New Alureon Bios Rootkit un-removable

Galdorf

Galdorf

Well-Known Member
Reaction score
502
Location
Ontario, Canada
Wow this thing is in the wild have a customer that has it, i have tried everything to remove this thing it prevents bios flashing and boot block writes.
Even if you manage to boot off the OS cd and go into the command prompt and do a fixmbr does not work, all av's on a bart cd can't remove it, even tdsskiller cannot remove this thing.
Slaving the hd is no use if you clean boot block put it back in original machine as soon as bios rootkit kicks in an re-writes the rootkit boot block short of replacing the motherboard there does not seem anything i can do, unless i can find a eeprom flasher and flash bios manually.
 
Galdorf said:
Wow this thing is in the wild have a customer that has it, i have tried everything to remove this thing it prevents bios flashing and boot block writes.
Even if you manage to boot off the OS cd and go into the command prompt and do a fixmbr does not work, all av's on a bart cd can't remove it, even tdsskiller cannot remove this thing.
Slaving the hd is no use if you clean boot block put it back in original machine as soon as bios rootkit kicks in an re-writes the rootkit boot block short of replacing the motherboard there does not seem anything i can do, unless i can find a eeprom flasher and flash bios manually.
Click to expand...

Fixmbr and slaving the hard drive isn't going to fix a BIOS infection. Don't some BIOS' have a read write lock in the setup? Also, what about those programs that clean the BIOS? I can't think of it off the top of my head, but I know there is one. I don't know if it would fix this, though.
 
NeutronTech said:
Fixmbr and slaving the hard drive isn't going to fix a BIOS infection. Don't some BIOS' have a read write lock in the setup? Also, what about those programs that clean the BIOS? I can't think of it off the top of my head, but I know there is one. I don't know if it would fix this, though.
Click to expand...

The machine is an old dell p4 i checked there is no bios write protection but the rootkit prevents writing to the bios, im looking at buying an eprom writer just need to buy one with wide range for different chips.
 
How'd you determine that it's infected at the bios level? I'm somewhat skeptical that it is. To demonstrate that it is, or isn't....put a test hard drive in that you've DBAN'd...install Windows...and if it's infected at the bios level, it should show symptoms as soon as you boot. If it's not, it'll work fine.
 
14049752 said:
How'd you determine that it's infected at the bios level? I'm somewhat skeptical that it is. To demonstrate that it is, or isn't....put a test hard drive in that you've DBAN'd...install Windows...and if it's infected at the bios level, it should show symptoms as soon as you boot. If it's not, it'll work fine.
Click to expand...


I tried clearing the bios pulled battery for hour and shorted the battery leads unplugged.

When i pulled the hd and slaved it to workbench machine repaired the boot sector ran full suite of virus/malware scans disabled all startup items, checked for non-signed files, re-checked the boot sector as soon as i put it back in and booted it the boot block was again infected.

I put in a new hd installed windows ran scan and the boot block was infected again.

the machine was not plugged into network or had any usb storage devices plugged in and used official ms widows xp home cd.
 
Hmm...interesting. I'm still a little skeptical, just a little less so. I'd really love to get my hands on that system! Any chance you could convince your customer to let you ship it to me for a few days? :D

Galdorf said:
I tried clearing the bios pulled battery for hour and shorted the battery leads unplugged.
When i pulled the hd and slaved it to workbench machine repaired the boot sector ran full suite of virus/malware scans disabled all startup items, checked for non-signed files, re-checked the boot sector as soon as i put it back in and booted it the boot block was again infected.
I put in a new hd installed windows ran scan and the boot block was infected again.
the machine was not plugged into network or had any usb storage devices plugged in and used official ms widows xp home cd.
Click to expand...
 
Btw I also found that a BIOS virus is very hard to catch
Click to expand...

I think it's more that a normal virus will infect pretty much any windows installation, but a BIOS virus can only infect a specific model or BIOS version. That's what I was lead to believe
 
iisjman07 said:
I think it's more that a normal virus will infect pretty much any windows installation, but a BIOS virus can only infect a specific model or BIOS version. That's what I was lead to believe
Click to expand...

It's probably even possible to infect a bios vendor, across a series of different bios versions. Having said that, I'd almost be willing to eat my shoe if it's a bios infection a P4 Dell desktop.


soon as i put it back in and booted it the boot block was again infected. <snip> the machine was not plugged into network or had any usb storage devices plugged in and used official ms widows xp home cd.
Click to expand...

My question to that would be....how'd you know it was infected after a clean install? How'd you get your rootkit scanner on the system, or did you scan it on another system? The more I think about this, the less I'm even willing to believe it's a bios infection, instead of something you're just overlooking. Technibble has had far too many instances of people claiming they have some new super virus that's impossible to remove without cleansing fire and it just ends up being some routine thing.
 
A Dell p4 I fixed had two jumpers one to clear it and one to prevent writing to it you need to pull one to do the other. Or short both or something stupid and tacky.

