In association with heise online

15 February 2010, 15:03

Symantec says rootkit causes Windows XP blue screen of death


According to an analysis by Symantec, a rootkit is responsible for many of the blue screen problems currently occurring with Windows XP. The company reports that Tidserv infects low-level kernel drivers, such as the IDE driver atapi.sys, in order to conceal itself and embed itself in the system. Once the rootkit is active, it is very hard to detect by simple means (including anti-virus software), so most users never know there is anything wrong with their PC.

Microsoft had confirmed the increase in reports of the blue screen of death, but had initially been unable to determine the cause. Microsoft's Security Response Center blog reported on Friday that the company was playing it safe by suspending distribution of update MS10-015. Despite this, some users were still offered the update over the weekend. Microsoft is now also working on the assumption that malware is responsible for the problem.

The blue screen of death (BSOD) appears to occur because the rootkit uses hard-coded relative virtual addresses (RVAs), which are no longer valid under Windows XP once update MS10-015 from the recent patch day has been installed. As a result the infected kernel module calls invalid addresses, which causes a page fault and a reboot – over and over again. Symantec does not, however, limit the problem to Windows XP. It says that there may well be other kernel drivers which use hard-coded addresses, but that the most common cause at present is Tidserv.

Since atapi.sys is a critical driver, Windows cannot even be started in safe mode. Rather than uninstalling the Microsoft patch, Symantec recommends replacing the infected driver with a non-infected copy from a source such as a backup. It adds that although Symantec would detect infection of the driver on a system scan (with a boot CD), automatic disinfection on functioning systems can fail.

In addition to atapi.sys, Tidserv can also infect drivers including iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys. Even after repairing their systems, affected users are advised to consider completely reinstalling Windows.
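The repair Symantec recommends, checking the driver files from a boot CD and replacing a patched one with a clean copy, can be scripted. The following is an added example (not Symantec's or Microsoft's tooling) that hashes the drivers named above on a Windows volume mounted offline and compares them with a baseline of known-clean digests; the directory layout, the baseline values and the sample files are constructed for the demonstration.

```python
"""Offline integrity check of the drivers Tidserv is known to patch.

Assumptions (added example, not the page's or a vendor's code):
- the Windows volume is mounted read-only from a rescue environment;
- `baseline` holds SHA-256 digests of clean copies of each driver, taken from
  a backup or an identical, known-clean installation of the same version.
"""
import hashlib
import os
import tempfile

# Drivers the article names as Tidserv targets, relative to the drivers directory.
TIDSERV_TARGETS = ["atapi.sys", "iastor.sys", "idechndr.sys",
                   "ndis.sys", "nvata.sys", "vmscsi.sys"]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_drivers(drivers_dir, baseline):
    """Return {driver: status}, status in 'ok', 'MODIFIED', 'missing', 'no-baseline'."""
    results = {}
    for name in TIDSERV_TARGETS:
        path = os.path.join(drivers_dir, name)
        if not os.path.exists(path):
            results[name] = "missing"        # optional driver not installed here
        elif name not in baseline:
            results[name] = "no-baseline"    # cannot judge without a clean digest
        elif sha256_file(path) == baseline[name]:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"       # candidate for replacement from backup
    return results

def demo():
    """Constructed sample: a clean ndis.sys and an atapi.sys with patched bytes."""
    with tempfile.TemporaryDirectory() as d:
        clean_atapi = b"MZ" + b"\x00" * 600 + b"clean atapi"
        clean_ndis = b"MZ" + b"\x00" * 600 + b"clean ndis"
        baseline = {"atapi.sys": hashlib.sha256(clean_atapi).hexdigest(),
                    "ndis.sys": hashlib.sha256(clean_ndis).hexdigest()}
        # Simulate an infection: the on-disk driver no longer matches the baseline.
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(clean_atapi[:300] + b"\xff" * 16 + clean_atapi[316:])
        with open(os.path.join(d, "ndis.sys"), "wb") as f:
            f.write(clean_ndis)
        return check_drivers(d, baseline)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:14} {status}")
```

The baseline must come from the same Windows version and service pack, since a legitimate update also changes a driver's digest; a mismatch is a reason to restore the file from a clean source, not proof of infection on its own.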
