BIOS Virus?

bfindlay
New visitors - please read the rules.
Posts: 2
Joined: Sat Sep 23, 2006 8:46 am

Weirdest behaviour I have ever heard of. I got infected with a trojan (virusblast) that tried to sell me software to 'clean up spyware and viruses'. (It WAS the virus).

I flashed my BIOS to an updated version, then installed a new hard drive - formatted it, and installed Windows. The install took far, far longer than it should - on the order of three hours or so. The computer is slow as molasses now, taking 3 to 5 minutes to boot into Windows, 30 seconds or so to open a window or do any other task.

This is on a new, virgin Windows install on a brand new formatted HD. Then a window pops up saying that there are 55 errors in my registry (BRAND NEW SYSTEM!) and directs me to a third party site (registryupdate.com) to install a 'registry cleaner' that I am supposed to pay for.

This is the exact same behaviour as the machine had before I stuck the new HD in and installed Windows - except the scam is now pointing to 'registry update' instead of virus blast. Obviously the data for this did not come from corruption on a hard drive - there was no old hard drive in the system - and I deleted all partitions and re-formatted the hard drive upon installing it. The virus must live in the BIOS - but how can this be!? I am so confused, and at a loss on the correct move to bring my machine back to life.

Any help appreciated.
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

No, really...no. The virus/malware/trojan (whatever) does not live in the BIOS, that's (almost!) impossible. And why bother with any tricky hijack-the-BIOS action when the Windows XP network stack is so easy to break?
After you've updated the BIOS you should load the performance settings in the BIOS first. Then, when dropping in a new HDD, be sure to update its settings...right...in the BIOS. When you've done all this you're ready to install a new operating system. If your choice is something like Windows XYZ be sure to update it BEFORE connecting the machine to any network. I really mean what i'm saying...before hooking anything up that would make an external connection of any kind, be sure to update your Windows installation (XP SP2 at least, 2k SP4 update rollup 1 at least). Now you'd best get a free antivirus tool (http://www.free-av.com).
som1dies2nite
New visitors - please read the rules.
Posts: 11
Joined: Fri Oct 13, 2006 11:04 pm

cp, I think you can actually have a virus in the BIOS. I have a laptop that I bought off the street that had computrace on it. The user connected online and shortly after shutting down, the laptop will not boot up. All it does is light up the power LED and back off. I have read that computrace can send a packet and hack the BIOS to disable the laptop permanently, but they can't offer guaranteed recovery afterwards. I guess it's kind of a trojan. I have swapped drives with a formatted one and nothing gives.
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

i didn't say it's impossible but i really doubt that any programmer would go through this to actually copy anything into the bios. let's start with the bios itself: space in that thing is limited, very limited indeed. as all recent bios are modular the manufacturer can easily add modules to the basic bios. this makes it even harder for a virus programmer to determine the space left in the bios (there are many bios that leave ~10kB unused, try to code a trojan in 10kB!). additionally there is no direct hardware access in Windows 2K/XP without some tricks (HAL manages everything). and even if it could access the bios chip, read the contents, inject code, recalc the checksums correctly: the contents have to be written back, too. you have to know that there is no filesystem on top of a bios chip. the contents have to be written raw using a chip-specific algorithm. my guess: there are about 50 different eeproms out there that are used as bios chips. worst case with a unique programming algorithm each. no problem to include them all. just ask the programmer of UniFlash how 'easy' it was to write a program that supports the vast majority of flash chips.
there are some more reasons why it's so much easier to put a virus or a trojan somewhere else. i doubt that there is ANY virus/trojan that copies itself into the bios and i really think that it's another urban legend (i do know that there is at least one virus that is able to destroy the bios bootblock).

see:
http://en.wikipedia.org/wiki/CIH_virus
for reference. and read the part about the bios destroying carefully.
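The checksum and raw-write argument above also describes the defender's side of the question: dump the flash contents and compare them to a known-good image rather than trusting the checksum alone. The following is an added example, not code from this thread, UniFlash or any vendor tool; it builds a constructed legacy option-ROM-style image (0x55 0xAA signature, length byte in 512-byte units, byte-sum checksum), verifies it, measures the unused 0xFF padding cp mentions, and compares the image to a known-good SHA-256.

```python
import hashlib


def build_sample_rom(code: bytes, size_units: int = 1) -> bytes:
    """Constructed legacy option-ROM-style image used as sample input.

    Layout (assumed for the example): 0x55 0xAA, size in 512-byte units,
    code, 0xFF filler, and a final byte that makes the whole image sum to
    0 mod 256 (the legacy option ROM checksum rule).
    """
    total = size_units * 512
    body = bytearray(b"\x55\xAA") + bytes([size_units]) + code
    if len(body) + 1 > total:
        raise ValueError("code does not fit in the image")
    body += b"\xFF" * (total - len(body) - 1)
    body.append((-sum(body)) % 256)
    return bytes(body)


def checksum_ok(image: bytes) -> bool:
    """Signature, declared length and byte-sum checksum all consistent?"""
    return (len(image) >= 3 and image[:2] == b"\x55\xAA"
            and len(image) == image[2] * 512 and sum(image) % 256 == 0)


def largest_free_run(image: bytes, filler: int = 0xFF) -> int:
    """Longest run of filler bytes: the 'unused space' a modifier would need."""
    best = cur = 0
    for b in image:
        cur = cur + 1 if b == filler else 0
        best = max(best, cur)
    return best


def golden_hash(image: bytes) -> str:
    """Hash of a known-good dump (vendor image or a dump taken when clean)."""
    return hashlib.sha256(image).hexdigest()


def verify_against_golden(image: bytes, golden_sha256: str) -> dict:
    # A recomputed checksum hides a modification; the golden hash does not.
    return {
        "checksum_ok": checksum_ok(image),
        "matches_golden": golden_hash(image) == golden_sha256,
        "largest_free_run": largest_free_run(image),
    }


if __name__ == "__main__":
    rom = build_sample_rom(b"\xEB\xFE" + b"\x90" * 20)
    print(verify_against_golden(rom, golden_hash(rom)))
```

The point of the last check is the one cp makes: a valid checksum only shows the image was written consistently, so a dump that passes the checksum but no longer matches the vendor image is the signal to act on.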
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

and by the way: CompuTrace is not a virus or a trojan, it is a security system. in my understanding there is a clear difference between a virus and a security system!
okay, back to the CompuTrace features: some parts of it can be stored in the flash chip where the bios is placed. the faq says nothing about deleting any other data than the data stored on local harddrives. so there is no actual proof that any CompuTrace software can overwrite the bios or parts of it.
som1dies2nite
New visitors - please read the rules.
Posts: 11
Joined: Fri Oct 13, 2006 11:04 pm

I know computrace is a security system for laptops, but it acts like a trojan when it needs to disable a laptop.
http://www.phoenix.com/en/about+phoenix ... 2003-a.htm
http://pcworld.com/article/id,110883-pa ... ticle.html
http://www.techweb.com/wire/story/TWB20030527S0008
After a TheftGuard-equipped machine is reported as stolen to a special Web site, the stolen PC can be detected when it next connects to the Internet, TheftGuard officials said. At that time, the computer can be disabled, all data on its hard drive wiped clean, or an IP trace put on the connection to determine the physical location of the system.

Because TheftGuard is integrated with the BIOS, it can "cripple the computer," by not allowing it to boot, said Eades.

This is the problem with a laptop I bought. I don't know if the BIOS chip is the 24LC04 or where to find it in a D510.
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

look, the security would only jump in if:
- the system has a security system (and it's enabled)
- the system is connected to the internet
- the system can connect to the CompuTrace database
AND (this is the most important thing!)
- there is an entry in the database that says it is stolen!

and i guess those database entries are there for a reason. someone (the original owner!) must have reported it stolen if your laptop was disabled by CompuTrace.
my advice: take that laptop back to where you bought it and get your money back.

btw. the 24LC02 is a serial eeprom with 4Kbit (that's 512 bytes) space. that's where you could save some settings or the like but not a bios or CompuTrace.
edwin
The Hardware Archivist
Posts: 6286
Joined: Wed Mar 20, 2002 7:11 pm
Location: Netherlands

after you got your money back, report the person that sold it to the police.
edwin/evasive

Do not assume anything

System error, strike any user to continue...
som1dies2nite
New visitors - please read the rules.
Posts: 11
Joined: Fri Oct 13, 2006 11:04 pm

cp wrote:look, the security would only jump in if:
- the system has a security system (and it's enabled)
- the system is connected to the internet
- the system can connect to the CompuTrace database
AND (this is the most important thing!)
- there is an entry in the database that says it is stolen!

and i guess those database entries are there for a reason. someone (the original owner!) must have reported it stolen if your laptop was disabled by CompuTrace.
my advice: take that laptop back to where you bought it and get your money back.

btw. the 24LC02 is a serial eeprom with 4Kbit (that's 512 bytes) space. that's where you could save some settings or the like but not a bios or CompuTrace.
Here's another link, cp.
http://www.hardwaresecrets.com/article/39/1
edwin
The Hardware Archivist
Posts: 6286
Joined: Wed Mar 20, 2002 7:11 pm
Location: Netherlands

Most likely you got it from a website where you downloaded a driver or some software or maybe it is in your old profile. Are you sure your "new" harddisk was completely clean?
edwin/evasive
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

this article doesn't say anything about the virus itself. the author just claims that the virus can overwrite the bios which is only _partly_ true. obviously the author of this article is not aware that not all flash eeproms work the same way when they are written to. i will now quote from the wikipedia article on the CIH virus: "(...)BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. (...)CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence."
a 'translation' of the above would read: CIH can write to the BIOS and thus destroy its original contents, but it ONLY works for ONE specific flash eeprom or other eeproms that use EXACTLY the same writing algorithm.

so chances are existent that CIH really could destroy BIOSes but chances are _very_ small. i'd say that for most people the lack of knowledge on how flash eeproms work (read: smattering) created an urban legend of a BIOS-eating monster virus that can even hide in the cache of the harddisk or in the video ram of the vga adapter.
edwin
The Hardware Archivist
Posts: 6286
Joined: Wed Mar 20, 2002 7:11 pm
Location: Netherlands

Most if not all antivirus software knows of the algorithms used by CIH and any variants. The only way you can get it now is by deliberately booting from an infected medium and executing the code.
edwin/evasive