BSoD issues possibly related to Malware on infected systems – The Tech Herald
Microsoft’s Jerry Bryant wrote in an updated MSRC blog post on the issues that, “In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that Malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating.”
Bryant noted that memory dumps from infected systems have been a major help in Microsoft’s investigation, and in some cases engineers have gone to customer locations to pick up affected systems for analysis. [Source]
Shortly after Microsoft updated customers on the status of its investigation, Symantec posted details that TDL3, a variant of the TDSS rootkit, could be behind the problems. TDL3 calls critical API addresses in the Windows kernel so that memory can be allocated to load the rootkit and its malicious code. [Source]
What happened is that MS10-015 updated several kernel APIs and, as a result, TDL3 started calling invalid RVAs (relative virtual addresses), thus triggering the BSoD issues. The most commonly infected system driver, Symantec noted, is atapi.sys, which is the same system driver found to be infected by Patrick W. Barnes, a systems administrator at Cat-man-du, based out of Amarillo, Texas. [Source]
Barnes told security author and analyst Brian Krebs that three different systems came into his shop with the BSoD issue following the recent updates. [Source] After some investigation, Barnes discovered that they were infected with a rootkit. When he tracked the rootkit infection to atapi.sys and submitted it to VirusTotal, the results identified TDSS. [VirusTotal]
It should be noted that warnings related to new variants of TDSS were issued as far back as last November. [Source] In the wake of the news that a rootkit could be the cause of all the patch-related issues, Hitman Pro 3, from security vendor SurfRight, is repeatedly being mentioned as a removal option. [Source]
SurfRight issued a statement last month that TDSS “is such a sophisticated virus that is causing sleepless nights for anti-virus researchers.”
“The TDL3 is one of the most sophisticated viruses I have seen”, said SurfRight CEO Mark Loman. “The rootkit is piggybacking on a standard driver to avoid detection by anti-virus programs.”
According to SurfRight, TDL3 first registers itself as a print processor in the printer subsystem, spoolsv.exe, which runs with administrative rights. Virus scanners that monitor the behavior of processes will not be alarmed, because the printer subsystem is a trusted part of Microsoft Windows.
“TDL3 has now full system access rights as Print Processor and infects the lower level system driver that is responsible for the communication with the hard drive. When virus scanners want to check this driver, they see the original file so they are unable to recognize the infection,” a SurfRight advisory explained.
After that, TDL3 places an encrypted file system on top of the standard file system in the last sectors of the hard drive. The encryption ensures that the files cannot be read directly from disk, thus avoiding detection by anti-virus software. The encrypted file system is then used to store other malware downloaded from the Internet.
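The two behaviours described above, the rogue print processor and the tampered atapi.sys, both leave traces an administrator can look for. The following PowerShell script is an added example and is not code from The Tech Herald, SurfRight, Symantec or Microsoft: it enumerates the print processors registered under the spooler’s Environments key (the default is winprint; anything else, or an unsigned DLL, is flagged) and compares the live atapi.sys against its Authenticode status and the protected copy Windows keeps in dllcache or the DriverStore. The registry path, the prtprocs directory layout and the cache locations are standard Windows locations; the winprint-only baseline and the SHA-256 comparison are assumptions of this example. Because, as SurfRight notes, the rootkit shows readers the original file on a live system, a clean result from a booted, infected machine proves little; run the driver check from offline media such as WinPE or a recovery CD.

```powershell
# Added example (not from the article). Assumes PowerShell 2.0 or later and that
# winprint is the only legitimate print processor on the machine.
$ErrorActionPreference = 'Stop'

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-RegisteredPrintProcessors {
    # Each spooler environment (Windows NT x86, Windows x64, ...) has its own list.
    $envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    $results = @()
    foreach ($env in Get-ChildItem $envRoot) {
        $ppKey = Join-Path $env.PSPath 'Print Processors'
        if (-not (Test-Path $ppKey)) { continue }
        # "Directory" names the prtprocs subfolder for this environment (w32x86, x64, ...)
        $dir = (Get-ItemProperty $env.PSPath).Directory
        foreach ($pp in Get-ChildItem $ppKey) {
            $dll  = (Get-ItemProperty $pp.PSPath).Driver
            $full = Join-Path "$env:SystemRoot\System32\spool\prtprocs\$dir" $dll
            $sig  = if (Test-Path $full) { (Get-AuthenticodeSignature $full).Status } else { 'MissingFile' }
            $results += New-Object PSObject -Property @{
                Environment = $env.PSChildName
                Name        = $pp.PSChildName
                Dll         = $full
                Signature   = $sig
                # Assumption: only winprint is expected; a valid signature is required.
                Suspicious  = ($pp.PSChildName -ne 'winprint') -or ($sig -ne 'Valid')
            }
        }
    }
    return $results
}

function Test-AtapiDriver {
    $live = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
    # Windows XP keeps a protected copy in dllcache; Vista and later keep it in the DriverStore.
    $cache = Join-Path $env:SystemRoot 'System32\dllcache\atapi.sys'
    if (-not (Test-Path $cache)) {
        $store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
        $found = Get-ChildItem $store -Recurse -Filter 'atapi.sys' -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        $cache = if ($found) { $found.FullName } else { $null }
    }
    # Note: Microsoft system files are often catalog-signed rather than embedded-signed, so
    # older PowerShell versions may report NotSigned for a clean file. A hash mismatch against
    # the cached copy is the stronger signal.
    $sig       = (Get-AuthenticodeSignature $live).Status
    $liveHash  = Get-FileSha256 $live
    $cacheHash = if ($cache) { Get-FileSha256 $cache } else { $null }
    New-Object PSObject -Property @{
        Path         = $live
        Signature    = $sig
        Sha256       = $liveHash
        CacheCopy    = $cache
        MatchesCache = if ($cacheHash) { $liveHash -eq $cacheHash } else { 'n/a' }
    }
}

Get-RegisteredPrintProcessors | Format-Table Environment, Name, Signature, Suspicious, Dll -AutoSize
Test-AtapiDriver | Format-List
```

Any print processor other than winprint, or one whose DLL is missing or unsigned, deserves a closer look, as does an atapi.sys whose hash differs from the cached copy. Treat a mismatch as grounds for the removal tools mentioned later in the article rather than as a verdict on its own.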
For now, Microsoft has stopped pushing MS10-015 through Windows Update. However, the halt only affects home users. Enterprise users can still get MS10-015 through normal channels, such as WSUS or SMS. In the meantime, for users who skip the patch, Microsoft has released a Fix It workaround that helps mitigate the problem; if you need it, you can get it here.
If you are impacted by the BSoD issue and need assistance, this forum post offers some tips. You can open a support ticket here as well.
Lastly, there are some tips listed in the comment section here for those without access to a Windows XP CD. Also, with regard to the malware side of all this, McAfee [1] and F-Secure [2] have tools to help, along with the aforementioned Hitman Pro 3.