The AMI BIOS infector: Hapy Birthday
Lennart Jacobsson
I just read the alt.comp.virus FAQ and something really made me wake up!
I find a question about CMOS viruses:
<begin>
alt.comp.virus Frequently Asked Questions
by David Harley, Support & Security Analyst
Imperial Cancer Research Fund
Version 1.02e
Last modified: 14 Oct 1996
Are there CMOS viruses?
Although a virus (e.g. antiCMOS) CAN write to (and corrupt) a PC's CMOS memory, it can NOT
"hide" there. The CMOS
memory used for system information (and backed up by battery power) is not "addressable," and
requires Input/Output ("I/O")
instructions to be usable.
Data stored there are not loaded from there and executed, so virus code written to CMOS memory
would still need to infect
an executable program in order to load and execute whatever it wrote.
A virus could use CMOS memory to store part of its code, and some tamper with the CMOS Setup's
values. However,
executable code stored there must first be first moved to DOS memory in order to be executed.
Therefore, a virus can NOT
spread from, or be hidden in CMOS memory.
[There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program
which does not replicate. If the
date is 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC
speaker. In this case, the
only cure is a new BIOS - contact your dealer.]
<end>
I checked up antiCMOS and I can see that it(and other viruses too) changes the CMOS setup
values.
I can understand this. If a CMOS setup program can change the values, then a nasty virus with
a CMOS cracker can do this too.
The thing that made me confused is the thing about the trojanized AMI BIOS(I have AMI BIOS).
If this "joke program" can change the bootup code stored in AMI BIOS to play a tune, why
can't a new virus do the same, and maybe even replace the BIOS code with an infected one?
AMI BIOS is stored inside ROM, right?
So a program should NOT be able to modify BIOS!
I have the ability to use flash bios, but to do that i must change a switch on my motherboard,
to "unprotect" my ROM.
Does this "joke program" take use of some sort of flash bios?
I read the "Help: Happy Birthday Virus" article. What really happens when the infection occurs?
Wich program contains the trojan?
How do I replace my AMI BIOS(buying a new motherboard, or what?).
Is it able to manipulate flash-BIOS without "hard-unprotecting" it?
Is my BIOS code safe at all?
I would be very thankful for some help with these questions.
actually, all this is kinda scary :)
Martin Jacobsson
Bruce Burrell
Lennart Jacobsson (in...@litcon.se) wrote:
> I just read the alt.comp.virus FAQ and something really made me wake up!
> I find a question about CMOS viruses:
> I checked up antiCMOS and I can see that it(and other viruses too)
> changes the CMOS setup values.
Actually it doesn't, due to a bug.
> I can understand this. If a CMOS setup program can change the values, then
> a nasty virus with a CMOS cracker can do this too.
Yes, a virus can alter CMOS. But no virus can *infect* by residing in
CMOS.
> The thing that made me confused is the thing about the trojanized AMI
> BIOS(I have AMI BIOS). If this "joke program" can change the bootup code
> stored in AMI BIOS to play a tune, why can't a new virus do the same, and
> maybe even replace the BIOS code with an infected one?
No no no. The BIOS itself (the chip) was trojanized -- it's not a
software program that alters the BIOS after it's been burned.
> AMI BIOS is stored inside ROM, right?
> So a program should NOT be able to modify BIOS!
Assuming a non-flashable BIOS, you are correct.
> I have the ability to use flash bios, but to do that i must change a
> switch on my motherboard, "unprotect" my ROM. does this "joke program"
> take use of some sort of flash bios?
No. It's a problem with AMI quality control.
> I read the "Help: Happy Birthday Virus" article. What really happens when
> the infection occurs? Wich program contains the trojan? How do I replace
> my AMI BIOS(buying a new motherboard, or what?).
Just get a new chip for AMI.
> Is it able to manipulate flash-BIOS without "hard-unprotecting" it?
No.
> Is my BIOS code safe at all?
Yes, assuming it is ok to start. If you have the "Happy Birthday" Trojan,
then it was NOT ok when you got it.
> I would be very thankful for some help with these questions.
>
> actually, all this is kinda scary :)
Not really. Actually, not at all.
-BPB
Tarkan Yetiser
In article <57d8d4$6...@mn5.swip.net>, in...@litcon.se wrote:
> [There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program
> which does not replicate. If the
> date is 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC
> speaker. In this case, the
> only cure is a new BIOS - contact your dealer.]
