Kaseya Community

KB977165 may cause system to blue screen

  • One of our Services Managers brought this to my attention today. I thought I would share....

    ======================
    Recently we have had several users call us because their system blue screens, black screens or is non-functional (will not boot at all). We determined that the Microsoft patch KB977165 (MS10-015) causes the problem (sort of). The problem only occurs if the system has KB977165 installed AND is infected with a rootkit virus which apparently is not being detected by any of the major antivirus players out there.

    From what I can tell the atapi.sys file in C:\Windows\system32\drivers is replaced with a rootkit/infected file that tricks Windows into thinking it is a valid Microsoft file and is protected by the Operating System and cannot be removed using normal means.

    I worked with one of our Field Engineers onsite for a customer today. Our Engineer had uninstalled the KB977165 patch and the system then would boot, however, running the Hitman application, it showed that the machine was infected with the rootkit (atapi.sys file). We then booted to a CD, deleted the atapi.sys file and rebooted. We ran Hitman again which showed the system was clean, then we reinstalled the patch and the system booted fine.

    I am afraid that there may be other systems that may also be infected with this or other types of rootkits. I am sharing to let everyone be aware to look for rootkits, and also be aware of this (new to me) utility called Hitman (http://www.surfright.nl/en/hitmanpro). Another rootkit scanner can be downloaded from Microsoft here: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    Note: We also worked on a machine this morning that combofix said was infected with an MBR rootkit and combofix recommended replacing the MBR. The machine exhibited the same symptoms, and may have been infected with multiple rootkits?

    References:
    https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/
    http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/
    http://www.winvistatips.com/warning-kb977165-can-may-cause-bsods-some-windows-xp-users-t813004.html
    http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

    The best articles –
    http://prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
    http://forum.sysinternals.com/forum_posts.asp?TID=21266&PID=116141#116141
    and a proof of concept video on You Tube http://www.youtube.com/watch?v=QK4rF2EGa5E

    ======================

    Legacy Forum Name: KB977165 may cause system to blue screen,
    Legacy Posted By Username: lwolf
  • In this thread benny claims that there are a couple of event IDs to watch out for, and that they are telltales to whether or not the machine is infected with the rootkit.

    I've deployed the event sets on a bunch of machines but they've come back nil so I cannot say for sure that it works. SMason has had positive results with this method.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: thirteentwenty
  • thirteentwenty
    In this thread benny claims that there are a couple of event IDs to watch out for, and that they are telltales to whether or not the machine is infected with the rootkit.

    I've deployed the event sets on a bunch of machines but they've come back nil so I cannot say for sure that it works. SMason has had positive results with this method.

    thirteentwenty,

    Thanks for pointing that out. For some reason, I missed the other thread. I will try to deploy that event set tomorrow.

    Lloyd

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: lwolf
  • LOL at first I thought that it was you that started that thread so I thought it was odd that you posted this one. But in a way it's good that you did as you posted the link to the rootkit revealer that I think (read: IMO) would be better at diagnosing this...

    As it stands now, I've got the eventset deployed and am working on a script to run the rootkit revealer based on that alert. To me that should be the surefire way for detection. I did read in brief on how to get rid of it, I have the link bookmarked on my other install so I don't have it handy. If it's a scriptable fix I hope to get a script done for it.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: thirteentwenty
  • thirteentwenty
    As it stands now, I've got the eventset deployed and am working on a script to run the rootkit revealer based on that alert. To me that should be the surefire way for detection. I did read in brief on how to get rid of it, I have the link bookmarked on my other install so I don't have it handy. If it's a scriptable fix I hope to get a script done for it.

    If you get a script working for the rootkit revealer, it would be wonderful to see it, if you wouldn't mind sharing.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: lwolf
  • I'd be happy to share, my biggest issue right now is a time thing... that and I'm in the middle of upgrading to K2 (I hope it's worth it)

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: thirteentwenty