Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Virus writing to CMOS?

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350

    Post Virus writing to CMOS?

    I heard of a virus a few years ago....
    It apparently wrote to CMOS/BIOS and upped the harddrive speed or something to that effect. And the BIOS would then spin the HDD to fast, destroying your platters and such. I haven't been able find information on it anywhere....

    Whether or not this existed, is it even possible? I know XP prohibits direct access to the harddisk, so you can't write to MBR (not yet anyways), but this was before XP. Theoretically, is it possible for a virus to modify the MBR on a FAT/FAT32 partition (Linux/Win9x), which would allow the virus to run a COM file before Windows loads, and then write to BIOS. I know different types of BIOS work differently, but you could just flash the BIOS anyways and replace it with garbage. Some newer boards don't even allow original firmware to be overwritten...when you flash, it writes elsewhere, to assure that you can't corrupt the BIOS. But most boards don't do that.
    Geek isn't just a four-letter word; it's a six-figure income.

  2. #2
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    There used to be a couple of virii like that as far I remember. I think the most notorious one was called chernoble. It tried to overwrite your bios and erase your hard drive which in some cases meant the bios had to be changed. This virus only really affected widows 95. Before that under dos you had certain virii that done as you said or worst. I seem to remember one that used spin up the disk and then send a park command to the drive. The result was the head would try to park itself in the middle of the platter. Nowdays it is not really possiable to produce that type of problem as the hardware has evolved.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    CIH (Chernobyl Virus) writes to the HDD MBR? not sure but writes to track 0 IIRC and to the BIOS but AFIK into the cmos portion..

    There are some that will just corrupt your Cmos settings, some that that write to unused cmos areas (CIH), then there are the true baddies that flash portions of the BIOS firmware.. and I wish WinXP was immune.. but most of the victems I have encountered were Win9x and Directx 7.. these ppl also had their video cards BIOS flashed as well..ahhh phun and games..

    BTW AT.. do a search on this board on BIOS.. there have been other discussions in the past on this matter..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    havent see any pratical CMOS virus, only the BIOS virus such as AntiCMOS virus, aka Lixi, Lenart.

    here is the old reference:

    Although a virus CAN write to (and corrupt) a PC's CMOS memory, it can NOT "hide" there. The CMOS memory used for system information (and backed up by battery power) is not "addressable," and requires Input/Output ("I/O") instructions to be usable. Data stored there are not loaded from there and executed, so virus code written to CMOS memory would still need to infect an executable program in order to load and execute whatever it wrote. A virus could use CMOS memory to store part of its code, and some tamper with the CMOS Setup's values. However, executable code stored there must first be first moved to DOS memory in order to be executed. Therefore, a virus can NOT spread from, or be hidden in CMOS memory. No known viruses store code in CMOS memory. There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board. by a rogue programmer at American Megatrends Inc., the manufacturers. If the date is 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC speaker. In this case, the only cure is a new BIOS (or motherboard) - contact your dealer. The trojanized chip run was BIOS version M82C498 Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy Kuo's "What is NOT a virus" paper. - From time to time there are reports from Mac users that the message 'welcome datacomp' appears in their documents without having been typed. This appears to be the result of using a trojanised 3rd-party Mac-compatible keyboard with this 'joke' hard-coded into the keyboard ROM. It's not a virus - it can't infect anything - and the only cure is to replace the keyboard.
    ÍòǧÊÀ½ç¶àÆæÃºÆå«ÓîÖæÊ®ÍòÎÊ¡£
    ¹Â¶ÀºÚ¿ÍÀë¾ýÈ¥£¬Óû°é¹éÏçÖйú
    ºì¡£

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    t apparently wrote to CMOS/BIOS and upped the harddrive speed or something to that effect. And the BIOS would then spin the HDD to fast, destroying your platters and such. I haven't been able find information on it anywhere....
    If it doesn't exist..............you won't?

    Merry humbug................I stole that from Undies

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350
    Thanks alot for the replies. Just having the sheer capacity to do something like this makes me want to learn assembly, hardcore.

    Thanks anyways,

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.

  7. #7
    There were a number of boot sector viruses in the DOS days. AntiEXE and AntiCMOS were two. Chernoble and some other variants were around, as well. I still see AntiEXE and AntiCMOS showing up on the radar. Students have floppies and other media riddled with those old nasties, and they keep brining them around to our systems.

    Yes, a boot sector virus could cause changes or manipulate the code in CMOS. Spinning up a drive past specs is not something it could do. A drive could be spun to a certain RPM and that was about it. However, as Undertaker mentioned. spinning up a drive, then executing the park command, would cause a head crash in the middle of a read. That was in the days of the old MFM and RLL drives--you know, the ones that max'ed out at 40 megabytes? Those drives didn't have the automatic controllers the current IDE drives have. Bumping or jiggling the case could cause head crashes, especially if the drive was seeking at the time.

    A head crash is when the read/write heads would actually make contact with the surface of the hard drive platter. This would cause scratches on the media and destroy the read/write head.

    The end effect was that the drive would be ruined.

    BTW, here is a link to Symantec on the AntiCMOS virus. Interesting reading:

    http://securityresponse.symantec.com...nticmos.a.html

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    I know XP prohibits direct access to the harddisk, so you can't write to MBR
    If the virus is a device driver (WDM) or can get to execute ring0 code in another way (like win9x has various ways to do so without writing a VxD) it can overwrite the MBR.
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post\'s content - me

    www.elhalf.com

  9. #9
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    mikema: where ever you reference is from (give the link.........otherwise its plagerism of sorts) , im inclined not to believe it.

    if you think about it logically the bios enables you to boot from where ever the memory addresses within it say so, be it a harddisk or a NIC.

    NIC's have there own memory which can contain binarys to enable network booting, this eprom is more than useable as a storage location for any malicous code. sure its not on bios but I think the bios can contain spare memory (forgotten the location) so small code could easily be stored.

    If been messing about with the bios on a computer for a bit and im just trying to reverse engineer the program flashcd, its an iso that puts itself into the boot sector of a CD, quite interesting.

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Just had a second thought...........look for the "Magistr" virus.............that one tried to flash the CMOS/BIOS. A very complex virus partly written in ASM.

    Kaspersky probably has the best technical write-up



    There are so many different BIOS versions floating around that it would be hard to get a virus to operate there..........you would most likely stiff the machine anyway?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •