    Archive for February 18th, 2010

    A recent Windows “patch” appears to be the cause of a series of blue-screen crashes that occur after users install a Microsoft security update. The update in question, MS10-015, has been linked to this malfunction, which leaves user systems with blue-screen-of-death (BSoD) errors.

    According to an entry in the official Microsoft Blog, distribution of the said Windows Update has since been suspended. However, the company also issued a statement that the cause of the BSoD error may be malware related.

    Trend Micro engineers found that TROJ_TDSS.AJD patches atapi.sys, turning the .SYS file into a rootkit detected as TROJ_TDSS.SME. This patched driver is what causes updated systems to crash right after the security update is installed.

    TDSS variants are known for operating stealthily: the rootkit component keeps the malware’s operation hidden from the user. The discovery of new TROJ_TDSS.AJD samples even prompted Microsoft to release two important updates on the issue, “Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit” and “Restart Issues on an Alureon-Infected Machine After MS10-015 Is Applied,” to prevent further BSoD crashes.

    Trend Micro product users should not worry, however, as Smart Protection Network™ protects them from similar occurrences.

    Update as of February 22, 2010, 1:17 a.m. (GMT +8:00):

    Please note that TROJ_TDSS.AJD has recently been renamed to TROJ_TDSS.SMG.

    Update as of February 23, 2010, 3:23 a.m. (GMT +8:00):

    Please note that TROJ_TDSS.SME has recently been renamed to PE_TDSS.MTR, which is now detected by this tool.

    Cybercriminals again exploited one of the most-awaited global sports events—the “2010 Vancouver Winter Olympics”—to propagate at least two of their malicious wares. They piggybacked on the Olympics fever to promote malware-ridden sites.

    In an attempt to affect as many users as possible, cybercriminals poisoned Google search results regarding the upcoming event. As usual, clicking the malicious links to get the latest news led to sites that either hosted a bogus Windows Media Player update (see Figure 1) or FAKEAV.

    [Figure 1: site hosting a bogus Windows Media Player update]

    Trend Micro advanced threats researcher Norman Ingal found that the sites leading to a bogus Windows Media Player update, which urged users to download player_update.exe-1, actually asked them to download a malicious .EXE file detected by Trend Micro as BKDR_INJECT.ANI (see Figure 2).

    [Figure 2: download of the malicious .EXE file detected as BKDR_INJECT.ANI]

    BKDR_INJECT.ANI drops an encrypted system file (config\qkqitqie.sav) onto affected systems, then connects to the site http://{BLOCKED}ock.info/install/setup.php? to possibly download more malware.

    The sites that lead to at least three FAKEAV variants (see Figure 3), on the other hand, download TROJ_FAKEVIME.AB, a FAKEAV component that connects to either of these two sites to download TROJ_FAKEAL.SMDP (aka Security Antivirus):

    • http://{BLOCKED}system.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid=
    • http://{BLOCKED}dsystem.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105189b9a&pid=

    [Figure 3: sites leading to the FAKEAV variants]
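    As an added example that is not part of the original post, the following Python check flags proxy log entries matching the two URL patterns described above (the BKDR_INJECT.ANI download path and the TROJ_FAKEVIME.AB installer request). The log lines are constructed, and the hostnames are placeholders because the post redacts the real domains as {BLOCKED}.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not from the original post):
# "<timestamp> <client IP> <requested URL>" per line. Hostnames are placeholders.
SAMPLE_LOG = """\
2010-02-18T10:01:02Z 10.0.0.12 http://news.example.org/olympics/medal-table
2010-02-18T10:01:15Z 10.0.0.12 http://placeholder-ock.example/install/setup.php?
2010-02-18T10:02:40Z 10.0.0.31 http://placeholder-system.example/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid=
2010-02-18T10:03:05Z 10.0.0.31 http://shop.example.com/index.php?controller=cart&abbr=SAV
"""


def classify_url(url):
    """Return a reason string if the URL matches one of the post's patterns, else None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)  # empty values such as "pid=" are dropped
    # Download path used by BKDR_INJECT.ANI (domain redacted in the post, so we match the path only).
    if path.endswith("/install/setup.php"):
        return "BKDR_INJECT.ANI download path"
    # TROJ_FAKEVIME.AB installer request: both query parameters must match,
    # so an unrelated shop URL that merely carries abbr=SAV is not flagged.
    controller = query.get("controller", [""])[0].lower()
    abbr = query.get("abbr", [""])[0].upper()
    if controller == "microinstaller" and abbr == "SAV":
        return "FAKEAV (Security Antivirus) installer request"
    return None


def scan_log(text):
    """Return a list of (timestamp, client, url, reason) for every flagged line."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # malformed line, skip it
        timestamp, client, url = fields
        reason = classify_url(url)
        if reason is not None:
            hits.append((timestamp, client, url, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```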

    TROJ_FAKEAL.SMDP, like previously featured FAKEAV variants, also uses scareware tactics to convince users of infected systems to download and ultimately purchase a rogue antivirus application (see Figures 4–10).

    [Figures 4–10: TROJ_FAKEAL.SMDP scareware screens]

    Fortunately, Trend Micro™ Smart Protection Network™ protects product users from these kinds of attack by blocking access to known malicious sites and domains via the Web reputation service, and by detecting and consequently deleting identified malware (i.e., BKDR_INJECT.ANI, TROJ_FAKEVIME.AB, and TROJ_FAKEAL.SMDP) from systems via the file reputation service.

    Non-Trend Micro product users can stay protected as well with Web Protection Add-On, a free tool designed to block access attempts to potentially malicious websites in real time.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice