BIOS Virus - HELP!

Discussion in 'ESET NOD32 Antivirus' started by bird2010, Oct 24, 2011.

Thread Status:
Not open for further replies.
  1. bird2010

    bird2010 Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    4
    I am incredibly frustrated with this BIOS virus. Please help!

    When I insert a disk that is bootable, the virus writes to the disk -- I believe to the MBR. I finally figured out that this is a virus after I lost three computers!!! I initially thought that I was having hardware issues so I replaced drives and tried to re-image the drive. Every time I attached a bootable drive, the BIOS "lost" it. In other words, the BIOS would see the drive unless it was bootable. As soon as I attached a bootable drive, it would lock up as Windows was installing. Then, when I rebooted it, the BIOS would not be able see it. I bought a new power supply and new disks. I moved cables around and I finally figured out that it is a virus.

    Now, here is the problem. If I clear the CMOS using the jumper and disconnect all drives except the CD-RW, the BIOS recognizes the CD with no problems and the installation or system repair disks boot up. HOWEVER, if I plug in an infected drive and turn on the computer, the computer locks up because the virus on the drive is trying to write to the BIOS. I locked the BIOS with a password, so the computer locks up now as the virus tries to rewrite my BIOS.

    I do not want to throw away six (6) hard drives since a couple of them are terabyte drives. More importantly, I do not want to throw away my USB drive since it has my backup data. I thought I was being smart by keeping a backup on this USB drive. All of these drives have touched the infected systems so I am scared of spreading this virus and losing more hard drives.

    How do I kill a BIOS virus that writes to the MBR of a hard drive? Every time the hard drive is attached to a computer, the virus is spread BEFORE the OS can turn on to run AntiVirus software. If McAfee is on a bootable CD, the CD boots AS LONG AS THE INFECTED HARD DRIVE IS NOT ATTACHED. However, if I plug in one of the infected hard drives, the virus runs as the hard drive is being recognized by the BIOS and the virus disables all drives that are bootable, including the bootable CD with McAfee.

    I can clear my CMOS with a jumper, but I cannot find a way to clear the MBR of a hard drive. Help!
     
  2. bird2010

    bird2010 Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    4
    Here is some more information. The virus that I have takes the computer down completely. If my computer is completely down and does not boot, the infection does not provide value to the cybercrooks so I do not think that it is the TDL4 virus that I have read about. My computers are completely dead -- they do not boot.

    Here is what happens.

    * I unplug all hard drives and USB drives. However, I leave the CD-RW plugged in.

    * I physically move the pin on the jumper to clear the CMOS. This clears the BIOS completely and restores it to factory setting.

    * I turn on the computer and go directly into the BIOS. I enable "BIOS Flash Protection" and I add a password to the BIOS ("BIOS Password Check"). I save the BIOS, which reboots the computer. My BIOS is American Megatrends v02.61

    * I can put stand-alone anti-virus disks, Windows XP, Windows 7, or any other disk into the CD-RW drive. When the computer boots, it runs perfectly. HOWEVER, there are no hard drives or USB drives for the disks to scan or fix.

    * So, I shut off the computer. Remember the BIOS Flash Protection and password are active. Then, I plug in the infected hard drive (PATA or SATA - I infected six hard drives as I attempted to fix the problem since I originally thought this was a hardware problem).

    * I turn on the computer with an infected drive attached. The computer freezes on the POST screen for about one full minute. Then the computer continues to run. I get an error "Insert Boot Media". Remember, I just ran boot media from the CD-RW drive. The only thing that I changed was added a hard drive (or plugged in an infected USB drive). I reboot the computer and hit F11 for the Boot Menu. NOTHING shows up! The CD-RW and hard drive are literally GONE! I reboot and go into the BIOS and NOTHING is attached according to the BIOS. Remember, I had BIOS Flash Protection and BIOS Password enabled.

    I took these exact steps with different hard drives and with USB drives that I used as boot media. This is one insane virus. I have three dead computers. I might be able to save the computers by flashing their BIOS and putting new hard drives. I'm going to buy a cheap drive tomorrow and see if I can save the computers. However, I have six dead hard drives. Two dead USB drives. One dead USB hard drive with ALL of my critical backup files. If I cannot find out how to kill this damn virus, I will drop over five hundred dollars into the trash. In addition, I will lose ALL of my data since my backup drive is also infected.

    Now, the worst part. I teach programming. I probably got this virus from one of my students. I accept their work on USB drives and I rely on McAfee Enterprise 8.7i to protect my system. The moderator at the McAfee forum suggested that I visit you all because "There is a forum (HERE) where some very knowledgeable people gather, and they have been discussing the new BIOS rootkits."

    If this virus can knock me down like this, then it is a severe issue that is going to destroy the average user. Any drive -- USB, portable hard drive, etc -- that touches an infected system will pass the virus to other systems. If the drive is NOT a boot drive, the virus jumps on and infects every drive that it touches. If the drive is a bootable drive, it hits the BIOS and makes all the bootable drives on that computer disappear in the BIOS.

    Please help.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
What ports are you using for the hard drives and disc drive?

Some motherboards have two separate SATA controllers, which are normally shown as different colour ports.

Is the McAfee disc also Windows-based?

Have you tried booting from a Linux live CD? Pretty much all Linux live CDs come with some sort of partition management tool which would be able to wipe the disc including the MBR.
There are also some Linux-based antivirus discs. Does the disc drive work on its own using all ports and all the cables you have got?
     
    Last edited: Oct 24, 2011
  4. bird2010

    bird2010 Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    4
    The original drive was a SATA drive. My MB SATA controller only has two ports and they are the same color. The second drive that I tried was an old PATA drive. I found an old PATA cable and I hooked up the drive. It was immediately infected and then it "disappeared" from the BIOS. What do I mean by immediately infected? The POST freezes for about a minute. Then, it continues and I get an error message "Insert Boot Media". When I reboot and hit F11 for the boot menu or if I go directly into the BIOS, the CD-RW and the bootable hard drive (SATA or PATA) are gone. By gone, I mean that they do not exist. I thought it was a power supply issue at first. I bought a new power supply. Nope. It is a virus.

    As proof that it is a virus, I can reset the virus using the physical jumper on the motherboard. When I do, if the hard drives are NOT attached, the CD-RW appears. I can run the Windows XP or the Windows 7 installation disks -- no problem. However, there isn't a drive for them to install. Now, if I turn off the computer and install an infected hard drive, the computer freezes on the POST screen and the CD-RW and the infected hard drive are GONE.

    The McAfee Rescue Disk is Windows 7 based. I also tried the AVAST Rescue Disk, which is Linux based. No luck. The AVAST disk can see the hard drive if I plug it in while the AVAST disk is already running. However, the AVAST virus scan of the infected disk claims that the disk is clean. Then, when I reboot with the AVAST disk still ready to boot in the CD-RW (first item in the boot sequence) and the infected disk as a bootable storage drive, the computer freezes on the POST screen for about a minute and then the CD-RW (with AVAST in it) and the infected hard drive DO NOT EXIST according to the BIOS.

    Hmmm... Linux Live CD... that is a good idea. I will try that tonight. If I can wipe out the MBR and the partitions except the main one, I may still be able to save my data. I just have to figure out how to scan for the virus on the main partition. There is a part of the virus that "delivers the payload" and a part that infects the BIOS and MBR. My BIOS keeps getting re-infected by the MBR of the infected hard drives. Even if I clear the MBR, the original part of the virus on the main partition will deliver the payload and re-infect the MBR and BIOS. I have to find a way to kill all parts of the virus.

    Worst case scenario, I will just wipe out everything on the hard drives with the Linux Live CD -- partitions and MBR. At least I will still have my hard drives. The only problem is that my original data and my backup data will be destroyed. I thought I was being so careful by having a backup of all of my important data. Damn. Who are these evil people who hurt others for no reason?
     
  5. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    I don't know if the following will work. I am not a security expert (far from it). I know hardware, not software.

Anyways. I was thinking about maybe installing one of the hard drives on a malware-clean (old and possibly redundant) system as a non-bootable HDD. It could possibly be accessed from within a virtual machine. Then try removing all infection(s) via the host system.

    It might be risky. I don't know. Possibly someone else with greater security knowledge could comment.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    There is a piece of malware which infects BIOSes called Win32/Mebromi, however, it does not infect those from American Megatrends, Inc.

    What are the brands and models of the affected computers (or motherboards if self-assembled)?

    Regards,

    Aryeh Goretsky
     
  7. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi bird2010

    Clearing the CMOS is just resetting the BIOS to the default settings.

I don't know if agoretsky agrees.

But IMO, what you should try is flashing the BIOS, which will do a complete rewrite [overwrite] of the BIOS.

Because if the virus is in the BIOS, I am sorry to ask, what is to keep it from reinfecting your hard disk until it is removed, no matter how many times you overwrite your MBR or the whole hard disk?

I have always flashed my BIOS whenever there is a new one available to get the latest one, to keep the motherboards up to date.

    Take Care
    TheQuest :cool:
     
    Last edited: Oct 25, 2011
  8. jasonblake7

    jasonblake7 Registered Member

    Joined:
    Aug 19, 2008
    Posts:
    70
    totally agree with you TheQuest.

     
  9. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185
The BIOS password won't prevent flashing, by the way. Since you don't have an Award BIOS, in theory it shouldn't be flashing it unless you have a new version.

First of all, have you clarified that the files related to the virus are on your hard drive? I noticed from all your posts across the internet that you haven't yet verified this.

So first of all, boot off a Linux live CD. Using a USB caddy, plug the infected drive in once the OS has booted.

Confirm you have these files.

If you have, delete them. It can't flash the BIOS, or try to flash the BIOS, if they're not present.

Fix your MBR using the Linux live CD; there are plenty of articles on Google on how to do this.

    Reset cmos and place the hard drive in the system.

    See if it boots.
     
  10. bird2010

    bird2010 Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    4
    YEA!!! I finally did it. Okay, everyone, here is the solution. The best part of this solution is that I was able to keep all of my data!!!! YEA!!!!

I tried to attach the infected drive as a slave so I could run a virus scanner on the infected drive. However, this is a really bad BIOS virus AND it writes to the MBR of the infected hard drives. So, when I booted up the computer with a clean boot drive and the infected drive as a slave, the computer would freeze for a minute (60 full seconds) on the POST screen. Then, the computer would claim that I do not have any drives attached to my computer!!!! In other words, the virus would infect the clean drive BEFORE it was able to boot (POST SCREEN). This happened because the BIOS would look for drives. When it hit the infected drive, it would read the MBR and BAM!!!, the MBR would infect the BIOS, which would then infect the clean hard drive. I would use the CLEAR_CMOS jumper on the motherboard to clear the virus out of the BIOS. However, every time I tried to run with an infected drive attached as master or as slave, the BIOS would be re-infected. If you read this thread, you also know that I could not see the CD-RW when the BIOS was infected, so I could not run a CD with antivirus against the infected drive. DAMN! This is a very bad BIOS / MBR virus.

    I then launched a clean Windows with a virus scanner. Then, while Windows was running, I plugged in the infected drive with the hope that I could see and clean the drive before the MBR infected the clean drive. However, no matter what I did, I could not get the infected drive to show up on the Windows machine. I unplugged the infected drive and turned off the computer and used the CLEAR_CMOS jumper to be sure the BIOS did not get infected by the attached infected drive. I rebooted the computer WITHOUT the infected drive and my clean Windows drive was still clean.

    The epiphany came when I realized that this virus is a Windows virus. So, I decided to hit it with Linux. I tried the McAfee Rescue disk, but it was Windows based and did not work. I tried the Kaspersky Rescue Disk, which is Linux based, but it did not work. I finally tried the BitDefender Rescue Disk and it worked!!!! YEA!!! Thank you BitDefender!!!

    Here are the steps:

    * Using a clean computer, download the free "BitDefender Rescue Disk" and create a CD from the ISO file that you download. If this link does not work, simply google for it. Make sure you download the ISO from BitDefender's website and not some hacker's website: http://www.bitdefender.com/support/How-to-create-a-BitDefender-Rescue-CD-627.html

    * Using a clean computer, download "Parted Magic", which is a free disk partitioning tool that is written on Linux: http://www.livecdlist.com/ then scroll down to "Parted Magic". Download the ISO and then burn it to a CD.

    * Clear the BIOS by physically moving the CLEAR_CMOS (or CLRCMOS) jumper. Refer to the motherboard user's manual for the jumper's location.

    * Make sure all drives are unplugged except the CD-RW (or DVD-R). Then, put the BitDefender Rescue Disk in the CD-RW as you turn on the computer.

    * Let the "BitDefender Rescue Disk" to boot up and then it should automatically update its virus database.

    * After BitDefender has updated, and while BitDefender is running, plug in the infected hard drive (PATA or SATA). Give it a few minutes to "see" the drive.

    * If BitDefender Scanner window is closed, double-click the BitDefender Scanner icon on the Linux desktop.

    * Click the "Scan Now" button

    * Click "File System" on the left

    * Click "Open" on the bottom, right and the scanner starts scanning. This will take a long time on a Terabyte hard drive (2 hours for me). You will get a lot of I/O errors while the scanner fights with the MBR virus. I got 399 I/O errors! If the screen locks up, don't worry about it. Go away and grab dinner, curse at the person/people who wrote this damn virus, and come back in about 2 hours.

    * BitDefender found 92 issues. All of them were similar to this:
    Gen: Trojan.Heur.JP.Ju2@akWcCegi
    Gen: Trojan.Heur.LP.008@amBBdZe
    ... and 90 more messages similar to these two.

    * When BitDefender finishes, click the Finish button, then the Done button. Click the Shutdown icon on the right side of the task bar, which is located at the bottom of the screen.

    * If your computer is still locked up after 2 hours, press and hold the power button on your computer to do a hard boot. I had to do this step on one of my infected hard drives. The process still worked on it. Apparently, BitDefender was still able to kill the virus even though it looked like it locked up.

* Restart your computer with BitDefender still in the CD-RW and the infected drive attached. Hit F11 or the boot menu key for your BIOS and make sure you boot off the CD-RW. After BitDefender boots up and updates its virus database, hit the "Scan Now" button and scan everything again. Look for I/O errors that may indicate "inaccessible" or "password protected" files.

    * After the second scan process is completed (and possibly a reboot and then a third scan process if you feel it is necessary), you need to clean "inaccessible" or "password protected" files. The infected drive should show up on the BitDefender's Linux desktop at the top, left side of the screen. Double-click on the icon and find the i/o error files. Select the file and HOLD DOWN THE SHIFT KEY while you press the Delete key. It will ask you if you want to permanently delete the file. Hit "Yes". The "password protected" files for me were in the _restore folder. Yea, I'm going to do an accidental restore and get the virus restored back to my computer!!! HELL NO!!! Damn virus and DAMN CREATORS of the virus.

* Now it is time to use the Parted Magic CD that you created. Put the Parted Magic CD in the CD-RW drive as you boot the computer. When Parted Magic fully boots, change to the "cleaned" drive by clicking the dropdown selector near the top, right side. You will see 2 MB of open space on the right side. Click the Resize button near the top. Click the middle space selectors to increase the size of the used space. As you increase the size, the right-side unpartitioned space will go down to zero. You should have zero space before your main partition and zero space after your main partition. Click the Apply button. After the process completes, click the LogOff | Shutdown icon on the task bar at the bottom of the screen.

* After you have cleaned your drive and gotten rid of the small unpartitioned space, attach the now-cleaned drive as a slave on a clean computer. Just to be sure, I got a cheap drive and installed Windows on it. This way, if I attached the supposedly "cleaned" drive and had problems, I would only lose a cheap drive. However, it worked perfectly! I ran a virus scanner against the slave drive and it found nothing wrong. I opened the drive and copied my critical files to a USB hard drive, just to be safe. You should do the same. Take this time now to copy your critical data to a USB drive in case you cannot boot from the now-cleaned drive. I also deleted a few suspicious files, including a folder that gave me an "access denied" error. I googled to find out how to take control of an "access denied" folder, I took control, and then I deleted it.

    So far, everything is working perfectly! I have all of my drives back, including my two Terabyte drives, with all of the data intact. YEA!!!!

    Just a quick heads up. I tried to boot one of my boot drives (PATA) and it would not boot. I used the Windows XP installation disk to run the repair function. It still did not work properly after successfully "repairing" it. I did not have any important data on it so I just formatted it and re-installed Windows XP. On my second boot drive (SATA), I tried to get it into the Windows operating system, but it would not work. I tried to do a Windows XP installation repair function, but I kept getting the "blue screen of death". I finally gave up and simply installed a clean copy of Windows 7. On the boot drive for my third computer (SATA), I did not bother trying to run it. Instead, I just wiped it out and installed a fresh copy of Windows XP. On all three computers, I had the data backed up from the process above. In addition, my backup data was available on my cleaned USB hard drive. I had to re-install the applications, but at least I got my drives and my data back.
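To make the "clear the MBR but keep the data" part of the procedure above concrete, here is an added example (not code from this thread, from BitDefender or from Parted Magic). It parses a 512-byte master boot record the way a rescue tool would: 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature. It then compares the boot code against a known-good hash, measures the unpartitioned space before and after the partitions (the "2 MB of open space" the Parted Magic step removes, and the kind of place bootkits such as TDL4 keep their hidden storage), and produces a sanitized sector with the boot code replaced and the partition table untouched. The sample sector, the "infected" boot code, the known-good hash and the 1 GiB disk size are all constructed for the example; the hash stands in for whatever reference boot code you trust, not a real signature database.

```python
"""MBR inspector / sanitizer (added example; sample data is constructed)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code, where a bootkit lives
PT_OFFSET = 446              # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"      # bytes 510..511: boot signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, partitions):
    """Constructed MBR from boot code and (bootable, type, lba_start, sectors) tuples.
    CHS fields get the 0xFE 0xFF 0xFF 'use LBA' marker modern tools write."""
    assert len(partitions) <= 4
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                            ptype, b"\xfe\xff\xff", lba, count)
        sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)] = entry
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Split a sector into signature check, boot-code hash and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def boot_code_matches(parsed, known_good_sha256):
    """True when the boot code is byte-for-byte the reference you trust."""
    return parsed["boot_code_sha256"] == known_good_sha256


def unpartitioned_gaps(parsed, disk_sectors):
    """(sectors between the MBR and the first partition, sectors after the last one).
    Both should be zero after the resize step in the thread; a non-zero trailing
    gap is worth dumping with dd before you reclaim it."""
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    if not parts:
        return 0, disk_sectors - 1
    leading = parts[0]["lba_start"] - 1               # sector 0 is the MBR itself
    last = parts[-1]
    trailing = disk_sectors - (last["lba_start"] + last["sectors"])
    return leading, trailing


def sanitize_mbr(sector, replacement_boot_code=b""):
    """Copy of the sector with the boot code replaced (zeroed by default) and
    partition table and signature preserved. On a real disk the zeroing form is
    `dd if=/dev/zero of=/dev/sdX bs=446 count=1`; bytes 446..511 are left alone,
    and a later Windows repair or bootloader install writes fresh boot code."""
    new = bytearray(sector)
    new[:BOOT_CODE_LEN] = replacement_boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    new[510:512] = SIGNATURE
    return bytes(new)


# ---- constructed sample data (assumptions, not real malware) -----------------
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x00" * 438
INFECTED_BOOT_CODE = bytes([0xEB, 0x3E, 0x90]) + CLEAN_BOOT_CODE[3:]   # patched entry jump
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()       # assumed reference
DISK_SECTORS = 2_097_152                                             # 1 GiB, 512-byte sectors
# One bootable NTFS partition starting at LBA 2048 with 4096 sectors (2 MiB) left free at the end.
SAMPLE_INFECTED = build_sample_mbr(INFECTED_BOOT_CODE,
                                   [(True, 0x07, 2048, DISK_SECTORS - 2048 - 4096)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_INFECTED)
    print("signature ok:", info["signature_ok"])
    print("boot code trusted:", boot_code_matches(info, KNOWN_GOOD_SHA256))
    print("partitions:", info["partitions"])
    print("leading/trailing free sectors:", unpartitioned_gaps(info, DISK_SECTORS))
    fixed = sanitize_mbr(SAMPLE_INFECTED, CLEAN_BOOT_CODE)
    print("after sanitize, trusted:", boot_code_matches(parse_mbr(fixed), KNOWN_GOOD_SHA256))
```

On a live CD you would feed `parse_mbr` the output of `dd if=/dev/sdX bs=512 count=1` (a file read in binary mode) and keep that dump as evidence before writing anything back. Note that this only cleans the first sector; code the infection stored on the filesystem or in the free sectors still has to be found and removed, which is the part the rescue-disk scan in the post handles.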
     
  11. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    479
    Bravo bird2010!

    Reading this thread was an edge-of-the-seat thriller, a heroic fight. Thank you for posting such detailed descriptions.
     
  12. frank4

    frank4 Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    7
    I'm happy for you, mate.

I can relate to your troubles because I have myself caught a BIOS virus, even though I was protected with one of the best anti-virus products available, VIPRE.

To avoid this trouble in the future, the only option is to physically block BIOS infections by pulling a jumper on your motherboard; could anyone tell me where such MBs are available?
     
  13. wat0114

    wat0114 Guest

    @bird2010,

    congratulations on winning what looks to have been an epic battle against one nasty virus :) BTW, if you can properly disable autorun for any external drives, it stands to reason this should prevent a similar type infection in the future.
     