19 Replies. Latest reply: Dec 12, 2011 2:13 PM by Peacekeeper

    BIOS Virus - HELP!

    bird2010

      I am incredibly frustrated with this BIOS virus.  Please help!

      When I insert a disk that is bootable, the virus writes to the disk -- I believe to the MBR.  I finally figured out that this is a virus after I lost three computers!!!  I initially thought that I was having hardware issues, so I replaced drives and tried to re-image the drive.  Every time I attached a bootable drive, the BIOS "lost" it.  In other words, the BIOS would see the drive unless it was bootable.  As soon as I attached a bootable drive, it would lock up as Windows was installing.  Then, when I rebooted it, the BIOS would not be able to see it.  I bought a new power supply and new disks.  I moved cables around, and I finally figured out that it is a virus.

      Now, here is the problem.  If I clear the CMOS using the jumper and disconnect all drives except the CD-RW, the BIOS recognizes the CD with no problems and the installation or system repair disks boot up.  HOWEVER, if I plug in an infected drive and turn on the computer, the computer locks up because the virus on the drive is trying to write to the BIOS.  I locked the BIOS with a password, so the computer locks up now as the virus tries to rewrite my BIOS.

      I do not want to throw away six (6) hard drives, since a couple of them are terabyte drives.  More importantly, I do not want to throw away my USB drive, since it has my backup data.  I thought I was being smart by keeping a backup on this USB drive.  All of these drives have touched the infected systems, so I am scared of spreading this virus and losing more hard drives.

      How do I kill a BIOS virus that writes to the MBR of a hard drive?  Every time the hard drive is attached to a computer, the virus is spread BEFORE the OS can turn on to run AntiVirus software.  If McAfee is on a bootable CD, the CD boots AS LONG AS THE INFECTED HARD DRIVE IS NOT ATTACHED.  However, if I plug in one of the infected hard drives, the virus runs as the hard drive is being recognized by the BIOS, and the virus disables all drives that are bootable, including the bootable CD with McAfee.

      I can clear my CMOS with a jumper, but I cannot find a way to clear the MBR of a hard drive.  Help!

        • 1. Re: BIOS Virus - HELP!
          Hayton

          This is one of those questions that probably needs to be asked in a specialist forum like MajorGeeks or BleepingComputer - or even Microsoft - although which specialist forum you need there I'm not sure; possibly SysInternals, where there are some good tech experts.

          It sounds as if you've been attacked by Trojan.Mebromi (see this report in The Register, from September: "BIOS Rootkit Discovered").

          There are some tools which will (or should) fix the problem with the MBR. I assume you've been looking, so if you've already tried these and they don't work ... well, you need an expert to advise you.

          For XP, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

          For Vista, see http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

          For Windows 7, see http://support.microsoft.com/kb/927392

          This could be a tricky one to get rid of, according to the researchers:

          "Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all."

          He went on to say the job of ridding malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on an EEPROM, or electronically erasable programmable read-only-memory chip, modifications have the potential to render a computer largely inoperable with no easy way to fix it.

          • 2. Re: BIOS Virus - HELP!
            Hayton

            More on this: the MBR can be cleaned, that's relatively easy.

            If a rootkit has already modified your BIOS then you have a problem, and may need to work with the manufacturer of your motherboard to correct this (as the quote in the post above says). However, if this is the Mebromi Trojan then apparently it is specific to the Award BIOS. If yours is different then it's probably not Mebromi but something like TDL4 (see this article).

            (The name by which Mebromi is known to McAfee is "Boiskit.a!BB5511A6586B" (which makes sense if you assume that it's a typo for "Bioskit"). There's a description and removal guide HERE.)

            If this is a rootkit infection I would be inclined to recommend some extra tools to deal with it, such as GMER and FixMBR; the specialist forums have an arsenal of tools they recommend, but I'm not familiar with most of them.

            To clean your infected hard drives you will probably have to attach them as slave drives.

            If you make any progress with this, please let us know. You can of course always request assistance from McAfee tech support, but you'll probably have to pay for that.

            Message was edited by: Hayton - add TDL4, make more succinct - on 24/10/11 01:18:05 IST
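Before rewriting an MBR with fixmbr, it helps to see what the first sector of a suspect drive actually contains and whether its boot code still matches a known-good copy. The script below is an added example for this thread, not code from the thread, from McAfee or from any of the tools named above: it parses a 512-byte MBR image (for instance one dumped to a file from a live CD with the drive attached as a secondary, non-boot disk), checks the 0x55AA boot signature, lists the partition entries, and compares the SHA-256 of the 440-byte boot-code area against a baseline hash taken from a freshly written MBR. The sample images produced by build_sample_mbr are constructed for the demonstration, and the file name and baseline hash on the command line are assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code
DISK_SIG_OFFSET = 440         # bytes 440..443: Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "active": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into boot code hash, disk signature, partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    entries = [
        parse_partition_entry(
            mbr[PART_TABLE_OFFSET + i * PART_ENTRY_LEN:
                PART_TABLE_OFFSET + (i + 1) * PART_ENTRY_LEN]
        )
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack(
            "<I", mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4]
        )[0],
        "signature_ok": mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        # type 0x00 marks an unused slot in the partition table
        "partitions": [p for p in entries if p["type"] != 0],
    }


def audit_mbr(mbr: bytes, known_good_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256.lower():
        findings.append("boot code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions marked active (expected at most 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: the given boot code plus one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # constructed signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    # Assumed usage: mbr_audit.py <mbr-image-file> <known-good-boot-code-sha256>
    if len(sys.argv) != 3:
        sys.exit("usage: mbr_audit.py <mbr-image-file> <known-good-boot-code-sha256>")
    with open(sys.argv[1], "rb") as fh:
        image = fh.read(MBR_SIZE)
    report = parse_mbr(image)
    print(f"disk signature: 0x{report['disk_signature']:08x}")
    for p in report["partitions"]:
        print(f"  type 0x{p['type']:02x} lba {p['lba_start']} "
              f"sectors {p['sectors']} active={p['active']}")
    for finding in audit_mbr(image, sys.argv[2]):
        print("FINDING:", finding)
```

The baseline hash is the one piece the script cannot invent: record it from a drive whose MBR was just written by a trusted installer or by fixmbr, and treat any later change in that 440-byte area as something to explain before the drive goes back into a machine that boots from it.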
            • 3. Re: BIOS Virus - HELP!
              bird2010

              Thank you for your quick answer.  Two problems:

              First, this link is broken:

              (The name by which Mebromi is known to McAfee is "Boiskit.a!BB5511A6586B" (which makes sense if you assume that it's a typo for "Bioskit"). There's a description and removal guide HERE).

              I would like to try the instructions in the removal guide.  What is the correct link?  Thanks.

              The second issue is that I do not believe that I have the TDL4 virus.  I have something similar.  However, the virus that I have takes the computer down completely.  If my computer is completely down and does not boot, the infection does not provide value to the cybercrooks like the article mentions for the TDL4 virus.  My computers are completely dead -- they do not boot.

              Here is what happens.

              * I unplug all hard drives and USB drives.  However, I leave the CD-RW plugged in.

              * I physically move the pin on the jumper to clear the CMOS.  This clears the BIOS completely and restores it to factory settings.

              * I turn on the computer and go directly into the BIOS.  I enable "BIOS Flash Protection" and I add a password to the BIOS ("BIOS Password Check").  I save the BIOS, which reboots the computer.  My BIOS is American Megatrends v02.61.

              * I can put stand-alone anti-virus disks, Windows XP, Windows 7, or any other disk into the CD-RW drive.  I even tried the McAfee solution called "Secured2k BootCD".  When the computer boots, it runs perfectly.  HOWEVER, there are no hard drives or USB drives for the disks to scan or fix.

              * So, I shut off the computer.  Remember, the BIOS Flash Protection and password are active.  Then, I plug in the infected hard drive (PATA or SATA - I infected six hard drives as I attempted to fix the problem, since I originally thought this was a hardware problem).

              * I turn on the computer with an infected drive attached.  The computer freezes on the POST screen for about one full minute.  Then the computer continues to run.  I get an error "Insert Boot Media".  Remember, I just ran boot media from the CD-RW drive.  The only thing that I changed was adding a hard drive (or plugging in an infected USB drive).  I reboot the computer and hit F11 for the Boot Menu.  NOTHING shows up!  The CD-RW and hard drive are literally GONE!  I reboot and go into the BIOS and NOTHING is attached according to the BIOS.  Remember, I had BIOS Flash Protection and BIOS Password enabled.

              I took these exact steps with different hard drives and with USB drives that I used as boot media.  This is one insane virus.  I have three dead computers.  I might be able to save the computers by flashing their BIOS and putting in new hard drives.  I'm going to buy a cheap drive tomorrow and see if I can save the computers.  However, I have six dead hard drives.  Two dead USB drives.  One dead USB hard drive with ALL of my critical backup files.  If I cannot find out how to kill this damn virus, I will drop over five hundred dollars into the trash.  In addition, I will lose ALL of my data, since my backup drive is also infected.

              Now, the worst part.  I teach programming.  I probably got this virus from one of my students.  I accept their work on USB drives and I rely on McAfee Enterprise 8.7i to protect my system.  If this virus can knock me down like this, then it is a severe issue that is going to destroy the average user.  Any drive -- USB, portable hard drive, etc. -- that touches an infected system will pass the virus to other systems.  If the drive is NOT a boot drive, the virus jumps on and infects every drive that it touches.  If the drive is a bootable drive, it hits the BIOS and makes all the bootable drives on that computer disappear in the BIOS.

              Please help.

              • 4. Re: BIOS Virus - HELP!
                Hayton

                Tsk. Shazbot. Try this link (in full): http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=584636

                There are 4 other "Boiskit" entries. I haven't checked them all. Don't expect anything exciting in the Removal section; it just says disable System Restore and run a scan. Hence my advice about other tools you might need.

                When you say "plug in" a drive, are you attaching it as a slave drive? I can understand the problem as you describe it, but I haven't seen anything like this before. You are going to need someone who understands the low-level stuff better than I do (I can get by most of the time, but I'm not an expert). If you need expert help from someone who knows the BIOS, you need to get someone in from American MegaTrends. I don't see a forum on their site, but the support page is at http://www.ami.com/support/

                There is a forum (HERE) where some very knowledgeable people gather, and they have been discussing the new BIOS rootkits. I think they would be interested and might be able to help you (certainly more than I can). Two posts from that thread:

                Re: Mebromi, a bios-flashing trojan

                "Let's assume all other protections fail. Does password-protecting the BIOS defeat this threat?"

                Re: Mebromi, a bios-flashing trojan

                "IDK. I doubt it, you don't need a password to flash your BIOS just Admin access.

                I have mine password protected though."

                If you go there, I suggest you just cut & paste your messages from this thread. They're pretty informative.

                One last thing: you've got Enterprise 8.7i - which means I'm going to have to pass you on to whoever's working on the corporate side of things. I would think McAfee would like to have a look at this, even if only to get a sample of the malware for analysis.

                Edit - Not a big move, it turns out. You just get moved sideways to Corporate Malware Assistance. I can still keep an eye on the thread.

                Message was edited by: Hayton on 24/10/11 04:46:36 IST

                Message was edited by: Hayton : correcting Wilders link to point to malware section - on 24/10/11 19:31:37 IST
                • 5. Re: BIOS Virus - HELP!
                  Hayton

                  ... and moved into Corporate User Assistance, if anyone would like to take this over?

                  • 6. Re: BIOS Virus - HELP!
                    Ex_Brit

                    Just a quick comment, a BIOS problem should be easily fixed by flashing the BIOS as doing that wipes it clean before installing the new version.  If there is no new version simply re-flash with the same one.  I think this would be best dealt with by one of those specialist forums Hayton mentioned earlier as McAfee virus removal service isn't cheap.

                    As far as bootable media installing an infection then that should again be easy enough to cure.  Discard that bootable media or at least cleanse it of whatever malware it contains.

                    As far as hardware failure (drives constantly getting shot) is concerned that is the purview of a PC help forum, not this one, however, a hard drive, malware infection or not, should last at least a year under extremely heavy use and hopefully much, much longer.

                    I've found through trial and error that it is best to buy the best and not try to save a few pennies when it comes to hardware.  Not that you've done that, I am just stating my findings.

                    Good luck ;-)

                    Message was edited by: Ex_Brit on 24/10/11 8:18:10 EDT AM
                    • 7. Re: BIOS Virus - HELP!
                      bird2010

                      Ex_Brit wrote:

                      Just a quick comment, a BIOS problem should be easily fixed by flashing the BIOS as doing that wipes it clean before installing the new version.  If there is no new version simply re-flash with the same one.  I think this would be best dealt with by one of those specialist forums Hayton mentioned earlier as McAfee virus removal service isn't cheap.

                      I can flash the BIOS -- no problem.  I just physically move the "CLEAR CMOS" jumper on the motherboard, count to 10, then put the jumper back.  If the infected hard drives are NOT attached, the system boots normally and the CD-RW works perfectly.  At this point, I can install a brand new hard drive and install Windows 7.  The computer works.  The problem is that I infected six hard drives, including a couple of terabyte hard drives, a couple of USB drives, and, most importantly, my USB hard drive with all of my backup data.  I will be throwing away several hundred dollars in storage media.  Most important, though, is the backup data.  I thought I was being so smart by backing up all of my important data on a separate drive.  I cannot recreate some of this data.

                      As far as bootable media installing an infection then that should again be easy enough to cure.  Discard that bootable media or at least cleanse it of whatever malware it contains.

                      Two problems.  First, I will be throwing away hundreds of dollars of bootable media.  Okay, life goes on.  The most important problem, though, is that I will lose my backup data.  Some of this data cannot be recreated, and that is why I have it backed up on a separate drive -- actually two separate drives.  I have the original data on the main drive.  Then, I have the backup data on an internal storage drive (terabyte).  Then, I back up the critical data to my USB hard drive (500 GB).  ALL OF THESE DRIVES ARE INFECTED!!!  DAMN!!!!!

                      I've found through trial and error that it is best to buy the best and not try to save a few pennies when it comes to hardware.  Not that you've done that, I am just stating my findings.

                      I fully agree with you.  I do not buy cheap stuff.  I only buy Seagate and Western Digital drives.  Those are the only two hard drive brands that I trust.  I only buy MSI and ASUS motherboards.  I am moving exclusively to MSI motherboards because ASUS seems to be going down in quality.  My last ASUS motherboard had some problems.  All of my MSI motherboards work great.  I use NewEgg a lot.  I usually buy from NewEgg or Frys Electronics.  I only buy products after I have visited NewEgg and read the reviews.  My time is too valuable to waste on trying to get "cheap" stuff to work.  I want it to work on the first installation.  So, you can imagine my frustration with this virus and the amount of time that I am wasting trying to beat it.  I would have thrown everything away by now if I didn't have the critical data to recover.

                      Good luck ;-)

                      Thanks.  I need it.

                      • 8. Re: BIOS Virus - HELP!
                        Ex_Brit

                        Clearing the CMOS merely resets the existing BIOS to its default settings.  So in fact all along you haven't been clearing it out at all.  It does not erase it and reinstall it.  To flash the BIOS you need to go to the motherboard maker's website and download the latest for that board.  Then follow their instructions on how to flash the BIOS.  On my ASUS board there is a utility that does it much like installing an update.

                        Regarding the removable and fixed media, simply scanning with the appropriate tools should do the trick, but I would rely on guidance from BleepingComputer Forums or similar on that.

                        I suspect that this is simply a corrupted BIOS but could be wrong.

                        • 9. Re: BIOS Virus - HELP!
                          bird2010

                          Clearing the CMOS works on this virus because the system works perfectly every time I move the jumper to clear the CMOS and then move the jumper back.

                          At the same time, I have also updated the BIOS using a bootable disk and the latest BIOS file from the MSI website.  I moved the jumper to clear the CMOS.  I used a bootable CD to update the BIOS with the latest one that I downloaded from MSI.  Still, nothing changed.  When I attach the infected hard drive, the POST screen freezes for about a minute and then the CD-RW and the infected hard drive do not appear in the boot menu and I get the error "Insert Boot Media".

                          Here is my problem.  I accept projects from students on USB drives.  I thought I was protected by McAfee Enterprise 8.7i since I keep my DAT files updated.  I have to accept the files on USB drives because the projects are so large.  One project with assets can be 230 MB.  I can tell the students to upload the projects directly to our course management system (eCollege).  However, it takes a lot of time for them to upload the projects and a lot of time for me to download 22 huge projects every other week in order to grade them in addition to all of the other work that we do in the course.  I do not see any other alternatives that make sense.  I lose time downloading the projects or I lose time fighting a virus.  DAMN.

                          on 10/24/11 1:13:28 PM CDT