So, we booted to a known virus-free boot floppy, then removed and re-created
the partition, formatted the freshly created partition and re-ran install.
It failed in the exact same manner, and on the exact same crypto files as
before. One of the setup log files even mentions 'tampered signature'.
Bad hardware has been suggested by my peers, but could this behavior be due
to a CIH variant modifying the flash upgradeable BIOS? Until now, CIH has
been known only for destroying BIOSes, not 'going resident' in the BIOS. As
these malicious coding efforts are becoming more sophisticated, I wonder if
a new strain has appeared with this capability, to modify, and not destroy
the installed BIOS.
The CPU was an AMD Athlon. Multiplication bug, not virus?
All thoughts and opinions welcomed. I wouldn't speculate like this if the
affected files weren't all security related.
d'tho
if the damage routine had run then all you would get is a black screen and
no boot.
if you offer tech support, do more research before asking such
questions; Chen's little toy has been around a long time and is mentioned on
many AV companies' web sites.
PaX
> I wonder if
> a new strain has appeared with this capability, to modify, and not destroy
> the installed BIOS.
Have you tried disconnecting the BIOS battery?
I am working on a PC that has a BIOS-resident virus.
This stops boot from the A drive and also the HD.
It can be tricked by changing BIOS settings, but only
for inadequate time [so far] to load A/V software.
The payload is a screen full of tiny laughing faces!!!
I don't think it's funny at all!
Ron.
Are you saying you HAVE a BIOS-resident virus on a PC you are working on, or
am I reading something into your above statement that isn't there?
> This stops boot from A drive and also HD.
> It can be tricked by changing bios settings but only
> for inadequate time [so far] to load A/V software.
Here, are you saying you HAVE CREATED a virus that can remain resident in the
BIOS and fire when the system starts? Or am I again reading something into
your statements that isn't there?
> The payload is a screen full of tiny laughing faces!!!
> I don't think it's funny at all!
>
> Ron.
I would like some clarification, if for no other reason than that I and others
who are working along similar lines as a purely academic pursuit, with NO
intentions of anything ever going into the wild, and who are doing our testing
in completely isolated and as secure a system site as we can make them, sure
don't like reinventing the wheel, so to speak.
--
/}
http://www.zoomnet.net/~quick @###{ ]::::::Dino-Soft Software::::::>
\}
I am saying that I have some reason to suspect this. I am not flatly stating
that is so.
>
> > This stops boot from A drive and also HD.
> > It can be tricked by changing bios settings but only
> > for inadequate time [so far] to load A/V software.
>
> here are you saying you HAVE CREATED a virus that can remain resident in the
> BIOS and fire when the system starts? or am I again reading something into
> your statements that isn't there?
>
This second statement is not mine. The symptoms described could be from
hardware failure. I've not heard of a virus which can stop a clean floppy
disk from starting if the BIOS has floppy boot enabled.
The scenario I am trying to describe involves virus-like activity
re-occurring during the crypto portion of WinMe setup after a known
virus-free floppy boot and re-partition. To my knowledge this should not be
possible. I'm starting to become more comfortable with the idea that it's just a
BIOS or CPU calculation bug.
d'tho
yes it can. Plug-n-Play BIOS, 286+.
>
>
> I would like some clarification; if for no other reason I and others whom
> are working along similar lines as a purely academic pursuit with NO
> intentions of anything ever going into the wild and are doing our testing in
> completely isolated and as secure a system site as we can make them and we
> sure don't like reinventing the wheel so to speak.
I was wondering if you saw that.
I don't think that wheel is likely to be invented anytime soon.
~~Bart~~
if my findings are any gauge of what others delving into the same line of
testing are getting, I would agree with your post as stated.