
Chinese firm discovers BIOS-based virus


A Chinese security firm claims to have discovered a new Trojan that attacks a computer’s underlying system: the Basic Input-Output System (BIOS).

The company, “360,” said the “BMW Virus” (Mebromi) can infect, in a chain, the BIOS (motherboard chip program), the MBR (master boot record) and Microsoft Windows system files, The Hacker News reported.

Citing a translation of the Chinese firm’s claims, The Hacker News warned that efforts to “reinstall the system, regardless of the victim computer, format the hard disk, or replace the hard disk can not completely remove the virus.”

The Hacker News report said “Mebromi” can also survive a change of hard drive, and appears to be most effective on motherboards using the “Award” BIOS.

“If the system uses a BIOS other than Award, the Trojan skips trying to write to the BIOS, but still tries to infect the MBR of the boot hard drive. Removing the virus from the MBR and infected files really has no effect, because as soon as the system is restarted, the BIOS is read and the computer re-infected again. Seeming most virus companies will not want to create a BIOS cleaning utility, most likely the BIOS would need to be re-flashed to remove the virus infection completely,” it said.

“If the computer doesn’t use an Award BIOS, the contaminant simply infects the MBR,” it added.

The Hacker News said the new threat uses the CBROM command-line tool to hook its extension into the BIOS. When the system reboots, the BIOS extension adds additional code to the hard drive’s master boot record (MBR) to infect the winlogon.exe and winnt.exe processes on Windows XP and 2003, and on Windows 2000, before Windows boots.

Once Windows launches on the infected system, the malicious code downloads a rootkit to prevent the drive’s MBR from being cleaned by a virus scanner. Even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted.

— TJD, GMA News
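The report's central point, that a cleaned MBR is rewritten after the next restart, can be checked from the defender's side by comparing the MBR's boot code against a known-good baseline across reboots. The sketch below is an added example, not code from 360, The Hacker News or GMA News; it assumes the classic 512-byte MBR layout, and all function names and sample sectors are constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: bootstrap code (classic MBR layout)
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, ignoring disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()

def classify(baseline: bytes, observations):
    """Label each (label, sector) observation relative to a known-good baseline.

    'reinfected' means the boot code matched the baseline at the previous
    observation and differs again now: the pattern described in the article,
    where something outside the disk rewrites a cleaned MBR.
    """
    good = boot_code_digest(baseline)
    results, was_clean = [], False
    for label, sector in observations:
        clean = boot_code_digest(sector) == good
        if clean:
            verdict = "clean"
        elif was_clean:
            verdict = "reinfected"
        else:
            verdict = "modified"
        results.append((label, verdict))
        was_clean = clean
    return results

def _make_sector(code: bytes, table: bytes = b"") -> bytes:
    """Build a constructed 512-byte sector: code, 6 bytes of signature/reserved, table."""
    body = code.ljust(BOOT_CODE_END, b"\x00") + b"\x00" * 6 + table.ljust(64, b"\x00")
    return body + BOOT_SIGNATURE

# Constructed sample sectors (placeholders, not real boot code or malware bytes).
BASELINE = _make_sector(b"\xfa\x33\xc0")
TAMPERED = _make_sector(b"\xeb\x3c\x90")
REPARTITIONED = _make_sector(b"\xfa\x33\xc0", table=b"\x80\x01")
OBSERVATIONS = [("first scan", TAMPERED), ("after MBR repair", BASELINE),
                ("after reboot", TAMPERED)]

if __name__ == "__main__":
    for label, verdict in classify(BASELINE, OBSERVATIONS):
        print(f"{label}: {verdict}")
```

On a live system the sector would be the first 512 bytes read from the raw boot disk with administrative rights, and the baseline must come from a trusted capture taken before any suspected compromise.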