Is there a virus that cannot be destroyed by re-formatting the hard drive it
has infected? For example, it might have infected the BIOS on the system
board.
Possible? Sure. I know there have been “proof of concept” demonstrations,
and I’m certain it’s happened in the wild as well.
Is it likely?
I don’t believe so. Further, I believe that when faced with a virus
infection you’re probably wasting your time worrying about the BIOS.
I’ll explain why.
]]>
(Background: What’s a BIOS?)
The reason that Microsoft Windows has more viruses that any other operating system isn’t so much about its vulnerabilities as it is about it’s success. People will argue which is more of a contributing factor, but there’s no denying that the fact that Windows runs on a gazillion machines is a huge factor.
By writing a single virus that targets Microsoft Windows, a virus writer can potentially infect more computers on the planet than by writing it to target any other system. It’s no secret that virus and malware writers regularly target the greatest potential audience so as to get the greatest number of infections for their malicious intent.
Now, while Windows is relatively standard across PCs, BIOS’s are not.
The BIOS used in a PC built by one manufacturer may be radically different than that from another company. A virus that attempts to target a BIOS vulnerability or to somehow “hide” within a BIOS has to, essentially, be rewritten for or at least be customized and aware of every different BIOS that it might want target.
It’s easier to simply rely on user apathy and target unpatched vulnerabilities in Windows. One virus per vulnerability, and all unpatched machines become malware’s playground.
That’s potentially a lot. A gazillion, even. 
So just like Mac or Linux malware, there may be a few BIOS targeting viruses out there, but they’re not even close to being as common as the more standard Windows-based malware.
Now, that’s not to say that there’s zero risk.
As you point out, a virus that manages to embed itself into the BIOS or BIOS’s flash memory has one extremely unique characteristic: it’ll survive even if you completely reformat and erase everything on your hard disk.
However, even that is easily remedied, either by resetting your BIOS to it’s factory image – which most modern motherboards support – or often simply by updating or re-flashing your BIOS.
My take: it’s not something I’d worry about at all just yet. In a rare case where malware appears to have survived a reformatting … well, I’d first look at all the other ways that a machine can get immediately reinfected as you rebuild it from scratch (lack of firewall, infected external hard drives and the like). Only after eliminating those might I think about checking or resetting the BIOS.
It’s just not that common a problem right now.
AFAIK, the only way to even get a virus on the BIOS is to be careless while flashing it. I might be wrong, so correct me if otherwise.
28-Apr-2010
It’s already happened! Remember the Chernobyl virus? http://en.wikipedia.org/wiki/CIH_(computer_virus)
28-Apr-2010
If it’s a case of re-infection even after reformatting the hard drive, it could be that there is a ‘stub’ of the virus in the boot sector of the hard drive. Whilst there are several ways to eliminate this stub, one of the easiest I’ve used is to convert it to FAT 32, then back to NTFS. This re-writes the boot sector.
I have been doing PC support for nearly 25 years.
I have recently run into a rash of PC’s that have lost their video abilities. Those being on the motherboard themselves. Everything else on the PC works fine. Adding a video card does not work. These PC’s also do not have BIOS jumpers to reset. They became totally useless since without video you cannot even flash the BIOS. Myself and other technicians I know could find any explanation for this. Most of the people who lost their video reported having a virus warning right before they lost their video. This is not proof of a BIOS virus but we are very suspectful that this is the case.
How come BIOSes need to be upgradable anyway?
Shirley its job is just to load the OS from the HDD or CD and pass contol to it. That’s a very simple job.
Anything else the BIOS might have done in the past would be better supported by kernel modules in the loaded OS.
With that in mind, wouldn’t the best thing be to write protect the BIOS flash and forget about it?
To Fred (April 28, 2010 post), the virus warning they saw right before they lost video, was Not likely their anti-virus program. There is a virus out there right now that is a popup of a virus warning and to the user it will appear as if it is their anti-virus program telling the of it and to “click here” to get rid of it. Even if they only try to X out of it, the virus immediatly comes in and starts to run it’s malware. I’ve seen it a few times on my job as the office computer administrator. The computer is shot, the video was just the start. It may be in the bios, but it’s more likely in the hard drive and is burned in it. Solution – replace computer.
To Fred,
Trying booting into safe mode or VGA mode by pressing F8 on most sytems.
http://www.bit-tech.net/news/bits/2009/03/24/researchers-create-bios-malware/1
http://www.phrack.org/issues.html?issue=66&id=7
This does not look good.
26-Aug-2010
I turned off my puter and the next morning there was no video. I never received a virus warning, but a teck friend checked it out and said I had a video virus. I went into safe mode and set it to vga mode and still have the same problem. Everything works including the audio. Could there be another problem. I reset the bios and still have the same prob. Any other sugesstions?
