One user reported that the rootkit was able to hide the infected file
(in his case atapi.sys) from his McAfee antivirus, but when he removed
the hard drive and scanned it from another computer as a secondary
drive, McAfee found the rootkit as soon as he accessed the file
(atapi.sys). In his case he got the bluescreen but then uninstalled
the MS10-015 patch by booting from a recovery CD. The computer appeared
to be OK, but still had the rootkit installed.


Check it out near the end of these blog comments:
http://isc.sans.org/diary.html?storyid=8209

From: Marc Maiffret [mailto:marc.maiff...@fireeye.com] 
Sent: Friday, February 12, 2010 6:17 PM
To: NT System Admin Issues
Subject: BSOD MS10-015

I know it was mentioned here before but it has now been confirmed
through multiple sources that the blue screen issues that are happening
as it relates to MS10-015 are because of rootkits being installed on
machines. So for those of you who posted, or who have seen it in your
environment, that your system is blue screening after this patch there
is a high degree of certainty that your computers are in fact
compromised and backdoored with a rootkit. I would not simply just wipe
and reimage a machine but investigate a bit to know what may or may not
have been stolen from your organization etc...

I am still looking for a few live systems to play with so if you had a
system with this issue or are having a system with this issue I'd be
happy to take a look for you.

-Marc
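The observation at the top of the thread (the rootkit hides the infected atapi.sys from the live scanner, yet a scan of the same disk mounted in a second machine catches it) is a cross-view check: what the running OS reports is compared with what the raw disk holds. The Python below is an added example, not code from this thread; it builds two constructed directory trees (file names and contents are made up, not real driver bytes) standing in for the live view and the offline view, and reports files that differ, are missing from the live view, or appear only live.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for a clean and a patched driver image (not real atapi.sys bytes).
CLEAN_ATAPI = b"clean-atapi-driver-image"
INFECTED_ATAPI = b"clean-atapi-driver-image" + b"<rootkit-patched-code>"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def cross_view_diff(live: dict, offline: dict) -> dict:
    """Compare the view the running OS gives (live) with the raw disk (offline)."""
    return {
        "hidden": sorted(set(offline) - set(live)),   # on disk, invisible live
        "modified": sorted(k for k in live.keys() & offline.keys()
                           if live[k] != offline[k]),  # live read differs from disk
        "phantom": sorted(set(live) - set(offline)),  # shown live, absent on disk
    }


def demo() -> dict:
    """Constructed drivers directories: live view serves a clean atapi.sys,
    the offline (secondary-drive) view shows the patched bytes actually on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live" / "drivers"
        offline = Path(tmp) / "offline" / "drivers"
        for d in (live, offline):
            d.mkdir(parents=True)
            (d / "disk.sys").write_bytes(b"unchanged-driver")
        (live / "atapi.sys").write_bytes(CLEAN_ATAPI)
        (offline / "atapi.sys").write_bytes(INFECTED_ATAPI)
        return cross_view_diff(inventory(live), inventory(offline))


if __name__ == "__main__":
    print(demo())  # expect atapi.sys under "modified"
```

Against a real system the live inventory is taken on the running host and the offline one from the drive mounted elsewhere; any entry in the result is a candidate for the kind of follow-up investigation Marc recommends rather than an immediate reimage.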