Tampering with the BIOS and the MBR can cause continuous re-infection. So far this malicious file shows no specific symptoms, and it appears to have been released as a test.
Because a tampered BIOS and MBR are difficult for anti-virus software to treat, we explain here how to handle them.
2. Spreading path and symptoms of infection
The following URL was identified as the initial distribution source; it has since been blocked.
The word "test" in the URL is another indication that the file was designed as a test.
This malicious file can be downloaded not only from the URL above but also through e-mail attachments, messenger, and SNS links.
The recently found malicious file checks the BIOS version of the infected PC. If the BIOS is an Award BIOS, it attempts to tamper with the BIOS in addition to the MBR.
The following figure shows the files generated by this malicious file and the infection details of the tampered BIOS/MBR.
* Generated files
* Order of creation
* Procedure details
* Create bios.sys / Check the status of Award BIOS / If it is not an Award BIOS
Upon infection, bios.sys is created first.
After bios.sys has been created, the following infection procedure proceeds.
bios.sys then checks whether the infected PC's BIOS is an Award BIOS. (Even if it is not an Award BIOS, the same infection symptoms appear.) If it is an Award BIOS, bios.sys locates the SMI_PORT and sets the BIOS size.
* Process of creating bios.bin and my.sys
bios.sys drops my.sys and saves the current BIOS image to bios.bin.
It then checks the saved BIOS image for a module named "hook.rom"; if it is absent, it attempts to add hook.rom to bios.bin.
* Process of creating cbrom.exe and hook.rom / BIOS infection
In this step the cbrom.exe tool is generated and used to insert hook.rom into the BIOS image as an ISA ROM with the /isa parameter, as shown in the following figure.
The BIOS is now infected.
* Process of tampering with the MBR
In parallel with the BIOS infection, the host file tampers with the MBR. It first saves the normal MBR to a specific sector as a backup.
The following figure shows the normal MBR being read before it is saved to sector 7.
After that, the normal MBR is overwritten with the malicious one.
The values of the normal and the malicious MBR can be compared as follows.
* Infection symptoms of my.sys
The additionally created my.sys hooks IRP_MJ_READ, IRP_MJ_WRITE, and IRP_MJ_DEVICE_CONTROL. It is implemented to prevent the tampered MBR from being modified or restored.
It locates the DRIVER_OBJECT through the DEVICE_OBJECT structure and installs stealth code: the rootkit's code runs before the original dispatch routine and controls the result returned to the caller.
Once the infection is complete, the message "Find it OK" appears at boot.
The string "Find it OK" that produces this message is located in the tampered MBR.
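As an added example, not code from the original article or from INCA Internet, the following C program shows how the backup-to-sector-7 behaviour described above can be turned to the defender's advantage: it detects the tampered MBR by the "Find it OK" string and restores the boot code from the malware's own backup copy. Only the sector-7 backup and the marker string come from the article; the disk image, the dummy boot code, the partition table, the offset at which the string is placed and the function names are constructed assumptions for the illustration. On a real machine the sectors would have to be read from the raw disk from a clean boot environment, since my.sys hooks read and write requests on the running system.

```c
/*
 * Added example (not from the original article): detect an MBR tampered in the
 * way described above and restore it from the backup the malware leaves at
 * sector 7. Works on a constructed in-memory disk image of 8 sectors.
 *
 * Build: cc -std=c99 -Wall mbr_check.c -o mbr_check
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define BACKUP_LBA   7          /* article: normal MBR is saved to sector 7 */
#define BOOTCODE_LEN 446        /* bytes 0..445: boot code + disk signature */
#define PTABLE_OFF   446        /* bytes 446..509: four 16-byte partition entries */
#define PTABLE_LEN   64
#define MARKER       "Find it OK"   /* article: string printed at boot */

/* 1 if the sector ends with the 0x55 0xAA boot signature. */
int mbr_has_signature(const uint8_t *sector)
{
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* 1 if the boot-code area contains the marker string of the tampered MBR. */
int mbr_is_infected(const uint8_t *sector)
{
    size_t mlen = strlen(MARKER);
    for (size_t i = 0; i + mlen <= BOOTCODE_LEN; i++)
        if (memcmp(sector + i, MARKER, mlen) == 0)
            return 1;
    return 0;
}

/*
 * Restore the boot code of sector 0 from the backup at sector 7. Only the
 * boot-code area is copied; the live partition table is kept (as fixmbr does).
 * Returns 0 on success or a negative code:
 *  -1 image too small to contain the backup sector
 *  -2 sector 0 is not infected (nothing to do)
 *  -3 backup is not a plausible MBR (no 0x55AA, or itself infected)
 *  -4 partition table in the backup differs from the live one
 */
int restore_mbr_from_backup(uint8_t *image, size_t image_len)
{
    if (image_len < (BACKUP_LBA + 1) * SECTOR_SIZE)
        return -1;
    uint8_t *mbr = image;
    uint8_t *backup = image + BACKUP_LBA * SECTOR_SIZE;

    if (!mbr_is_infected(mbr))
        return -2;
    if (!mbr_has_signature(backup) || mbr_is_infected(backup))
        return -3;
    if (memcmp(mbr + PTABLE_OFF, backup + PTABLE_OFF, PTABLE_LEN) != 0)
        return -4;

    memcpy(mbr, backup, BOOTCODE_LEN);
    return 0;
}

/* Constructed clean image: dummy boot code, one NTFS entry, 0x55AA. */
void build_clean_image(uint8_t *image, size_t image_len)
{
    memset(image, 0, image_len);
    for (int i = 0; i < BOOTCODE_LEN; i++)      /* pattern, not real x86 code */
        image[i] = (uint8_t)(0xB8 + (i % 7));
    uint8_t entry[16] = { 0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                          0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00 };
    memcpy(image + PTABLE_OFF, entry, sizeof entry);
    image[510] = 0x55;
    image[511] = 0xAA;
}

/* Simulate the infection described in the article (constructed behaviour). */
void simulate_infection(uint8_t *image, size_t image_len)
{
    if (image_len < (BACKUP_LBA + 1) * SECTOR_SIZE)
        return;
    uint8_t *mbr = image;
    uint8_t *backup = image + BACKUP_LBA * SECTOR_SIZE;
    memcpy(backup, mbr, SECTOR_SIZE);                /* back up normal MBR to sector 7 */
    memset(mbr, 0x90, BOOTCODE_LEN);                 /* overwrite boot code */
    memcpy(mbr + 0x100, MARKER, strlen(MARKER) + 1); /* assumed offset of the string */
    /* Partition table and 0x55AA are left intact so the system still boots. */
}

int main(void)
{
    uint8_t image[8 * SECTOR_SIZE], clean_mbr[SECTOR_SIZE];
    build_clean_image(image, sizeof image);
    memcpy(clean_mbr, image, SECTOR_SIZE);

    simulate_infection(image, sizeof image);
    printf("infected: %d\n", mbr_is_infected(image));
    int rc = restore_mbr_from_backup(image, sizeof image);
    printf("restore rc=%d, mbr matches original: %d\n", rc,
           memcmp(image, clean_mbr, SECTOR_SIZE) == 0);
    return rc == 0 ? 0 : 1;
}
```

The restore deliberately refuses to proceed when the backup lacks a boot signature, carries the marker itself, or disagrees with the live partition table; in those cases the safer option is the fixmbr procedure in the next section, which rewrites only the boot code and never touches partition data.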
3. How to recover the BIOS and MBR manually
Once the BIOS and MBR have been tampered with by the malicious file above, complete treatment can be difficult. If infected, you can recover your PC with the following procedures.
* Recovering the BIOS manually
The easiest way to recover a tampered BIOS is to re-flash it with the BIOS update utility provided by the motherboard manufacturer, which replaces the whole image including the inserted hook.rom. Recover the BIOS before the MBR: as long as hook.rom remains in the BIOS, the MBR can be re-infected at the next boot.
The following guide is one example, using GIGABYTE's BIOS update utility.
* How to recover the MBR
If the MBR has been tampered with, the "Windows installation CD" can be used as follows. The repair must be done from the CD rather than from the running system, because my.sys hooks disk read and write requests to protect the tampered MBR.
1. Boot from the "Windows installation CD" and enter the Recovery Console.
2. Select the Windows installation to recover, type "fixmbr" and press Enter. A new MBR is written. (On Windows Vista/7 the equivalent command in the recovery environment is "bootrec /fixmbr".)
"Find it OK" no longer appears at boot, and manual recovery is complete.
4. How to prevent
Due to the nature of the BIOS and MBR, complete treatment by anti-virus software is difficult.
To use your PC safely against security threats from malicious attachments such as this one, we recommend the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above through "nProtect Anti-Virus/Spyware", and operates a response system against various security threats.