Chinese Security firm Discovers new BIOS based Virus

Chinese AV company 360 has discovered a new Trojan, the “BMW Virus” (also called Mebromi), that can actually infect a computer's BIOS:

“The BMW virus is the latest high-risk virus caught by the 360 Security Center. It infects a chain consisting of the BIOS (the motherboard chip program), the MBR (master boot record) and Windows system files, so that regardless of whether the victim reinstalls the system, formats the hard disk, or replaces the hard disk, the virus cannot be completely removed.” – Translated 360 page

According to The H Security, when a system is infected, the Trojan checks whether the system has an Award BIOS. If it does, it hooks itself into the BIOS. Once the system is restarted, the BIOS hook adds it to the hard drive's master boot record (MBR). Next it infects winlogon.exe or wininit.exe (depending on the Windows version).

The malware is also a Trojan downloader: it connects out and tries to download further malware to the infected system.

If the system uses a BIOS other than Award, the Trojan skips writing to the BIOS but still tries to infect the MBR of the boot hard drive.

Removing the virus from the MBR and the infected files has no lasting effect: at the next restart the hooked BIOS code runs before the operating system, rewrites the MBR, and the computer is infected again.
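The practical consequence of the paragraph above is that a responder cannot trust a one-time MBR clean; the check that matters is whether the clean survives a reboot. The script below is an added example, not code from the original post, from 360, or from The H; it does not detect Mebromi specifically. It parses a 512-byte MBR snapshot (boot signature, partition table, boot-code hash) and compares the snapshot taken before the reboot with the one taken after. Boot code that changes while the partition table stays intact is the pattern a BIOS-resident re-infector produces. All sectors in the block are constructed for the demonstration; the "clean" boot code is a stand-in for the vendor's, not real boot code.

```python
"""MBR snapshot comparison: did the boot-sector clean survive a reboot?

Added example, not the post's own code. Sample sectors are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code, first thing the BIOS jumps into
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its fields; raise on malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Field-by-field diff of two snapshots of the same disk's MBR."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": before["boot_code_sha256"] != after["boot_code_sha256"],
        "partition_table_changed": before["partitions"] != after["partitions"],
        "disk_signature_changed": before["disk_signature"] != after["disk_signature"],
    }


def classify_after_reboot(cleaned: bytes, after_reboot: bytes) -> str:
    """Verdict a responder wants after cleaning the MBR and rebooting."""
    diff = compare_mbr(cleaned, after_reboot)
    if diff["boot_code_changed"] and not diff["partition_table_changed"]:
        return "boot code rewritten, partition table intact: persistence below the OS (check firmware)"
    if diff["boot_code_changed"]:
        return "boot sector and partition table changed: investigate, possible bootkit or tampering"
    return "clean boot sector survived the reboot"


def build_sector(boot_code: bytes, partitions=()) -> bytes:
    """Construct a synthetic MBR for the demonstration (not real boot code)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\xde\xad\xbe\xef"
    for i, (status, ptype, lba, count) in enumerate(partitions):
        sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)] = \
            struct.pack("<B3xB3xII", status, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed samples: same partition table, different boot code.
PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
CLEAN_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 100, PARTS)
REINFECTED_MBR = build_sector(b"\xeb\x58\x90" + b"\xcc" * 200, PARTS)


if __name__ == "__main__":
    # Snapshot taken right after cleaning vs. snapshot taken after the reboot.
    print(classify_after_reboot(CLEAN_MBR, REINFECTED_MBR))
    print(classify_after_reboot(CLEAN_MBR, CLEAN_MBR))
```

On a live system the two snapshots come from reading the first 512 bytes of the boot disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) before and after the reboot; the comparison itself is OS-independent. A verdict of "persistence below the OS" is the cue to stop cleaning the disk and go to the firmware.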

Since most anti-virus vendors are unlikely to ship a BIOS cleaning utility, the BIOS would most likely need to be re-flashed with a clean vendor image to remove the infection completely.

~ by D. Dieterle on September 14, 2011.

4 Responses to “Chinese Security firm Discovers new BIOS based Virus”

  1. Oh man, that’s nasty. So I wonder if flashing the BIOS would clean it out? But if your BIOS is fully updated, I bet a BIOS update wouldn’t even process when it detected you were at the newest revision.

  2. I wonder how McAfee would react to this news, after they released their latest AV (Deepsafe)…

    • Very good point.

      Deepsafe looks interesting. It seems that part of it will reside outside the OS, in between it and the hardware.

      Apparently it will also act like virtual memory: it will inspect code that is to be stored in and run from RAM before it is actually stored. This should help with a lot of the code obfuscation techniques.

      I also wonder if it will stop the AV bypass techniques that will be in the new version of Backtrack SET to be released later this month.

      Time will tell, but with “Free” anti-virus shipping with Windows 8, the Anti-Virus market could change pretty rapidly.
