Bios Virus

[slarty]

There is a set of commands for flashing the bios. This set of commands is deliberately complicated (so that nothing does it by accident), and different on different motherboards (to reduce the probability that you will flash it with the wrong one).

However, if a virus knows the right commands for the specific motherboard, it can reflash the bios which in some cases renders the machine entirely unusable (for ever)

As others have noted, an example of one which did this was the "Chernobyl" virus. At our company, 2 machines were fried by it (and several others had their hard discs wiped)

Some motherboards have a low-level reflash procedure which allows the bios to be reflashed without being able to boot (You hold a key down on the keyboard, having inserted a specially formatted floppy). This recovers a fried bios.

[darkes]

I'm not sure how effective something like the CIH virus would be today.

As has been pointed out, some MB have a jumper you can set to prevent an autamatic reflash.

Also, on some BIOS you will find an option to set an option called 'BIOS Flash Protection' under 'Advanced BIOS Features', which will prompt you if the BIOS is being reflashed.

If you are running WinXP with an NTFS file system, the BIOS reflash program/virus normally needs to run in native DOS mode, as it does not understand NTFS.

[SirDice]

Not only does every vendor and every type of motherboard have their own type of bios, the way in which this flash memory actually gets flashed also differs from each other.

The reason all those bios flash programs need to be booted from DOS is actually quite simple. When using a DOS bootdisk there are usually no memory managers, no hardware drivers and no applications running. This will make flashing your bios safer because none of these things can get in the way when flashing.

[Und3ertak3r]

Ok,

Virus that attacks a Computers BIOS..

Well some systems I have encountered over the past few years I have never had the time to find the name of the Mal-ware that has caused the problems.. that is after elliminating the user and random hardware probs as the cause..

1/ 2 cases different brands of sock 370 mobo's - No P.O.S.T .. Error message.. Had to auto script a reflash of BIOS..
2/ 15 to 20 cases various Slot1/socket 370 mobo's - Unable to reinstall OS or/and CD ROM not reading CD or/and cd-Draw not obeying commands - Had to Reset CMOS memory ie reset the Bios settings..
3/ 6 or 7 systems with similar to above symptoms - Had to Flash the BIOS to Fix.

With any machine that has been infected with recent virii a Good ol clearing/reset of the CMOS is a good precaution to prevent "hidden" nasties.. And why do I follow this path?

How many of the motherboards built in the last 4-5 years that you know of came with a windows/dos based Cmos/bios utility? OK and how many of those had a utility that allowed internet/windows BIOS updateing?..

Your BIOS EEPROM and RAM occupy the lower areas of the systems memory map (I am assuming little has changed in 10 years), your operating system is able to interogate this area as well as write to some areas (clock settings, etc), so a virus would writer will have no problems identifing the bios type, and perhaps leave a package in the unused area of the CMOS.
Further to this, a Mal-ware code (read Virus, mal-ware script etc) would identify the Bios type and with a basic libary of Chip types, Bios manufacturers and MoBo manufactures, would then successfully damage the BIOS Software and or store further damaging code.

To back this up.. check out old DOS utilities for backing up and restoring a systems CMOS.. some would reeport how much free memory in the CMOS (couldn't see a use for it at the time.. not very forward thinking was I)

I hope I made sence..


Cheers

[rmlj63]

It seems to me that if you do have a flash BIOS it could be overwritten. Much like a router configuration can be remotely flashed to NVRAM. I understand that there are some hoops that a BIOS virus would have to jump through and would not be very effective in spreading or doing much more than denying you access to your computer for awhile, but as far as the idea of BIOS virii, I am sure that given the right circumstances it could happen.

As far a security, jumpers would be the best form, but also BIOS passwords could function as a decent form of security.

The fact that once the virus infects your system you are denied even the C prompt kinda puts a wrench in its ability to spread, this could explain why there is not much focus on it.

It seems to me that if you do have a flash BIOS it could be overwritten. Much like a router configuration can be remotely flashed to NVRAM. I understand that there are some hoops that a BIOS virus would have to jump through and would not be very effective in spreading or doing much more than denying you access to your computer for awhile, but as far as the idea of BIOS virii, I am sure that given the right circumstances it could happen.

As far a security, jumpers would be the best form, but also BIOS passwords could function as a decent form of security.

The fact that once the virus infects your system you are denied even the C prompt kinda puts a wrench in its ability to spread, this could explain why there is not much focus on it.

[Noia]

I have a Dual BIOS, and you can get BIOS saviours that can make a copy of your BIOS straight to a secondary chip, and then re-load it from there if something goes wrong...

oh well...I don't think CIH would have any affect these days, New hardware is too advanced and to well protected....plus, if you wheren't running an Anti-virus, sucks to be you.

- Noia

[bballad]

The Cmos password will not keep your bios from beeing flashed by a programm, it will only keep people out of the system.