I have an HP XW4400 workstation that will ONLY boot to the hard drive. F10 will not take you into setup. None of the F-keys will work. I don’t even get the buffer overflow beep when holding an f-key down unless I cleared the CMOS (2006 computer) first. I disconnected both the only hard drive and the CD-ROM and even then I don’t get any kind of error. Not even a no boot device found or hit F1 for setup message. I’ve swapped keyboards also. This sounds a lot like a bios virus, since it WILL boot to the hard drive.
Any thoughts?
30-Mar-2011
So if a virus complex (there are many components to the infections I have – mail worm, BHO worms, IM-propagating spear-phishing virus, rootkits, and possibly many more — which includes Alureon at the very least) has taken over all of my systems, infected my routers, and is spoofing googleapis.com to my system… if the BIOS passwords always get erased as soon as I (or any tech I’ve hired) sets one (and all of my BIOS settings get put back to the hacker’s idea of what the default settings should be for quickboot, virtualization support, audio, video, AHCI, XD bit, etc) as soon as the BIOS password disappears again after one or two restarts of any given system…
And then the BIOS passwords start sticking around just fine, but the settings get set back to the weird “defaults” again anyway… whether or not there is a hard drive connected in any way in the box…
Do you still think that it’s basically impossible for someone to have a BIOS virus, or is it possible it could have somehow infected the memory or the video built into the motherboard?
A security expert who does some “white hat” hacking (non-aggressive only) has examined several logs he’s had me create using SysInternals tools from Technet.Microsoft.com and several spyware-logging tools, and asked me questions about how and when the BIOS changes settings and passwords, and has said that he thinks it likely that I have a rare BIOS virus — from when I unknowingly was having a different malware “professional” help me with my computers, until I found out that he was in trouble with law enforcement and stopped having anything to do with him.
But my security pro friend says I can’t just flash out a BIOS virus, that I will need to actually physically pop out and replace the BIOS chip — that I can’t even just mod it out of the BIOS using the SPI interface on the motherboard. Replacing the BIOS chip for each of my computers, in addition to flashing each of my routers, getting rid of every peripheral that has flashable firmware, and “nuking” all data off every hard drive I own will probably mean an additional month of waiting before I can boot any sort of digital device with a processor in the house… after already having been basically digitally disabled since the CPUs started frying themselves by overheating last October when they were being overclocked too high for too long by this collection of crud.
What do *you* think? Can we get rid of it without replacing the BIOS chip, if indeed it is a BIOS virus, as you said would easily cure that sort of problem (in another of your articles about BIOS viruses)? If so, how do I keep it from coming back? My security friend will be helping me remotely, as he’s out of state. So I’m trying to find an option that won’t require me taking such a high risk of destroying the entire motherboard through little mistakes. Sure, flashing a BIOS is dangerous also, but in my mind not as risky as a newbie trying to pop out and replace a microchip physically.
Unfortunately, I’m very restricted in finances after all this, and can no longer afford to hire someone to do it for me… if I can afford to replace them at all. The library doesn’t provide a very long time limit, and I need to get a clean computer and router working at home so I can finish my degree, my portfolio, and find a job.
Any suggestions on where to learn more about BIOS viruses or whatever you think might be happening in my case?
I know a lot about computers as well, but I have never seen a BIOS virus. (I know it is the BIOS.) It’s probably a 5-8 year old Dell computer, and so when I turn it on it goes *beep* *beep* *beep* *beep* (A beeping noise.) and then shows several smiley faces. After it shows the smiley faces it shuts down.
I was installing random access memory to make the ridiculously slow computer slightly faster because, it has only 256 mega bytes of RAM. First, I installed one stick of RAM and it worked. Next, I installed another stick of RAM. Finally, I turned it on and the BIOS error occurred. I think (even though it probably isn’t possible) that the RAM had some kind of virus. This might be vital information: I got the RAM out of a old computer.
08-Sep-2011
When the BIOS finds something wrong with your computer, it flashes an error message on the screen or makes your computer emit a series of beeps. These beeps are actually diagnostic messages.
Computer Repairs Melbourne
I think you left one thing out. Bios chips in Tablets. These all run on the same hardware. This would make it more vulnerable to the bad guys. This WILL be a problem if it is not already. Best advice is stay on a desktop that you built and avoid accessing personal information on the web with those nifty new tablets, Androids, and iPhones.
I have 2 laptops because I go to school online and need a backup just in case… I have a 2 and a half yr. old Dell studio 1535 laptop and a brand new Acer 17.3 in. widescreen laptop, but my dell is not able to start for the last two days. Both days I had to wait for the computer to repair itself, and after it did my Charter anti-virus popped up and said virus cleaned .There were 4 instances of some ibryte virus on my computer. Today it did the same thing, but this time I did system restore myself to get rid of this. I think these viruses are getting in through windows updates. I tried to click on the little icon in the taskbar and it hid itself until I was shutting the thing down. Is it possible for viruses to come in disguised as windows updates?
Well I got an EFI virus on my macbook pro. Mac’s efi is somewhat similar to bios in pc. EFI is just a file. I highly suggest people to password protect their bios and make sure it disable bios update if there’s settings in the bios.