Virus on a BIOS, myth or reality????

sebas8194
Hi everyone, I think that the latest BIOS update that I had to do was because a virus managed to write a copy of itself on the BIOS ROM. I suspect that because I formatted the hard disk and installed a clean copy of Windows XP SP3 and the antivirus continued to give me warnings of a suspicious trojan application called "winamp.exe". And no, it's not the media player, since I never installed it after the formatting and it was located in the system32 folder (a common place for viruses). I swept the entire hard disk and operating memory with several reliable antivirus programs and they found and killed the damn virus, but it appeared again after each reboot! So I flashed the BIOS with the latest update and the virus is gone!!!!!

That's my story. I'd like to know if any of you guys have had a similar situation, and sorry for any grammar mistakes, my English is a little rusty.

    santeewelding

    We have a sometimes resident BIOS watcher who warns us about just such as you report.

    He is, BALTHOR.

    Perhaps he will chime in, to tell that you have your head up your ***, or that he has his.

    maxwell edison

    Some information on BIOS Viruses:

    http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html

    If a virus is recurring, however, it's more likely to be one that's written itself into the boot sector of a hard drive; and formatting and reinstalling alone won't necessarily rid the drive of the virus. Deleting and recreating the disk partition might rid the drive of the virus. Running a disk-wipe program is probably the best option.

    Winamp.exe is the name of a file used for playing MP3 files, and it may or may not be the virus file. It could be a legitimate file, it could be the name of the virus file, or a virus could write itself into the legitimate file.

    But if you flashed your BIOS and solved the problem, then it's a done deal.
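
Added example, not part of the thread or any poster's code: a Python check for the boot-sector case raised in the post above. A format rewrites the file system inside a partition but not the boot code in sector 0 of the disk, so the script hashes that region of a 512-byte MBR dump and compares it with a baseline taken from a known-good state; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)      # bootstrap code area of a classic MBR
TABLE_OFFSET = 446             # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"        # boot signature at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append((entry[0] == 0x80, ptype, lba_start, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partitions": partitions,
    }

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings; a boot-code change is the one to investigate."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed MBR for the demo (not a real disk dump)."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if a else 0, b"\0" * 3, t, b"\0" * 3, s, n)
        for a, t, s, n in entries
    ).ljust(64, b"\0")
    return boot_code.ljust(446, b"\0") + table + SIGNATURE

# Constructed sample sectors: same boot code with a new layout, then altered boot code.
CLEAN = make_sector(b"\xfa\x33\xc0" + b"\x90" * 100, [(True, 0x07, 63, 40000)])
REPARTITIONED = make_sector(b"\xfa\x33\xc0" + b"\x90" * 100, [(True, 0x07, 2048, 80000)])
MODIFIED = make_sector(b"\xeb\x3c" + b"\x90" * 101, [(True, 0x07, 63, 40000)])
```

On a real machine the input would be the first 512 bytes of the disk read from trusted boot media, since a running infected system can return altered sector contents.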

    maxpowers410

    To be honest, I think it's almost impossible for a virus to get on your system board. But theoretically in IT everything is possible; however, do you think someone would bother going to the trouble of programming a virus for one specific BIOS? They're all different!

    JamesRL

    It is much less likely now because OS's don't allow user level programs to have direct HW access. But for Windows 2000 and earlier it was a problem. I remember it as an issue in DOS days.

    Here is one example:
    http://en.wikipedia.org/wiki/CIH

    James

    maxwell edison

    I won't speculate on the why or how.

    sebas8194

    Hi guys, I'd like to add information about the possible BIOS virus infection that I had to clean. First, not only did the "winamp.exe" malicious file appear after the cleaning by the antivirus and the following reboot, but "h.exe" showed up as well, and I just remembered that I had the same infection on another PC with the SAME MOTHERBOARD!!!! The motherboard in question is the Elitegroup 661FX-M7. Now I am 99% sure that the virus was copied onto the BIOS, because on the other PC (where I formatted the whole hard drive and reinstalled the OS) I spent all day trying to remove the virus but it was impossible; however, I didn't clear or re-flash the BIOS, and that's why the damn virus continued to show up in the system32 folder. It all makes sense, or not???

    seanferd

    If you had more info about the files and registry entries involved, or what names the virus scanner gave the infection, you could identify what particular malware was involved, and what its capabilities are. Since you seem to have fixed it by flashing BIOS, it would seem to be resident there.

    Just some searches for "H.exe", "Winamp.exe trojan", or whatever. For example, this:
    http://www.threatexpert.com/files/winamp.exe.html

    mjd420nova

    Yes, it is true. I have had the unfortunate job of getting rid of these nasty things and have even tracked the source of one. The event is like catching any virus, but this one happens to write itself into the CMOS by "flashing" the BIOS. That's why, after cleaning and rebooting, it comes right back. The BIOS itself is on a ROM chip in the computer and cannot be changed; on boot up, it loads into the FLASH chips and the unit will boot from there as long as the battery remains intact. Often just setting the BIOS to default will clear it; sometimes removing the CMOS battery will get rid of it. In a few cases, going to the manufacturer's site and reflashing the BIOS with a newer or updated version will clear things out. I have tracked one in particular to a PORN site that one user liked to frequent. After repeated infections, I informed the user to stay away from there and told him I'd not be responsible for any further infections and a report would be required to his boss for continued ignorance and violation of company directives. I haven't had a recurrence.