> <end>
>
> The thing that made me confused is the thing about the trojanized AMI BIOS(I have AMI BIOS).
> If this "joke program" can change the bootup code stored in AMI BIOS to play a tune, why
> can't a new virus do the same, and maybe even replace the BIOS code with an infected one?
>
> AMI BIOS is stored inside ROM, right?
> So a program should NOT be able to modify BIOS!
Martin,
it's quite understandable that you got confused; though such FAQs are
useful, they are not written well enough for the average computer user
out there. The AMI Nov13th trojan is a piece of code embedded inside
the BIOS chip; it's NOT a joke program on your disk. So, you don't
have to worry about this thing "attacking" your BIOS. If you happen to
own a motherboard with one of these trojanized BIOS chips, then you'd
hear the music, otherwise you're fine.
--
Regards
Tarkan Yetiser
VDSARG
http://home.prolog.net/~tyetiser
http://www.ccso.com
And so my fellow Microserfs, ask not what your company
can do for you, ask what you can do for your company.
-BG's annual speech
David Harley
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: it's quite understandable that you got confused; though such FAQs are
: useful, they are not written well enough for the average computer user
: out there.
Thanks. It's always good to feel appreciated.
--
David Harley \ | / alt.comp.virus FAQ
D.Ha...@icrf.icnet.uk \ | / & Anti-Virus Web Page
Support & Security Analyst \ | / Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/
David Harley
David Harley (har...@europa.lif.icnet.uk) wrote:
: Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: : it's quite understandable that you got confused; though such FAQs are
: : useful, they are not written well enough for the average computer user
: : out there.
: Thanks. It's always good to feel appreciated.
Oooops. The smiley fell off. Iolo is right, irony -doesn't- work on
usenet......................
Bruce Burrell
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
> In article <57fmkl$1...@charlie.lif.icnet.uk>,
> > Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
> >
> > : it's quite understandable that you got confused; though such FAQs are
> > : useful, they are not written well enough for the average computer user
> > : out there.
> >
> > Thanks. It's always good to feel appreciated.
>
> egoes though :-)
Hey, Tarkan: if you feel anything is unclear, I'm sure David would
welcome your contributions to make it better. The FAQ contributor list is
hardly closed to qualified folks who aren't participating already.
-BPB (Yes, I'm serious.)
Tarkan Yetiser
In article <57jaga$l...@lastactionhero.rs.itd.umich.edu>,
b...@stimpy.us.itd.umich.edu wrote:
> Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
> > In article <57fmkl$1...@charlie.lif.icnet.uk>,
> > har...@europa.lif.icnet.uk wrote:
> > > Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
> > >
> > > : it's quite understandable that you got confused; though such FAQs are
> > > : useful, they are not written well enough for the average computer user
> > > : out there.
> > >
> > > Thanks. It's always good to feel appreciated.
> >
> > Hey, I said they were useful. Can't do anything about the fragile
> > egoes though :-)
>
> Hey, Tarkan: if you feel anything is unclear, I'm sure David would
> welcome your contributions to make it better. The FAQ contributor list is
> hardly closed to qualified folks who aren't participating already.
I'll take a crack at it when I have some free time. Could use some
reorganization too from what I can remember. Is it available in
WinHelp format? It should be. Without the rogue macros though ;-)
> -BPB (Yes, I'm serious.)
Hope so. Tired of people with a fish to fry :-)
David Harley
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: >
: > : it's quite understandable that you got confused; though such FAQs are
: > : useful, they are not written well enough for the average computer user
: > : out there.
: >
: > Thanks. It's always good to feel appreciated.
: Hey, I said they were useful. Can't do anything about the fragile
: egoes though :-)
I can think of easier ways of getting my ego massaged than spending
time I can't afford on maintaining these FAQs. And if I spent my
time waiting for the gurus to say something nice about them, I'd
be a sad and unproductive person. But that was gratuitously rude.
Not only to the whoever wrote that bit of the FAQ, but to 'the
average computer user'. Now if you'd been talking about management...
tar...@aol.com
>Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
>: > Thanks. It's always good to feel appreciated.
