose that an update to the good Autopatcher can also remove a file that should no more be there...
Isn't that so?

For the meantime - until MS finally manages to solve this problem... - there is a temporary Fix-It solution:
http://support.microsoft.com/kb/979682

[click-click]

I don't think it should be removed. If you do a little research, you will see that that this problem is most likely caused by malware on infected systems. I.e. TDL Rootkit. The fix can still be downloaded from Ms here. Besides, you still have a choice of not installing the fix.

Edited by click-click, 14 February 2010 - 09:31 AM.

[_def_x_]

I know 3 or 4 people hit by this update, it wasn't malware or a bad atapi.sys file. If you can hold off, don't install this update, the
fix isn't always simple - a flag in AutoPatcher might help "Caution!". I don't use AutoPatcher much anymore, I mostly keep updated for
the people I have turned on to it so what you decide is not an issue for me.

[Cristiano]

if KB977165 is so dangerous, why ms still allows this update to be downloaded from here. last month or so, ms did a mistake with KB976126 v1 that wasn't even suspect of any bsod. what they did? they have removed that file from their severs. KB977165 is suspect of bsod in specific scenarios only, but is, despite even ms be unsure about it. so, why KB977165 can still be downloaded, if KB976126 v1 was removed from ms servers less than 2 days after arrival?

[]s

[Cristiano]

i was reading an news today and i've faced this. ok, this is in brazilian portuguese and i'm sure that a lot of users will not understand a word about it, but the general idea starts with the title: rootkit is the reason for BSOD, says Symantec. according to them, Tidserv is the one that infiltrates in the kernel drivers, like atapi.sys. once attached to the file, the rootkit starts spreading with an behavior similar to an worm. security software, like antivirus, can fail in the detection of the threat, hiding the real nature of the problem.

symantec says that the problem happens due an change done in the virtual addresses. the update changes the data that the rootkit is running, making the infected module of the kernel call for invalid addresses

of course, the problem has increased after KB977165, but the reason is an rootkit, not the update.

yours still think that this one should be removed after this?

i'm sure that someone will find an english source for that info

[]s

[_def_x_]

Cristiano said:

yours still think that this one should be removed after this?

No, I think the consensus has been - add the update to the script.

[humble3d]

Translation from babelfish:
http://babelfish.yah...TrUrl=Translate

Rootkit is cause of blue screen, says Symantec

Security
Rootkit is cause of blue screen, says Symantec
7 Comentário(s)
James Della Valle, de INFO Online Wednesday, 17 of February of 2010 - 10h39

São Paulo - the Symantec informed that one rootkit is the responsible one for the excess of blue screens of error that are appearing in versions of Windows XP.

The company pointed the [Tidserv]
(http://www.google.co...h&aq=f&aqi=&oq=)

as responsible for if infiltrating in drivers of kernel, as atapi.sys.
Leia também:

o MS will make blitz against Windows 7 ´não oficial´ (11/02/2010)

A on time to the archive, it starts if to spread for the system with a behavior similar to the one of a worm. Softwares of security, as antivirus, can fail in the detention of the threat, hiding the real nature of the problem.

Microsoft admitted that the problems with the famous “blue screen of the death” had after increased the launching of update MS010-15. To prevent more problems, the Security Response Center of the company informs that it goes to congeal the distribution of update until the problem is decided.

The Symantec affirms that the problem occurs because of an alteration made in the virtual addresses. The dumb update the data used for rootkit, what it makes the infectado module of kernel to call invalid addresses.

The security company points that the best form to decide the problem is to use one backup of drivers infectados. In some cases, the users must even though consider the reinstallation of Windows XP. The Symantec says that its antiviruses can identify the threatened archives.

Personal note from humble3d: The new atapi.sys file was 95kb and tested positive for rootkit;
My old atapi.sys was 94kb and tested clean; so, in an abundance of caution, I replaced the new atapi.sys
with the old one...
so far so good...


MORE:
FROM:

http://www.symantec.com/connect/blogs/tidserv-and-ms10-015

2. Locate the infected partition, which is normally the boot partition

3. Replace atapi.sys in \%Windir%\system32\drivers with the clean backup copy

4. Reboot

Here's a list with the most common driver names infected by the rootkit, which can be used

in the above process:

atapi.sys

iastor.sys

idechndr.sys

ndis.sys

nvata.sys

vmscsi.sys

We are aware that the blue screens may be caused by other good or bad kernel mode
applications that were relying on hard coded addresses, but Tidserv is one of the most prevalent threats that may cause this problem. Symantec detects these infected drivers on disk as Backdoor.Tidserv!inf, but recommends that the files are replaced manually, since attempting to remove the file automatically may render the system unbootable.

Edited by humble3d, 18 February 2010 - 03:41 AM.

[click-click]

humble3d, on 18 February 2010 - 03:31 AM, said:

[b]
Translation from babelfish:
http://babelfish.yah...TrUrl=Translate

Please don't double post .. once is enough

Thanks

[humble3d]

click-click, on 18 February 2010 - 04:32 PM, said:

Please don't double post .. once is enough

Thanks

I am sorry if it was a double post...I'm not well...
Anyway, I lost the data from a text file, but, long story
short, the msft update is ok; it's the computer owners
infected system that's the fault;
Kaspersky has a small, free download to test for the trojan but,
I've misplaced the info in the lost text file...
I will still try to find it for you...



Update: I think i found it:
Hackers fix XP BSoD rootkit

An update released by Microsoft this month (MS10-015)

http://blogs.zdnet.com/hardware/?p=7262

broke XP machines that were infected with the TDL3 rootkit (also known as TDSS and Tidserv and many other

names - more info here

http://blogs.zdnet.com/hardware/?p=7330

And,

http://forum.sysinternals.com/forum_posts.asp?TID=21266

Well, a rootkit that causes crashes is bad for business, so the hackers had an update out in the matter of hours.

http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

On last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17

years old bug. After some users updated their Windows operating systems, they got a scaring and really annoying

blue screen of death.

Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed a

number of the users affected by this BSOD was infected by TDL3/TDSS rootkit.

More exactly, TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem

resides in the lazyness of rootkit writers when writing the driver infection routine.

Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the

rootkit compatible with the Microsoft patch.

It’s one big cat and mouse game between the good guys and the bad guys.

One vender, who spoke on conditions of anonymity, admitted his truth:
All software is impregnated with rootkits from the factory bench, he said.
This is how we track users' experiences, needs, wants and habits.
This so called spying on customers is necessary and proper for maintaining
market share in a very competitive market.
Unavoidably determined by prior circumstances, The customer is the big
winner at the end of the day.
It's a win, win situation for all of us.

KAV has a free rootkit killer here which believes it can stop the TDL3::

http://support.kaspersky.com/viruses/solutions?qid=208280684

Last update:

I Ran the kav tool and the rootkit was not found.

I then installed WindowsXP-KB977165-x86-ENU.exe and,

everything is fine...

Edited by humble3d, 21 February 2010 - 08:40 AM.