Re: Microsoft: a rootkit is responsible for the "blue screen of death"

Author: artiun <artiun_at_spam.wp.pl>
Date: Sun 14 Feb 2010 - 01:02:16 MET
Message-ID: <hl7ec8$c8e$1@node1.news.atman.pl>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2010-02-13 23:47, Animka wrote:
> http://www.pcworld.pl/news/355975/7/Microsoft.za.niebieski.ekran.smierci.odpowiada.rootkit.html

From the page

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

dated 2010.02.11 21:49

This is how M$ tracks down the source of errors:

I had an Eee PC with XP Home brought to me with this same problem. I rolled
back KB977165, rebooted and the system worked fine. I reapplied KB977165 and
the rest of the updates available at Microsoft Update, and the problem
returned. I replaced %System32%\drivers\atapi.sys with a clean version from
a XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys: (EDIT: This file is
infected and is provided for use by security researchers.)
https://patrickwbarnes.com/pub/atapi.sys (Currently Slashdotted)

I will be looking at this more in-depth. If I find anything more, it will
be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209

UPDATE :

I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.

UPDATE 2 :

I have updated my blog post on the subject with repair instructions (Windows
XP only for now, using the Recovery Console):
https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/
(Currently Slashdotted)

UPDATE 3 :
From the reports I have been receiving, the infected atapi.sys is the most
common cause of this blue screen. However, any driver that references the
updated kernel bits incorrectly can also cause this blue screen.

* If you have not yet applied the update
Scan your computer with up-to-date antivirus software. Make sure you use a
product that has rootkit detection. Since the infection I identified is the
TDSS rootkit, using a tool specifically designed to detect that rootkit,
such as the one from http://www.esagelab.com/ is highly recommended. Do not
apply this update until your system is clean.

* If you are already experiencing this blue screen
Remove your hard drive from your computer and install it in another
computer. On that computer, run an antivirus scan against your hard drive
and remove any infections found. If atapi.sys is removed, you will need to
replace it from installation media or from another Windows system of the
same version. Restore your hard drive and attempt to boot again. If it
still does not boot, you may try a repair installation of Windows. If that
still does not work, you may need to reload your computer.

-- 
Artur
Received on Sun Feb 14 01:05:04 2010
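The triage the quoted post describes (hash %System32%\drivers\atapi.sys, compare it against the two SHA1 digests listed above, and replace it from a clean copy of the same Windows version if it is the infected one) is easy to automate once the drive is mounted on a second machine, as UPDATE 3 advises. The script below is an added example written for this archive page, not Patrick Barnes's or Microsoft's code. It uses only the two SHA1 values quoted in the thread; the directory layout (`drivers_dir` for the mounted system's drivers folder, `reference_dir` for an XP SP3 distribution folder) and the sample file contents in `demo()` are constructed for illustration. It generalises the post's one-file check to every `*.sys` in the folder: a file whose hash is neither known-bad nor known-good is compared to the reference copy, and "unknown" is reported rather than "infected" when no reference exists, because legitimate atapi.sys hashes differ between service-pack and hotfix levels.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# SHA1 digests quoted in the forum post above (the only real data in this example).
KNOWN_BAD = {
    "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6": "TDSS-infected atapi.sys (hash from the post)",
}
KNOWN_GOOD = {
    "a719156e8ad67456556a02c34e762944234e7a44": "clean atapi.sys from XP SP3 distribution (hash from the post)",
}


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file so a large driver does not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest, reference_digest=None):
    """Return (status, note) for one driver's SHA1.

    Known-bad wins over everything; known-good next; otherwise fall back to
    a byte-for-byte comparison with the reference copy, if one was supplied.
    A hash that is merely unknown is NOT evidence of infection.
    """
    if digest in KNOWN_BAD:
        return "infected", KNOWN_BAD[digest]
    if digest in KNOWN_GOOD:
        return "clean", KNOWN_GOOD[digest]
    if reference_digest is not None:
        if digest == reference_digest:
            return "clean", "matches reference copy"
        return "suspect", "differs from reference copy and hash is not on the known lists"
    return "unknown", "hash not on the known lists and no reference copy to compare"


def triage_drivers(drivers_dir, reference_dir, repair=False):
    """Hash every *.sys in drivers_dir and compare with reference_dir.

    drivers_dir   : e.g. the mounted victim disk's WINDOWS/system32/drivers (assumed layout)
    reference_dir : e.g. an XP SP3 distribution folder with clean drivers (assumed layout)
    repair=True   : overwrite a KNOWN-INFECTED driver with the reference copy, as the
                    post did; only do this with the disk mounted offline on a clean host.
    Returns {filename: (status, note)}.
    """
    results = {}
    for drv in sorted(Path(drivers_dir).glob("*.sys")):
        ref = Path(reference_dir) / drv.name
        ref_digest = sha1_of_file(ref) if ref.is_file() else None
        status, note = classify(sha1_of_file(drv), ref_digest)
        if repair and status == "infected" and ref.is_file():
            shutil.copyfile(ref, drv)
            status, note = "repaired", "replaced from %s" % ref
        results[drv.name] = (status, note)
    return results


def demo():
    """Run the triage on a constructed directory tree (no real driver bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        reference = Path(tmp) / "reference"
        drivers.mkdir()
        reference.mkdir()
        clean_atapi = b"MZ constructed clean atapi.sys stand-in"
        # Constructed sample data: atapi.sys on the "victim" differs from the reference,
        # disk.sys is identical to its reference, orphan.sys has no reference at all.
        (reference / "atapi.sys").write_bytes(clean_atapi)
        (drivers / "atapi.sys").write_bytes(clean_atapi + b"\x00 tampered tail")
        (reference / "disk.sys").write_bytes(b"MZ constructed disk.sys stand-in")
        (drivers / "disk.sys").write_bytes(b"MZ constructed disk.sys stand-in")
        (drivers / "orphan.sys").write_bytes(b"MZ constructed driver with no reference")
        return triage_drivers(drivers, reference)


if __name__ == "__main__":
    for name, (status, note) in demo().items():
        print("%-12s %-9s %s" % (name, status, note))
```

On a real disk point `drivers_dir` at the mounted victim volume and `reference_dir` at installation media of the same version and service pack; a "suspect" verdict on a driver that Microsoft Update has legitimately patched since the media was built is expected, so confirm with VirusTotal or a TDSS-aware scanner, as the post does, before replacing anything other than a known-bad file.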

This archive was generated by hypermail 2.1.8 : Sun 14 Feb 2010 - 01:42:02 MET