Re: BIOS Virus - HELP!


Then perhaps try attaching that hard drive as a slave to another machine to get it scanned.

Actually if it was my machine I'd take it to the nearest PC repair shop as this all would be beyond me I'm afraid.

Former Member
Message 12 of 20

Re: BIOS Virus - HELP!


If I attach it to another computer as a slave, the "another computer" will get infected.  I have three computers down to prove it.  I believe that I transferred the virus around to the computers using my portable USB hard drive.

I may end up taking the portable USB hard drive to a repair shop and seeing if they can recover my data.  I just hate to give up and throw away hundreds of dollars in hard drives and then also pay for a repair bill that may or may not work.

Hayton
Reliable Contributor
Message 13 of 20

Re: BIOS Virus - HELP!


I've put in a note about this problem for the call tonight. Maybe one of the McAfee technical people on the call will have some ideas. If not, the links I gave above to American MegaTrends and to Wilders Security Forum are probably your best bet. Some of the contributors to that forum are dedicated low-level code experts, and they're currently interested in BIOS rootkits; one of them was asking about how to get hold of a sample. Give them a try, or else try BleepingComputer or TomsHardware.

Edit - I've changed the Wilders link so that it points correctly to the malware section.

Message was edited by: Hayton on 24/10/11 19:32:48 IST
Former Member
Message 14 of 20

Re: BIOS Virus - HELP!


Hi Hayton

I have a really bad version of this malware and I've been pulling my hair out for months.  I'm going to reflash the bios in everything and trash all of my data.  I printed off my documents and that's all that I am worried about.

There is another twist to this thing.  Apparently, any laptop made after 2005 with Phoenix bios has the code for anti-theft software sitting in the bios and it's supposed to remain dormant unless activated by a subscription.  Here's a link to a paper presented at Black Hat 2009.  hxxp://www.coresecurity.com/content/Deactivate-the-Rootkit.  This "security software" is similar to LoJack for laptops and it is easily exploited to allow the malware to cross the firewall and have unfettered access to the hard drive.

I think that I have something like this going on in my notebook.  I put in the Windows disk, then the antivirus, both from factory disks.  The AV immediately updated as soon as I plugged in the cable.  I checked the firewall/HIPS logs and whatever this creepy thing is, it was already trying to establish a connection every tenth of a second.  Lol, I nearly smashed the laptop once.  All I did was put in the Windows disk and all of a sudden, the notebook had a connection to the internet!  It was downloading Windows updates and I didn't even have a network card driver installed.  The bluetooth in the notebook was hooking the bluetooth in my iPhone, without pairing, and grabbing the 3G connection.

I could go on for a couple hours about everything that I have seen this horrible malware do.  I've never seen anything like this in my life!

Now, I would like to get a sample of this to someone who may be interested.  What exactly do I need to do?  I do have a switch with port-mirroring capabilities.  I could capture a sample of the traffic with Wireshark.  Apparently, it knows about Snort and if it detects it, it will shut itself down.

Let me know what I have to do.  I'd like to help out in any way that I can. This thing is a nightmare.

Re: BIOS Virus - HELP!


While awaiting peter to reply I have pinged a lab tech to see if he is interested in the sample and how to get it.

Re: BIOS Virus - HELP!


You have not said what the virus was called. Are you saying it is new?

For viruses which infect the MBR, booting from a WinXP recovery disk and running the FixMBR command will restore the MBR and is the standard process.

Former Member
Message 17 of 20

Re: BIOS Virus - HELP!


Hi, please bear with me, this is the first time on this site. I have just gone through the same boot deal as you. After 9 HDDs and a new computer I figured it out. I started pausing from the BIOS splash screen and watched it load (about 5 billion times lol). This is truly a nasty one. Did you notice it hides a small partition? I must have fdisked 30 times. I started with F8, then F5, but it beat me to the punch every time. This is how I got rid of it on 2 of 5 computers so far. When I bought the last computer (Win 7 preloaded), first thing I did was load McAfee and updated EVERYTHING. Second, I set an infected HDD up as a slave and cloned the Win 7 disk to the slave. I didn't want to attempt it, for I went about 5 weeks w/nadda, but most of the HDDs were 2, 3, 4 TB's. So far the 2 have been clean for over a month. Oh, I got the clone free from c-net. I did spend a bunch on this one though, man it was bad. Good luck. Be happy to help if there's any q's, just drop an e-m. Sorry bout the typing (not too good at it lol). Have a great day.  WILLY

Former Member
Message 18 of 20

Re: BIOS Virus - HELP!


YEA!!!  I finally did it.  Okay, everyone, here is the solution.  The best part of this solution is that I was able to keep all of my data!!!!  YEA!!!!

I tried to attach the infected drive as a slave so I could run a virus scanner on the infected drive.  However, this is a really bad BIOS virus AND it writes to the MBR of the infected hard drives.  So, when I booted up the computer with a clean boot drive and the infected drive as a slave, the computer would freeze for a minute (60 full seconds) on the POST screen.  Then, the computer would claim that I do not have any drives attached to my computer!!!!  In other words, the virus would infect the clean drive BEFORE it was able to boot (POST SCREEN).  This happened because the BIOS would look for drives.  When it hit the infected drive, it would read the MBR and BAM!!!, the MBR would infect the BIOS, which would then infect the clean hard drive.  I would use the CLEAR_CMOS jumper on the motherboard to clear the virus out of the BIOS.  However, every time I tried to run with an infected drive attached as master or as slave, the BIOS would be re-infected.  If you read this thread, you also know that I could not see the CD-RW when the BIOS was infected so I could not run a CD with antivirus against the infected drive.  DAMN!  This is a very bad BIOS / MBR virus.

I then launched a clean Windows with a virus scanner.  Then, while Windows was running, I plugged in the infected drive with the hope that I could see and clean the drive before the MBR infected the clean drive.  However, no matter what I did, I could not get the infected drive to show up on the Windows machine.  I unplugged the infected drive and turned off the computer and used the CLEAR_CMOS jumper to be sure the BIOS did not get infected by the attached infected drive.  I rebooted the computer WITHOUT the infected drive and my clean Windows drive was still clean.

The epiphany came when I realized that this virus is a Windows virus.  So, I decided to hit it with Linux.  I tried the McAfee Rescue disk, but it was Windows based and did not work.  I tried the Kaspersky Rescue Disk, which is Linux based, but it did not work.  I finally tried the BitDefender Rescue Disk and it worked!!!!  YEA!!!  Thank you BitDefender!!!

Here are the steps:

* Using a clean computer, download the free "BitDefender Rescue Disk" and create a CD from the ISO file that you download.  If this link does not work, simply google for it. Make sure you download the ISO from BitDefender's website and not some hacker's website:  http://www.bitdefender.com/support/How-to-create-a-BitDefender-Rescue-CD-627.html

* Using a clean computer, download "Parted Magic", which is a free disk partitioning tool that is written on Linux:  http://www.livecdlist.com/  then scroll down to "Parted Magic".  Download the ISO and then burn it to a CD.

* Clear the BIOS by physically moving the CLEAR_CMOS (or CLRCMOS) jumper.  Refer to the motherboard user's manual for the jumper's location.

* Make sure all drives are unplugged except the CD-RW (or DVD-R).  Then, put the BitDefender Rescue Disk in the CD-RW as you turn on the computer.

* Let the "BitDefender Rescue Disk" to boot up and then it should automatically update its virus database.

* After BitDefender has updated, and while BitDefender is running, plug in the infected hard drive (PATA or SATA).  Give it a few minutes to "see" the drive.

* If BitDefender Scanner window is closed, double-click the BitDefender Scanner icon on the Linux desktop.

* Click the "Scan Now" button

* Click "File System" on the left

* Click "Open" on the bottom, right and the scanner starts scanning.  This will take a long time on a Terabyte hard drive (2 hours for me).  You will get a lot of I/O errors while the scanner fights with the MBR virus.  I got 399 I/O errors!  If the screen locks up, don't worry about it.  Go away and grab dinner, curse at the person/people who wrote this damn virus, and come back in about 2 hours.

* When BitDefender finishes, click the Finish button, then the Done button.  Click the Shutdown icon on the right side of the task bar, which is located at the bottom of the screen.

* If your computer is still locked up after 2 hours, press and hold the power button on your computer to do a hard boot.  I had to do this step on one of my infected hard drives.  The process still worked on it.  Apparently, BitDefender was still able to kill the virus even though it looked like it locked up.

* BitDefender found 92 issues.  All of them were similar to this:

Gen: Trojan.Heur.JP.Ju2@akWcCegi

Gen: Trojan.Heur.LP.008@amBBdZe

... and 90 more messages similar to these two.

* Restart your computer with BitDefender still in the CD-RW and the infected drive attached.  Hit F11 or the boot menu key for your BIOS and make sure you boot off the CD-RW.  After BitDefender boots up and updates its virus database, hit the "Scan Now" button and scan everything again.  Look for I/O errors that may indicate "inaccessible" or "password protected" files.

* After the second scan process is completed (and possibly a reboot and then a third scan process if you feel it is necessary), you need to clean "inaccessible" or "password protected" files.  The infected drive should show up on the BitDefender's Linux desktop at the top, left side of the screen.  Double-click on the icon and find the i/o error files.  Select the file and HOLD DOWN THE SHIFT KEY while you press the Delete key.  It will ask you if you want to permanently delete the file.  Hit "Yes".  The "password protected" files for me were in the _restore folder.  Yea, I'm going to do an accidental restore and get the virus restored back to my computer!!!  HELL NO!!!  Damn virus and DAMN CREATORS of the virus.

* Now it is time to use the Parted Magic CD that you created.  Put the Parted Magic in the CD-RW drive as you boot the computer.  When Parted Magic fully boots, change to the "cleaned" drive by clicking the dropdown selector near the top, right side.  You will see 2 MB of open space on the right side.  Click the Resize button near the top.  Click the middle space selectors to increase the size of the used space.  As you increase the size, the right side unpartitioned space will go down to zero.  You should have zero space before your main partition and zero space after your main partition.  Click the Apply button.  After the process completes, click the LogOff | Shutdown icon on the task bar at the bottom of the screen.

* After you clean your drive and get rid of the small unpartitioned space, attach the now cleaned drive as a slave on a clean computer.  Just to be sure, I got a cheap drive and installed Windows on it.  This way, if I attached the supposedly "cleaned" drive and had problems, I would only lose a cheap drive.  However, it worked perfectly!  I ran a virus scanner against the slave drive and it found nothing wrong.  I opened the drive and copied my critical files to a USB hard drive, just to be safe.  You should do the same.  Take this time now to copy your critical data to a USB drive in case you cannot boot from the now cleaned drive.  I also deleted a few suspicious files, including a folder that gave me an "access denied" error.  I googled to find out how to take control of an "access denied" folder, I took control, and then I deleted it.

So far, everything is working perfectly!  I have all of my drives back, including my two Terabyte drives, with all of the data intact.  YEA!!!!

Just a quick heads up.  I tried to boot one of my boot drives (PATA) and it would not boot.  I used the Windows XP installation disk to run the repair function.  It still did not work properly after successfully "repairing" it.  I did not have any important data on it so I just formatted it and re-installed Windows XP.  On my second boot drive (SATA), I tried to get it into the Windows operating system, but it would not work.  I tried to do a Windows XP installation repair function, but I kept getting the "blue screen of death".  I finally gave up and simply installed a clean copy of Windows 7.  On the boot drive for my third computer (SATA), I did not bother trying to run it.  Instead, I just wiped it out and installed a fresh copy of Windows XP.  On all three computers, I had the data backed up from the process above.  In addition, my backup data was available on my cleaned USB hard drive.  I had to re-install the applications, but at least I got my drives and my data back.

Message was edited by: bird2010 on 10/28/11 12:00:12 PM CDT
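The post above describes two observable traces of the infection: a modified MBR that re-infects anything that reads it, and a small unpartitioned tail (about 2 MB) where something can hide outside the filesystem. The following Python MBR inspector is an added example, not the poster's tooling or anything from BitDefender or Parted Magic. It parses a 512-byte boot sector, validates the 0x55AA signature, lists the partition entries, flags unallocated gaps large enough to hide code, and hashes the boot-code region so it can be compared against a copy taken from a known-clean disk. The embedded sample MBR is constructed for the demonstration; on a real case the sector would be read from the drive on an isolated machine (e.g. `dd if=/dev/sdX bs=512 count=1`).

```python
import hashlib
import struct
import sys

SECTOR = 512
DISK_SECTORS = 2_097_152  # constructed: a 1 GiB disk at 512 B/sector


def build_sample_mbr():
    """Constructed sample: one bootable NTFS partition from LBA 63 that
    leaves 4096 sectors (2 MiB) unallocated at the end of the disk."""
    mbr = bytearray(SECTOR)
    mbr[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # arbitrary boot-code bytes
    # status, CHS start (ignored), type 0x07 NTFS, CHS end (ignored), LBA, count
    struct.pack_into("<B3sB3sII", mbr, 446,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_092_993)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a classic MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0x00 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return parts


def find_gaps(parts, disk_sectors, min_sectors=2048):
    """Unallocated ranges (inclusive LBA tuples) of at least min_sectors (1 MiB)."""
    gaps, cursor = [], 1  # LBA 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def bootcode_sha256(mbr):
    """Hash of bytes 0..445 (boot code + disk signature), for baseline comparison."""
    return hashlib.sha256(mbr[:446]).hexdigest()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    parts = parse_mbr(data)
    print("boot code sha256:", bootcode_sha256(data))
    print("partitions:", parts)
    print("suspicious gaps:", find_gaps(parts, DISK_SECTORS))
```

A gap reported at the end of the disk is not proof of anything by itself, but together with a boot-code hash that differs from the clean baseline it is the kind of evidence worth preserving (image the sector) before resizing the partition as the post describes.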
Hayton
Reliable Contributor
Message 19 of 20

Re: BIOS Virus - HELP!


Now, that's what I call an epic. Congratulations on figuring it all out. No doubt McAfee would have liked to grab the infected files for analysis, but I bet you're just glad to be rid of them all. If you can find any more of those detections though (you gave 2 examples out of 90) I'd like to go and investigate them and see who else has been hit by this.

Former Member
Message 20 of 20

Re: BIOS Virus - HELP!


Help!  I think I have this too.  I have all the symptoms - drives undetected unless I refresh CMOS, try to recover but disk doesn't seem to work anymore.  Here's my problem.  I followed these directions, but made a mistake.  While using the BitDefender rescue disk I was trying to scan my old hard drive that I had reformatted when I mistakenly thought my old HD went bad.  Unfortunately I accidentally plugged the SATA cable from the old HD into my new hard drive (also bought when I thought the old went bad).  I saw my mistake and switched the cables after a scan and BitDefender didn't pick up much since I had wiped one and the other was out of the box.  After installing the new one I checked BIOS and it was properly detecting both hard drives.  I tried to start all over again to make sure the old HD was scanned properly, but when I tried to reboot into BitDefender I had problems.  I'd get to the screen where it asks me the language, but when I select English it then hangs on the black screen with the BitDefender logo.  After a few minutes the screen will flicker, but the Linux desktop never returns.  I've never gotten it to work since the first time.  What happened?  This last time the BitDefender logo hung for a while then asked for a password.  The username was bitdefender.  Totally stumped.

Are there any other options?  I can't find a bios update for my motherboard so flashing it is out of the question I think.

Are there any other rescue disks I can use?  I tried three new disks from the ISO, but none work.
