Windows Updates of Late - KB977165 and More

MageMaster

I am posting this thread because of the problems reported in this
Newsgroup about KB977165 and possibly others, released appx 2/10/2010.
Most were reported by professionals about "clients" getting the BSoD.

Note the thread...
http://groups.google.com/group/micr...hl=en&lnk=gst&q=help+network#6b76aef1e5eb087c

...about NOT being able to "Disable Network Connection," which
occurred after the 2/10/2010 updates.

A quote from one post on KB977165:

"I had a problem with the downloads, also. I checked the ISC.SANS.ORG
website and found the suggestion to remove the atapi.sys and replace
it with the one in the SP3 download. I did that and things are back to
normal, including the KB977165 file and the rest of the updates. Hope
it helps you."

One has to wonder, as another post stated, "what's going on at
Microsoft." Especially after reading the above quote.

Just how well DOES Microsoft test updates? As evidenced by what has
happened, NOT well.

All software engineers/departments need to take into account that
WORLD-WIDE legacy hardware is the rule.

Not everyone in the world has updated hardware. I would bet the
majority do not. Therefore any software like Microsoft updates NEEDS to
be tested against legacy hardware.

For example, the "Disable Network Connection" problem I suspect is due
to the VIA Rhine II Network Adapter (on-board) on my home system. That
is, did Microsoft test updates on systems using old VIA Chipsets?
Especially considering that VIA is prevalent in Europe.
 
glee

You apparently haven't done enough research. The BSoDs associated with
KB977165 were due to the computers involved being infected with a TDSS
rootkit variant... it isn't the fault of the patch but of the rootkit.
I had one system to fix due to the BSoD and although we were sure it was
clean, it indeed did have the infected atapi.sys as described.

Tidserv and MS10-015 | Symantec Connect
http://www.symantec.com/connect/blogs/tidserv-and-ms10-015
 
Percival P. Cassidy

glee said:
... The BSoDs associated with
KB977165 were due to the computers involved being infected with a TDSS
rootkit variant... it isn't the fault of the patch but of the rootkit. I
had one system to fix due to the BSoD and although we were sure it was
clean, it indeed did have the infected atapi.sys as described.

But am I right in thinking that KB977165 has been withdrawn anyway? I
did not install it on my XP Home system because I wanted to check for
the presence of rootkits first.

Now that I am ready to install it (after creating a Restore Point), it
is no longer showing in Windows Update anyway. Nor is it listed in my
update history -- which I checked to make sure that it hadn't been
installed automatically.

Perce
 
Jose

Percival said:
But am I right in thinking that KB977165 has been withdrawn anyway? I
did not install it on my XP Home system because I wanted to check for
the presence of rootkits first.

Now that I am ready to install it (after creating a Restore Point), it
is no longer showing in Windows Update anyway. Nor is it listed in my
update history -- which I checked to make sure that it hadn't been
installed automatically.

Perce

One theory is that the file atapi.sys was afflicted. Usually in
c:\windows\system32\drivers...

If you think this or any other file is suspicious and nothing has been
detected by your usual scanning methods, have it checked out:

Online virus scanning engines:

http://www.virustotal.com/ (40+ scanners)
http://virusscan.jotti.org/en (20+ scanners)

I have yet to actually see this problem, but would welcome the
diversion.

If you encounter the problem the symptom is being unable to boot so
having a Restore Point will not help you much, but it is a good idea.
You need to be able to boot into Recovery Console to uninstall the
update (at least that is the popular solution for now).

If you would like to create a bootable RC CD just in case or to add to
your XP troubleshooting toolbox, here are some instructions:

You can create a bootable XP Recovery Console CD when no XP media is
available:

http://www.bleepingcomputer.com/forums/topic276527.html
 
Daave

Percival said:
But am I right in thinking that KB977165 has been withdrawn anyway?

It's still available. It's just not being pushed by Automatic Updates at
this time.
 
glee

As someone else mentioned, it is still available as a download but is
temporarily not being pushed by Windows Update (presumably to give
people time to detect and remove rootkits).

There's a good updated blog entry on the issue here:

The Microsoft Security Response Center (MSRC) : Update - Restart Issues
After Installing MS10-015 and the Alureon Rootkit
http://blogs.technet.com/msrc/archi...talling-ms10-015-and-the-alureon-rootkit.aspx


Another poster stated in a reply in this thread that you could submit
the suspect file to online analysis for detection. Unfortunately this
may not be successful, as the rootkit in question has the ability to
present the user with the uninfected version of the file, if an attempt
is made to copy it. You *may or may not* be able to upload the infected
version directly from the infected machine for the same reason.
Checking the sha1sum or md5 hash of the file also does not always
work... the rootkit again has the ability to present the uninfected
version to the user, while hiding the infected version actually in use.

The common target file for this infection is the atapi.sys, but other
files have been targeted on some systems.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A
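Jose's suggestion above (hash or upload the suspect atapi.sys) and glee's caveat (the rootkit serves the clean copy to anything reading the file on the live system) fit together if the check is done against the volume while it is offline: the disk pulled and mounted on a clean machine, or the box booted from clean media such as the Recovery Console CD Jose linked. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It computes MD5/SHA-1/SHA-256 of a driver file under an offline-mounted Windows volume and compares it with known-good hashes taken from a clean copy (for atapi.sys, the file from the XP SP3 package that the quoted post mentions). The driver bytes, the "known-good" hashes and the volume layouts in `demo()` are all constructed stand-ins; real known-good digests must come from a copy you trust.

```python
"""Offline integrity check for a Windows driver file (constructed example)."""
import hashlib
import os
import tempfile

# Relative path of the file this thread discusses, under the root of an
# offline-mounted Windows volume (e.g. D:\ when booted from clean media).
DRIVER_RELPATH = os.path.join("WINDOWS", "system32", "drivers", "atapi.sys")


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for one file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_driver(volume_root, known_good, relpath=DRIVER_RELPATH):
    """Compare a driver on an offline-mounted volume against known-good hashes.

    known_good is {algorithm: hex digest} computed from a clean copy of the
    file. Every listed algorithm must match. Returns "clean", "modified" or
    "missing". Run this only against a volume the suspect OS is NOT running
    from; on the live system the rootkit hides the real on-disk contents.
    """
    path = os.path.join(volume_root, relpath)
    if not os.path.isfile(path):
        return "missing"
    actual = hash_file(path, algorithms=tuple(known_good))
    ok = all(actual[alg] == digest.lower() for alg, digest in known_good.items())
    return "clean" if ok else "modified"


def write_fake_volume(root, driver_bytes):
    """Lay out WINDOWS\\system32\\drivers\\atapi.sys under root (test helper)."""
    path = os.path.join(root, DRIVER_RELPATH)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(driver_bytes)
    return path


def demo():
    """Build three fake offline volumes and check each one.

    The driver contents are constructed filler, not real atapi.sys bytes. The
    'infected' copy has the same size as the clean one so that a size or
    timestamp comparison alone would not reveal the change.
    """
    clean_bytes = b"MZ" + b"\x00" * 62 + b"fake clean atapi.sys body " * 64
    tail = b"PATCHED-BY-CONSTRUCTED-SAMPLE!!!"  # 32 bytes, constructed
    infected_bytes = clean_bytes[: -len(tail)] + tail

    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean_volume")
        infected_root = os.path.join(tmp, "infected_volume")
        empty_root = os.path.join(tmp, "empty_volume")
        os.makedirs(empty_root)

        clean_path = write_fake_volume(clean_root, clean_bytes)
        infected_path = write_fake_volume(infected_root, infected_bytes)

        # Known-good digests would normally be recorded from a trusted copy;
        # here they are taken from the constructed clean file.
        known_good = hash_file(clean_path, algorithms=("sha1", "sha256"))

        return {
            "clean_volume": check_driver(clean_root, known_good),
            "infected_volume": check_driver(infected_root, known_good),
            "empty_volume": check_driver(empty_root, known_good),
            "same_size": os.path.getsize(clean_path) == os.path.getsize(infected_path),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The SHA-256 from `hash_file` is also what you would look up or submit at the scanners Jose listed; doing the upload from the clean environment sidesteps the problem glee describes, where the infected machine hands the scanner (or the copy command) the clean file instead of the one actually loaded.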
 