>: Hey, I said they were useful. Can't do anything about the fragile
>: egoes though :-)
>I can think of easier ways of getting my ego massaged than spending
>time I can't afford on maintaining these FAQs. And if I spent my
>time waiting for the gurus to say something nice about them, I'd
>be a sad and unproductive person. But that was gratuitously rude.
If you can't do something right, then perhaps you shouldn't do it at all.
But that's not even the case here. As for waiting for gurus to say
something nice, this is absurd. If instead of waiting for something nice
to be said, you took their criticism without getting your fragile ego in
the way, then you would end up with an improved FAQ. Did you go back and
change that very confusing section after it confused and scared that guy?
I forgot you don't have time.
>Not only to the whoever wrote that bit of the FAQ, but to 'the
>average computer user'. Now if you'd been talking about management...
It's rude to confuse people with your own confusions.
Regards,
Tarkan Yetiser
VDSARG
David Harley
tar...@aol.com wrote:
:
: >Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: >: > Thanks. It's always good to feel appreciated.
: >: Hey, I said they were useful. Can't do anything about the fragile
: >: egoes though :-)
: >I can think of easier ways of getting my ego massaged than spending
: >time I can't afford on maintaining these FAQs. And if I spent my
: >time waiting for the gurus to say something nice about them, I'd
: >be a sad and unproductive person. But that was gratuitously rude.
: If you can't do something right, then perhaps you shouldn't do it at all.
I think that speaks for itself.
: But that's not even the case here. As for waiting for gurus to say
: something nice, this is absurd.
That's why I don't do it. As I think I stated clearly enough for
you, if not the 'average computer user', in my previous post.
Which isn't to say that I don't appreciate it when someone whose
opinion I respect -does- say something nice. However, that isn't why
I do it. Nor will I go away and play Mornington Crescent because you
think it's a waste of space.
: If instead of waiting for something nice
: to be said, you took their criticism without getting your fragile ego in
: the way, then you would end up with an improved FAQ.
For a year and a half I've been attempting to improve it in exactly
that way. It's been gone over by some very competent individuals,
many of whom do not pull their punches. None of them thought it
necessary to dismiss the entire document (much of it written by
people who may know almost as much as you....) as badly written.
Certainly if I hadn't incorporated comments and additions over time,
it would have been a very different document, and much less useful.
: Did you go back and
: change that very confusing section after it confused and scared that guy?
: I forgot you don't have time.
You're right, I don't. I haven't even posted the thing for
several weeks because there was a serious error of fact that needed
addressing urgently, and even now only has a band-aid over it, and I
don't have time to do it thoroughly right now.
But I won't apologise to you or anyone else for the fact that I
can't devote the time I'd like to maintaining -any- of my FAQs.
Are you under the impression I'm paid for this? That I've signed
some sort of Service Level Agreement? That it's the biggest, or
even the only thing in my life?
And as it happens, I still haven't seen the original post, so I
can't comment on what he was confused and scared about. The
quality of the writing?
: >Not only to the whoever wrote that bit of the FAQ, but to 'the
: >average computer user'. Now if you'd been talking about management...
: It's rude to confuse people with your own confusions.
What, pray, am I confused about? If the extract you've taken exception
to is confusing, then I take editorial responsibility for it. I'll
even take a look at it when I've finished editing elsewhere in part 4
and see if I can make it clearer. But you do not have the right to
assume that every bit of the FAQ which doesn't please you is down to
my incompetence and ignorance. Or to bully me for having the temerity
to talk back to the big boys.
Shirley Worrall
On 29 Nov 1996 17:42:44 GMT, tar...@aol.com wrote:
>
> From: har...@europa.lif.icnet.uk (David Harley) wrote:
>
>>Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
>>: > Thanks. It's always good to feel appreciated.
>
>>: Hey, I said they were useful. Can't do anything about the fragile
>>: egoes though :-)
>
>>I can think of easier ways of getting my ego massaged than spending
>>time I can't afford on maintaining these FAQs. And if I spent my
>>time waiting for the gurus to say something nice about them, I'd
>>be a sad and unproductive person. But that was gratuitously rude.
>
>If you can't do something right, then perhaps you shouldn't do it at all.
>But that's not even the case here. As for waiting for gurus to say
>something nice, this is absurd. If instead of waiting for something nice
>to be said, you took their criticism without getting your fragile ego in
>the way, then you would end up with an improved FAQ.
