February 11, 2010

Microsoft Update KB977165 triggering widespread BSOD

One of Microsoft's "Patch Tuesday" security fixes is triggering a widespread "Blue Screen of Death" problem.  The cause is not the update itself, but an existing infection.  So far, reports suggest that this problem affects Windows XP and Windows Vista. Once the update is applied and the system rebooted, Windows will bluescreen at boot.  When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

I have found that the root cause is an infection of %System32%\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally. This is not the first time that an infection hitting atapi.sys has caused updates to trigger bluescreens.  If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update.  If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer.

References:

http://isc.sans.org/diary.html?storyid=8209

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

Detailed Repair Instructions

Using the Windows XP Recovery Console

1. Boot from your Windows installation CD. Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like "Press any key to boot from CD..." - press a key.

2. Start the Recovery Console. After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing "R". Press "R" to launch the Recovery Console.

* You may be asked to choose a Windows installation. If so, choose the damaged installation (probably "1").

* You may be prompted for the Administrator password. If you do not have one, press "Enter".

3. Identify your CD drive letter. You should now be at the command prompt. Enter the following command:

map

Look for the drive letter for your CD drive. It may look something like this:

D:\Device\CdRom0

In this case, your CD drive is "D:".

4. Replace ATAPI.SYS. Enter the following, replacing "D:" with your CD drive:

cd system32\drivers

ren atapi.sys atapi.old

expand D:\i386\atapi.sy_

You should see the message "1 file(s) expanded." - this indicates you have succeeded.

5. Reboot and scan for malware. Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software.

UPDATE:

An atapi.sys infection may not be the only cause of this blue screen. While it does seem to be the most common cause, other infected drivers or drivers that make incorrect references to the updated kernel bits may also cause blue screens after this update is applied. Make sure you scan any computer with up-to-date antivirus software that can detect rootkits and check for updated drivers for your computer before applying this update.
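Step 5 and the update above both come down to the same check: does each Microsoft driver on disk still match a known-good copy? The script below is an added example, not code from the original post. It compares every *.sys in a system32\drivers directory against a reference directory and reports which files differ, so it covers atapi.sys as well as the "other infected drivers" case. It assumes the volume is mounted read-only from live media (a kernel-mode infection can hide its changes from file reads on the running system) and uses the Windows File Protection cache at system32\dllcache as the reference; that cache can itself be tampered with, so a copy expanded from the installation CD or a hash taken from a known-clean machine is the stronger reference when you have one. The demo volume, the driver bytes and the paths under /mnt/xp are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(drivers_dir, reference_dir, only=None):
    """Compare every *.sys in drivers_dir with the same-named file in reference_dir.

    Returns {name: "match" | "MISMATCH" | "no-reference"}.  A MISMATCH on a
    Microsoft driver such as atapi.sys is the condition described in the post;
    "no-reference" is normal for third-party drivers that have no cached copy.
    `only` optionally restricts the check to a set of lower-cased file names.
    """
    drivers_dir = Path(drivers_dir)
    reference_dir = Path(reference_dir)
    # NTFS names are case-insensitive but a Linux mount preserves case,
    # so index the reference directory by lower-cased name.
    references = {p.name.lower(): p for p in reference_dir.iterdir() if p.is_file()}
    results = {}
    for drv in sorted(drivers_dir.glob("*.sys")):
        key = drv.name.lower()
        if only and key not in only:
            continue
        ref = references.get(key)
        if ref is None:
            results[key] = "no-reference"
        elif sha256_of(drv) == sha256_of(ref):
            results[key] = "match"
        else:
            results[key] = "MISMATCH"
    return results


def build_demo_volume(root):
    """Constructed sample data standing in for a mounted XP system volume."""
    root = Path(root)
    drivers = root / "WINDOWS" / "system32" / "drivers"
    cache = root / "WINDOWS" / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    cache.mkdir(parents=True)
    clean_atapi = b"MZ" + b"\x00" * 64 + b"constructed clean atapi driver body"
    clean_disk = b"MZ" + b"\x00" * 64 + b"constructed clean disk driver body"
    # The cached copies play the role of the known-good versions.
    (cache / "atapi.sys").write_bytes(clean_atapi)
    (cache / "disk.sys").write_bytes(clean_disk)
    # On disk: atapi.sys has been altered, disk.sys is intact,
    # vendor.sys is a third-party driver with no cached copy.
    (drivers / "atapi.sys").write_bytes(clean_atapi + b"\x90" * 16)
    (drivers / "disk.sys").write_bytes(clean_disk)
    (drivers / "vendor.sys").write_bytes(b"MZ" + b"constructed third-party driver")
    return drivers, cache


def run_demo():
    """Run the comparison over the constructed volume and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers, cache = build_demo_volume(tmp)
        return compare_drivers(drivers, cache)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} {verdict}")
    # On a real volume mounted at /mnt/xp (hypothetical mount point):
    # compare_drivers("/mnt/xp/WINDOWS/system32/drivers",
    #                 "/mnt/xp/WINDOWS/system32/dllcache")
```

A MISMATCH is a reason to replace the driver from the installation CD and scan the machine, not proof of infection by itself: a hotfix or service pack can legitimately leave the on-disk driver newer than the cached copy, so confirm a mismatch against the CD copy or a known-clean hash before and after applying the update.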

UPDATE 2:

I have placed these instructions on my wiki. Any further changes will be posted there.

