13494 Views 19 Replies Latest reply: Dec 12, 2011 2:13 PM by Peacekeeper
bird2010 Newcomer 8 posts since Oct 23, 2011

Oct 23, 2011 2:52 PM

BIOS Virus - HELP!

I am incredibly frustrated with this BIOS virus. Please help!

When I insert a disk that is bootable, the virus writes to the disk -- I believe to the MBR. I finally figured out that this is a virus after I lost three computers!!! I initially thought that I was having hardware issues, so I replaced drives and tried to re-image the drive. Every time I attached a bootable drive, the BIOS "lost" it. In other words, the BIOS would see the drive unless it was bootable. As soon as I attached a bootable drive, it would lock up as Windows was installing. Then, when I rebooted it, the BIOS would not be able to see it. I bought a new power supply and new disks. I moved cables around and I finally figured out that it is a virus.

Now, here is the problem. If I clear the CMOS using the jumper and disconnect all drives except the CD-RW, the BIOS recognizes the CD with no problems and the installation or system repair disks boot up. HOWEVER, if I plug in an infected drive and turn on the computer, the computer locks up because the virus on the drive is trying to write to the BIOS. I locked the BIOS with a password, so the computer locks up now as the virus tries to rewrite my BIOS.

I do not want to throw away six (6) hard drives since a couple of them are terabyte drives. More importantly, I do not want to throw away my USB drive since it has my backup data. I thought I was being smart by keeping a backup on this USB drive. All of these drives have touched the infected systems, so I am scared of spreading this virus and losing more hard drives.

How do I kill a BIOS virus that writes to the MBR of a hard drive? Every time the hard drive is attached to a computer, the virus is spread BEFORE the OS can turn on to run AntiVirus software. If McAfee is on a bootable CD, the CD boots AS LONG AS THE INFECTED HARD DRIVE IS NOT ATTACHED. However, if I plug in one of the infected hard drives, the virus runs as the hard drive is being recognized by the BIOS and the virus disables all drives that are bootable, including the bootable CD with McAfee.

I can clear my CMOS with a jumper, but I cannot find a way to clear the MBR of a hard drive. Help!

  • Hayton Volunteer Moderator 4,599 posts since Sep 27, 2010
    1. Oct 23, 2011 4:30 PM (in response to bird2010)
    Re: BIOS Virus - HELP!

    This is one of those questions that probably needs to be asked in a specialist forum like MajorGeeks or BleepingComputer - or even Microsoft - although which specialist forum you need there I'm not sure; possibly SysInternals, where there are some good tech experts.

    It sounds as if you've been attacked by Trojan.Mebromi (see this report in The Register, from September: "BIOS Rootkit Discovered").

    There are some tools which will (or should) fix the problem with MBR. I assume you've been looking, so if you've already tried these and they don't work ... well, you need an expert to advise you.

    For XP, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

    For Vista, see http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

    For Windows 7 see http://support.microsoft.com/kb/927392

    This could be a tricky one to get rid of, according to the researchers:

    "Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all."

    He went on to say the job of ridding malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on an EEPROM, or electronically erasable programmable read-only-memory chip, modifications have the potential to render a computer largely inoperable with no easy way to fix it.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,599 posts since Sep 27, 2010
    2. Oct 23, 2011 7:18 PM (in response to bird2010)
    Re: BIOS Virus - HELP!

    More on this: the MBR can be cleaned, that's relatively easy.

    If a rootkit has already modified your BIOS then you have a problem, and may need to work with the manufacturer of your motherboard to correct this (as the quote in the post above says). However, if this is the Mebromi Trojan then apparently it is specific to the Award BIOS. If yours is different then it's probably not Mebromi but something like TDL4 (see this article).

    (The name by which Mebromi is known to McAfee is "Boiskit.a!BB5511A6586B" (which makes sense if you assume that it's a typo for "Bioskit"). There's a description and removal guide HERE).

    If this is a rootkit infection I would be inclined to recommend some extra tools to deal with it, such as GMER and FixMBR; the specialist forums have an arsenal of tools they recommend but I'm not familiar with most of them.

    To clean your infected hard drives you will probably have to attach them as slave drives.

    If you make any progress with this, please let us know. You can of course always request assistance from McAfee tech support, but you'll probably have to pay for that.

    Message was edited by: Hayton - add TDL4, make more succinct - on 24/10/11 01:18:05 IST

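    Before trusting an MBR that FixMBR or a scanner has supposedly cleaned, a practitioner would read the raw sector back from the drive (attached as a slave, as suggested above) and compare it with a known-good copy. The check below is an added example, not code from McAfee or from anyone in this thread; the sector bytes and the baseline hash are constructed here, and on a real drive the baseline would be captured from a clean install with the same tool.

```python
"""Defensive MBR integrity check: added example, not McAfee or forum code.
Flags a missing boot signature, boot code that differs from a known-good
SHA-256 baseline (taken from a clean install), and a bad partition table."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code is bytes 0..439; 440..445 hold the
PART_TABLE_OFF = 446          # disk signature, so they are left out of the hash
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def boot_code_hash(sector):
    """SHA-256 of the boot code only (no disk signature, no partition table)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def parse_partitions(sector):
    """Return (status, type, first_lba, sector_count) for non-empty entries."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        first_lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            parts.append((status, ptype, first_lba, count))
    return parts

def check_mbr(sector, known_good_hash):
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != known_good_hash:
        findings.append("boot code differs from known-good baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p[0] == 0x80) > 1:
        findings.append("more than one active partition")
    findings += ["invalid status byte 0x%02x" % p[0] for p in parts if p[0] not in (0x00, 0x80)]
    return findings

# Constructed clean baseline: 8-byte boot stub, zero padding, one active NTFS (0x07) entry.
CLEAN = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PART_TABLE_OFF, b"\x00")
         + bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1000000)
         + bytes(48) + BOOT_SIGNATURE)
BASELINE_HASH = boot_code_hash(CLEAN)
# Constructed tampered copy: first boot-code bytes overwritten, partition table untouched.
TAMPERED = b"\xeb\x3c\x90\x90" + CLEAN[4:]
```

    On a real system the 512 bytes would be read from the raw device (for example the first sector of the slave drive) and `check_mbr` run against a baseline saved before the drive ever touched the infected machine.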
  • Hayton Volunteer Moderator 4,599 posts since Sep 27, 2010
    4. Oct 24, 2011 1:31 PM (in response to bird2010)
    Re: BIOS Virus - HELP!

    Tsk. Shazbot. Try this link (in full): http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=584636

    There are 4 other "Boiskit" entries. I haven't checked them all. Don't expect anything exciting in the Removal section, it just says disable System Restore and run a scan. Hence my advice about other tools you might need.

    When you say "plug in" a drive are you attaching it as a slave drive? I can understand the problem as you describe it, but I haven't seen anything like this before. You are going to need someone who understands the low-level stuff better than I do (I can get by most of the time but I'm not an expert). If you need expert help from someone who knows the BIOS you need to get someone in from American MegaTrends. I don't see a forum on their site but the support page is at http://www.ami.com/support/

    There is a forum (HERE) where some very knowledgeable people gather, and they have been discussing the new BIOS rootkits. I think they would be interested and might be able to help you (certainly more than I can).

    Default Re: Mebromi, a bios-flashing trojan

    Let's assume all other protections fail. Does password-protecting the BIOS defeat this threat?

    Default Re: Mebromi, a bios-flashing trojan

    IDK. I doubt it, you don't need a password to flash your BIOS, just Admin access.

    I have mine password protected though.

    If you go there I suggest you just cut & paste your messages from this thread. They're pretty informative.

    One last thing: you've got Enterprise 8.7i - which means I'm going to have to pass you on to whoever's working on the corporate side of things. I would think McAfee would like to have a look at this even if only to get a sample of the malware for analysis.

    Edit - Not a big move, it turns out. You just get moved sideways to Corporate Malware Assistance. I can still keep an eye on the thread.

    Message was edited by: Hayton on 24/10/11 04:46:36 IST

    Message was edited by: Hayton : correcting Wilders link to point to malware section - on 24/10/11 19:31:37 IST

  • Hayton Volunteer Moderator 4,599 posts since Sep 27, 2010
    5. Oct 23, 2011 10:48 PM (in response to Hayton)
    Re: BIOS Virus - HELP!

    ... and moved into Corporate User Assistance, if anyone would like to take this over?

  • Ex_Brit Volunteer Moderator 59,556 posts since May 6, 2004
    6. Oct 24, 2011 7:18 AM (in response to Hayton)
    Re: BIOS Virus - HELP!

    Just a quick comment, a BIOS problem should be easily fixed by flashing the BIOS as doing that wipes it clean before installing the new version. If there is no new version simply re-flash with the same one. I think this would be best dealt with by one of those specialist forums Hayton mentioned earlier as McAfee's virus removal service isn't cheap.

    As far as bootable media installing an infection is concerned, that should again be easy enough to cure. Discard that bootable media or at least cleanse it of whatever malware it contains.

    As far as hardware failure (drives constantly getting shot) is concerned, that is the purview of a PC help forum, not this one; however, a hard drive, malware infection or not, should last at least a year under extremely heavy use and hopefully much, much longer.

    I've found through trial and error that it is best to buy the best and not try to save a few pennies when it comes to hardware. Not that you've done that, I am just stating my findings.

    Good luck ;-)

    Message was edited by: Ex_Brit on 24/10/11 8:18:10 EDT AM

    Toronto • Canada
    Volunteer Moderator
  • Ex_Brit Volunteer Moderator 59,556 posts since May 6, 2004
    8. Oct 24, 2011 12:42 PM (in response to bird2010)
    Re: BIOS Virus - HELP!

    Clearing the CMOS merely resets the existing BIOS to its default settings. So in fact all along you haven't been clearing it out at all. It does not erase it and reinstall it. To flash the BIOS you need to go to the motherboard maker's website and download the latest for that board. Then follow their instructions on how to flash the BIOS. On my ASUS board there is a utility that does it much like installing an update.

    Regarding the removable and fixed media, simply scanning with the appropriate tools should do the trick but I would rely on guidance from BleepingComputer Forums or similar on that.

    I suspect that this is simply a corrupted BIOS but could be wrong.