I don't remember any guru criticising the FAQ. I'm sure many people
(me, for instance) are grateful for the time and effort people like
David put into maintaining the FAQs.
>Did you go back and change that very confusing section after it
>confused and scared that guy? I forgot you don't have time.
Tarkan, it seems you just can't help yourself!
You were invited to make a contribution, but I'm pretty sure your
response was along the lines that you didn't have time to help.
If you choose to make patronising and offensive comments, you
shouldn't be surprised when people are offended.
>
>>Not only to the whoever wrote that bit of the FAQ, but to 'the
>>average computer user'. Now if you'd been talking about management...
>
>It's rude to confuse people with your own confusions.
Right...
>
>Regards,
>Tarkan Yetiser
>VDSARG
>
--
Shirl
-----------------------------------------
Mail: s...@dial.pipex.com
WWW: http://dialspace.dial.pipex.com/sfw/
-----------------------------------------
Tarkan Yetiser
In article <57ndd3$i...@charlie.lif.icnet.uk>,
har...@europa.lif.icnet.uk wrote:
> I do it. Nor will I go away and play Mornington Crescent because you
> think it's a waste of space.
Who said it was a waste of space? You're exaggerating the issue. As
for Morning Crescent, I think that would be Alan's game :-)
> many of whom do not pull their punches. None of them thought it
> necessary to dismiss the entire document (much of it written by
> people who may know almost as much as you....) as badly written.
Nobody said you should dismiss the entire thing.
> But I won't apologise to you or anyone else for the fact that I
I don't recall asking for an apology.
> can't devote the time I'd like to maintaining -any- of my FAQs.
> Are you under the impression I'm paid for this? That I've signed
> some sort of Service Level Agreement? That it's the biggest, or
> even the only thing in my life?
I sure hope not.
> : It's rude to confuse people with your own confusions.
>
> What, pray, am I confused about? If the extract you've taken exception
> to is confusing, then I take editorial responsibility for it. I'll
> even take a look at it when I've finished editing elsewhere in part 4
The confusion was in a particular section; this has nothing to do with
your being confused or not. The "you" above is more like "one", not
you personally. But that's what you get when you tell me that pointing
out a discrepancy is rude.
> and see if I can make it clearer. But you do not have the right to
> assume that every bit of the FAQ which doesn't please you is down to
> my incompetence and ignorance. Or to bully me for having the temerity
> to talk back to the big boys.
I apologize if it sounded that way. That was not my intention at all.
Nor did I ever say you are incompetent or anything like that. All I
said was that such FAQs are useful, but not necessarily written well
enough for the average user. It's a fact for many FAQs. Don't take it
so personal, I wasn't trying to call your baby ugly :-)
Tarkan Yetiser
In article <32a34461...@newnews.dial.pipex.com>,
s...@dial.pipex.com wrote:
> If you choose to make patronising and offensive comments, you
> shouldn't be surprised when people are offended.
Shirl,
you have no idea what you're saying. Offensive comments?
Bruce Burrell
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
>
> In article <32a34461...@newnews.dial.pipex.com>,
> s...@dial.pipex.com wrote:
> > If you choose to make patronising and offensive comments, you
> > shouldn't be surprised when people are offended.
>
> Shirl,
>
> you have no idea what you're saying. Offensive comments?
Does this mean that you're agreeing that they were patronizing, then?
Just asking.
-BPB
Tarkan Yetiser
In article <57q9jf$o...@lastactionhero.rs.itd.umich.edu>,
Glad you asked. I really didn't intend to take a confession from Dave.
It ended up that way; he sounded hurt. And I apologized in another
message for the direction this thread took. But I sure don't need
people with an axe to grind to add more fuel to the fire.
David Harley
: > Hey, I said they were useful. Can't do anything about the fragile
: > egoes though :-)
: Hey, Tarkan: if you feel anything is unclear, I'm sure David would
: welcome your contributions to make it better. The FAQ contributor list is
: hardly closed to qualified folks who aren't participating already.
: -BPB (Yes, I'm serious.)
Thank you. I do -welcome- sensible corrections and contributions,
and perhaps it would have saved some acrimony if I'd simply said
so. But I didn't claim to be saintly, just to be more competent
and less egotistical than was implied.
In fact, the latest version -does- build on some of the stuff that's
come up in what I've seen of this thread with regard to this section.