I did not find this out till I found a PDF describing the procedure (from Dell). It will be two sets of jumper pins near each other. I also remember it was written on the board
"clear CMOS"
"write protect"

Or something to that effect, I hope that helps. What model of Dell is it?

EDIT: You actually had to change BIOS settings with it stuck in the change position, you had the option of leaving it that way or moving it back into write protected mode. To clear it you had to do both. But you could only change settings with the jumper in that specific pin.
 
Last edited:
Yeah, I've seen a few of those. That's why i sometimes tell people to check the documentation. Probably been a lot of good boards thrown out when just removing the battery doesn't cut it.
 
Galdorf said:
Wow this thing is in the wild have a customer that has it, i have tried everything to remove this thing it prevents bios flashing and boot block writes.
Even if you manage to boot off the OS cd and go into the command prompt and do a fixmbr does not work, all av's on a bart cd can't remove it, even tdsskiller cannot remove this thing.
Slaving the hd is no use if you clean boot block put it back in original machine as soon as bios rootkit kicks in an re-writes the rootkit boot block short of replacing the motherboard there does not seem anything i can do, unless i can find a eeprom flasher and flash bios manually.
Click to expand...

How does it prevent BIOS flashing?
 
Are you saying you replaced the original drive with a clean install and you still have the rootkit infection?
 
Last edited by a moderator:
gazza said:
Are you saying you replaced the original drive with a clean install and you still have the rootkit infection?
Click to expand...

Yes i installed a brand new drive installed windows used kis 2011 boot cd scanned boot sector and the rootkit was there.

I have scanned the boot cd on my machine and ubcd4win it is clean also i tried tdsskiller from ubcd4win it also picks it up when i hit clean it goes though with no errors i scan its gone reboot the machine and it is back again.

I just need to flash the bios i checked the motherboard on this dell p4 there is no write protect jumper for bios i have flashed these before they are early p4 boards with ddr.

Well i would not say its totally un-removable removing the bios chip and flashing would fix it the eprom burners are not expensive anyways.

The windows cd was a genuine microsoft xp home oem i have used it for quite some time.

i did not hook lan up or plug in any usb storage devices.

The boot block rootkit is nasty it is Alureon variant it also runs in 64 bit it installs and hides a new version of Zeus bot this is the hardest one i have seen to date to remove guess the bot writers are getting more creative.
I have tried 10 av rescue cd's they detect it some don't the ones that don't scan boot sectors, all major av rescue cd pick it up boot block rootkit and zeus bot cleans it but as soon as machine reboots wham it is back again, i made sure all startup items were disabled and checked signatures of all drivers and files.
 
Last edited:
Bios level rootkit, I have heard of this before but have never come across this in the shop.

You want to try Killcmos to see if can get rid of it.

If you have tried removing the cmos battery, removing the cmos jumpers then you are only left with swapping out the bios chip and erasing it. Here is a link to the Biosman if you need to do this http://www.biosman.com/replacement.htm

Just found out this, the Biosman site states NOTE: We cannot upgrade DELL computer BIOS's. Dell does not provide the binary file we need. Also, laptops can be done if the BIOS is available. Please email the BIOS you want programmed when ordering laptop BIOS's.

Maybe we need to be placing a passwords on the bios to prevent infections?

Please let us know how you get on.
 
Last edited by a moderator:
Ran killcmos flashed bios to current version, ran kis2011 rescuecd removed boot block rootkits and zeus bot restarted machine a few times then ran kis2011 scan it is now clean.
 
Galdorf said:
Ran killcmos flashed bios to current version, ran kis2011 rescuecd removed boot block rootkits and zeus bot restarted machine a few times then ran kis2011 scan it is now clean.
Click to expand...

Good to know it can fixed without resorting to a MB replacement. How exactly was it preventing you from flashing the BIOS (prior to using killcmos)?
 
Glad you got it sorted, that's the good thing about Killcmos you don't need to open the case to remove to battery or jumpers to reset the cmos.

For everyone Killcmos is a free program available on the Hiren's Boot CD.
 
You must log in or register to reply here.

Similar threads

thecomputerguy
7 Brand new computers all intermittently blue screening, I'm at a loss here.
3 4 5
Replies
84
Views
11K
thecomputerguy
thecomputerguy
NJW
Lenovo IdeaCentre B540 AIO - no BIOS/UEFI display, but boots normally
Replies
8
Views
5K
NJW
NJW
Mr. Ingram's Computer Repair & Shoppe
Custom build a few years old, motherboard refuses to boot.
Replies
16
Views
1K
CLC
CLC
Archon Prime
Bootup Issue with AIO Dell
2
Replies
20
Views
4K
Archon Prime
Archon Prime
M
New Build, i7700k, MSI z270m Mortar- Bios video corrupted?
Replies
3
Views
941
Bryce W
Bryce W
Back
Top