Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Rootkit to blame for Windows fix resulting in blue screen

Users who experienced issues when installing a recent Windows patch likely are infected by the Alureon rootkit, the company announced late Wednesday.

"We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third-party applications and software," Mike Reavey, director of the Microsoft Security Response Center, said in a blog post. "The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state."

Microsoft began investigating the issue after some Windows XP SP2 and SP3 customers complained that after installing one of the patches the company released Feb. 9, the so-called blue screen of death resulted when they attempted to restart. The patch was bulletin MS10-015, which repairs privilege-escalation vulnerabilities in the Windows kernel.
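The failure described here is a kernel update landing on top of kernel binaries that malware has already altered. A practical pre-deployment check is to confirm that core kernel files on each host still match a known-good baseline before the update is staged. The following PowerShell script is an added example and is not code from the article, from SC Media, or from Microsoft; the file list, the hash baseline values, and the function names are assumptions, and the baseline must be captured from a clean reference machine at the same service pack and patch level.

```powershell
# Added example, not from the article or from Microsoft: compare core kernel
# binaries against a known-good SHA-256 baseline before rolling out a kernel update.
# The file list and baseline values are assumptions; capture the baseline from a
# clean reference host at the same service pack and patch level as the targets.

$baseline = @{
    # Placeholder hashes; replace with values captured from the clean reference host.
    "$env:SystemRoot\System32\ntoskrnl.exe" = "<SHA256_FROM_CLEAN_REFERENCE>"
    "$env:SystemRoot\System32\hal.dll"      = "<SHA256_FROM_CLEAN_REFERENCE>"
    "$env:SystemRoot\System32\win32k.sys"   = "<SHA256_FROM_CLEAN_REFERENCE>"
}

function Get-Sha256Hex {
    param([string]$Path)
    # Uses .NET directly so the script also runs on PowerShell 2.0, which lacks Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-KernelBaseline {
    param([hashtable]$Expected)
    # Returns one record per file that is missing or whose hash differs from the baseline.
    $bad = @()
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            $bad += New-Object PSObject -Property @{ Path = $path; Reason = 'missing' }
            continue
        }
        $actual = Get-Sha256Hex -Path $path
        if ($actual -ne $Expected[$path]) {
            $bad += New-Object PSObject -Property @{ Path = $path; Reason = "hash $actual differs from baseline" }
        }
    }
    return $bad
}

$mismatches = @(Test-KernelBaseline -Expected $baseline)
if ($mismatches.Count -eq 0) {
    Write-Output "Kernel binaries match the baseline; this host can be staged for the update."
} else {
    $mismatches | Format-Table -AutoSize
    Write-Warning "Kernel binaries differ from the baseline; hold the update and investigate this host first."
    exit 1
}
```

Two caveats apply to any check of this kind. A rootkit that is already resident in the kernel can intercept file reads and present clean content, so a mismatch is strong evidence but a match on a live system is not proof; hashing the files from a clean boot environment or an offline-mounted disk removes that blind spot. Hashes against a baseline were chosen here rather than Get-AuthenticodeSignature because many system binaries on older Windows releases are signed through catalog files rather than embedded signatures, and older PowerShell versions report those files as NotSigned.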

The software giant concluded that the patch met all quality assurance protocols and "confirmed that all of the affected systems had the Alureon rootkit installed," Reavey said.

Users unable to remove the malware from their machines by using a security solution should consider backing up all essential files, wiping their hard drive clean and reinstalling Windows, he said.

Microsoft did not discover the issue during its testing of the patch because malware such as the Alureon rootkit leaves systems in such an unstable state that they could not be effectively tested, Reavey said.

When installed on a machine, Alureon "may download and execute other files, block access to certain websites, and redirect searches," according to a Microsoft summary.

Microsoft still considers MS10-015 to be a high-priority patch.

"Our guidance remains the same," Reavey said. "Customers should continue to deploy this month's security updates and make sure their systems are up-to-date with the latest anti-virus software."
