Monday, February 15, 2010

Recent Bluescreen Issue Not a Microsoft QA Problem

Microsoft's Patch Tuesday for February 9th included a widely discussed security bulletin, MS10-015, which left many people staring at blue screens (BSoD). Users speculated that Microsoft had rushed its quality assurance and released the patch without testing it adequately. What was telling, though, was that the problems showed up mostly on home and small business machines rather than in the enterprise. The problem was not the patch itself; it pointed to systems that had been infected with malware long before this month's Patch Tuesday. That fit: home users and small businesses were far less likely to have the security protection in place to keep this malware off their machines. The systems that blue screened were carrying a rootkit that had modified the same area of the kernel that the MS10-015 update replaced. The update came along, replaced that kernel code, and the rootkit's modifications no longer lined up with it; the two conflicted and the machine bluescreened (BSoD).

It is already good practice to have a backup policy that backs up the data on your systems on some combination of a daily and weekly schedule. Before installing the critical updates Microsoft released on the 9th, make sure those backups are current and make sure the system is not infected by this malware. If you have done that and your system still blue screens after installing MS10-015, the system does have this rootkit, and it is probably better that it no longer boots: it forces you to wipe the hard drive and do a full reinstall, which is the only way to be confident the rootkit is gone.

atapi.sys appears to be the file the rootkit modifies. To check that this file (and other system files) is the original, compute an MD5 checksum of the atapi.sys currently on the system and compare it against the checksum of the same file taken from a Windows XP CD of the same Windows version and service pack level. MD5 (Message-Digest algorithm 5) is a cryptographic hash function that produces a 128-bit digest, normally shown as a 32-character hexadecimal string; the digest is computed over the bytes of the file, so any change to the file's contents produces a different value. If the two checksums do not match exactly, the file has been altered and the system has most likely been infected by this rootkit or by other malware that tampers with atapi.sys. Two caveats: compare only against a copy of the same version, since a service pack can legitimately change atapi.sys and a mismatch against an older CD is not proof of infection; and do the comparison from clean boot media with the suspect drive mounted, because a kernel-mode rootkit running on the live system can intercept disk reads and hand back the original file contents, hiding its own change. Obtain MD5 checksum software here: Don't have time to check yourself? Let us check and make sure that this system file is indeed legit and that you are not infected by malware, to save you the time and trouble of wiping the hard drive and performing a full reinstall of your system and applications.
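The comparison described above, written out as an added example (this is not code from the original post or from Digital Designs). It is meant to be run from clean boot media, for example a Linux live environment with the Windows volume mounted read-only, so that nothing on the installed system can filter what is read. The paths and the reference copy are assumptions: the reference is assumed to have been expanded on a clean machine from the installation media's i386\atapi.sy_ with expand.exe. The demo uses constructed stand-in bytes, not a real driver, and shows the case that a size check alone misses: a driver patched in place keeps exactly the same size.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so large files are not loaded whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`.

    MD5 is what the post describes; SHA-256 is computed alongside it because
    MD5 is no longer collision resistant. Either is adequate for comparing a
    file against a reference copy you control, but record SHA-256 in any
    baseline you keep for later.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_reference(suspect_path, reference_path):
    """Compare a suspect driver with a known-good copy of the same version.

    'same_size' is reported separately from 'match': an in-place patch of a
    driver leaves the size unchanged, so only the digests reveal the change.
    """
    suspect = hash_file(suspect_path)
    reference = hash_file(reference_path)
    return {
        "match": suspect == reference,
        "same_size": os.path.getsize(suspect_path) == os.path.getsize(reference_path),
        "suspect": suspect,
        "reference": reference,
    }


def demo():
    """Run the comparison on constructed sample files (not real driver bytes)."""
    # Constructed stand-in for a driver image: a fake MZ header plus filler.
    reference_bytes = b"MZ" + bytes(range(256)) * 64
    # Same length, four bytes overwritten: what a driver patched in place looks like.
    tampered = bytearray(reference_bytes)
    tampered[0x400:0x404] = b"\xe9\x00\x10\x00"
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "atapi.sys.reference")
        clean = os.path.join(tmp, "atapi.sys.clean")
        bad = os.path.join(tmp, "atapi.sys.tampered")
        for path, data in ((ref, reference_bytes), (clean, reference_bytes), (bad, bytes(tampered))):
            with open(path, "wb") as fh:
                fh.write(data)
        return {
            "clean": compare_to_reference(clean, ref),
            "tampered": compare_to_reference(bad, ref),
        }


if __name__ == "__main__":
    # Real use (assumed paths): Windows volume mounted read-only at /mnt/win from
    # boot media, reference expanded on a clean machine with
    #   expand D:\i386\atapi.sy_ atapi.sys
    # print(compare_to_reference("/mnt/win/WINDOWS/system32/drivers/atapi.sys", "atapi.sys"))
    for name, result in demo().items():
        print(name, "match" if result["match"] else "MISMATCH", result["suspect"]["sha256"])
```

A mismatch against a reference of the same version is the signal the post describes; a mismatch against a reference from a different service pack level tells you nothing, so confirm the version first.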

Anti-malware scanners may flag this atapi.sys file. Some of you may assume it is a false positive because the system will not start after the file is quarantined. But the file is flagged for a reason, and it is also a driver the system needs in order to boot, so quarantining or deleting it will not work: an infected atapi.sys has to be replaced with a clean copy of the same version, not removed. Again, the best thing to do if your system is infected with this rootkit or any other malware that infects atapi.sys is to back up all your data, securely wipe the hard drive, and do a full reinstall of the system.

Digital Designs, LLC offers services that will get your system back to where it was before the bluescreen issue. In fact, if you DID NOT properly back up your data prior to this issue (your precious family photos, important financial documents, etc.), most of the time we are able to perform a data recovery that gets your data back even when the computer can no longer boot into Windows. Going beyond that, for a full solution we offer a service to securely wipe your hard drive to DoD (Department of Defense) standards. This gets rid of any remaining malware code on the drive that a single standard reformat can sometimes leave behind. The service also includes reinstallation of your current operating system, installation of security utilities, and installation of the software you use every day (provided it is freely available on the Internet, such as Firefox, or you have the installation CDs and keys). We then perform an advanced deep scan of your backed-up data to make sure the files we transfer back to your machine are clean. The end result is a working system that is most likely more secure and runs faster than the old one. For more information please call us at 1-616-828-1353 or email us at

Get your computer working for you again!

Taking the SH out of IT.

Digital Designs, LLC
Stephen Geldersma