As the original post has finally reached my server (do other Europeans
find they get most of their threads back-to-front?), I'll consider
whether it needs to be re-edited in line with that posting for the
next update.
The current version reads as follows. Corrections will be
considered without prejudice, irrespective of the source. ;-)
[NB This incorporates a couple of corrections which aren't
in the version I posted a couple of days ago.]
Tarkan, I normally credit significant input (corrections and
suggestions as well as contributed text) in the contributors
section. I haven't done so in this case because I seriously
doubted whether you'd want to be included, given the content
of this thread to date. If you have no objection, I'll amend
that in the next update.
--------------------------------------------------------------
"There are also reports of a trojanized AMI BIOS - this is
not a virus, but a 'joke' program which does not replicate.
The malicious program is not on the disk, nor in CMOS, but
was directly coded into the BIOS ROM chip on the system board,
by a rogue programmer at American Megatrends Inc., the BIOS
manufacturers.
If the date is 13th of November, it stops the bootup process
and plays 'Happy Birthday' through the PC speaker. In this
case, the only cure is a new BIOS (or motherboard) - contact
your dealer. The trojanized chip run was BIOS version M82C498
Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy
Kuo's "What is NOT a virus" paper."
--------------------------------------------------------------
David Harley
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: Who said it was a waste of space? You're exaggerating the issue. As
: for Morning Crescent, I think that would be Alan's game :-)
He's certainly promoted it in Usenet..... However, the radio original
has brightened my Saturday's for many years. B-)
: > can't devote the time I'd like to maintaining -any- of my FAQs.
: > Are you under the impression I'm paid for this? That I've signed
: > some sort of Service Level Agreement? That it's the biggest, or
: > even the only thing in my life?
: I sure hope not.
Don't worry. It's not. B-)
: The confusion was in a particular section; this has nothing to do with
: your being confused or not. The "you" above is more like "one", not
: you personally. But that's what you get when you tell me that pointing
: out a discrepancy is rude.
Pointing out a discrepancy isn't rude. It's all a matter of how
brusquely it's presented. I'm not sure it's a discrepancy as such,
but it merited improvement and I've attempted to do that.
: > and see if I can make it clearer. But you do not have the right to
: > assume that every bit of the FAQ which doesn't please you is down to
: > my incompetence and ignorance. Or to bully me for having the temerity
: > to talk back to the big boys.
: I apologize if it sounded that way. That was not my intention at all.
: Nor did I ever say you are incompetent or anything like that.
Fair enough. No doubt I overreacted: I generally do..... B-(
: All I
: said was that such FAQs are useful, but not necessarily written well
: enough for the average user. It's a fact for many FAQs.
You have a point. As FAQs and other freebie resources age, the
originator's efforts tend to go more into other projects inc.
spin-offs. I admit that this is true to a degree of the a.c.v. FAQ,
and it's likely to become more true in the near future.
: Don't take it
: so personal, I wasn't trying to call your baby ugly :-)
More of an elder sibling. B-)
Now if I thought you'd slighted the Mac FAQ........ ;-)
Tarkan Yetiser
In article <57sa91$3...@charlie.lif.icnet.uk>,
har...@europa.lif.icnet.uk wrote:
> Tarkan, I normally credit significant input (corrections and
> suggestions as well as contributed text) in the contributors
> section. I haven't done so in this case because I seriously
> doubted whether you'd want to be included, given the content
> of this thread to date. If you have no objection, I'll amend
> that in the next update.
Dave,
I require no credit for helping out with things like this. Knowing
that it might help somebody someday gives me great satisfaction.
David Harley
Tarkan Yetiser (tyet...@ptdprolog.net) wrote:
: > Hey, Tarkan: if you feel anything is unclear, I'm sure David would
: > welcome your contributions to make it better. The FAQ contributor list is
: > hardly closed to qualified folks who aren't participating already.
: I'll take a crack at it when I have some free time. Could use some
: reorganization too from what I can remember.
Agreed. But I don't have time. I'm not bleating about it: it just isn't
a high enough priority.
: Is it available in
: WinHelp format? It should be. Without the rogue macros though ;-)
Would be nice. But I haven't time to do that either.
Offers of help appreciated. Actual help appreciated even more. B-)
: > -BPB (Yes, I'm serious.)
: Hope so. Tired of people with a fish to fry :-)
I may have a fish but it's not biting..........