English Community - Software and Operating System - Security & Malware

  • Posts: 12
  • Registered: 04-26-2014
  • Location: Van Nuys, CA
  • Message 1 of 7

BIOS Infected with a Virus

2014-09-05, 0:10 AM

A hacker got into my home network and altered the BIOS on both of my Lenovo systems (I know this because the BIOS version numbers changed along with Windows being altered).

 

I tried booting the BIOS flash CD (no hard drives connected) which appeared to work, except I am seeing a message during POST that was never there before:

 

The system comes up with the THINKCENTRE logo

 

The logo disappears and, for a very brief second, a message comes up (I had to video record it to see it):

 

AHCI Option ROM BIOS Revision: 01.07.10 Date: 12-05-2008

Copyright (c) 2006-2008 Phoenix Technologies, LTD

 

Port 00: ST3500630AS  SATA-2, Hard Disk

Port 01: TSSTcorp CDDVDW TS-H653F SATA-1, CD-ROM/DVD-ROM

 

AHCI BIOS installed!

 

Then the THINKCENTRE logo comes back on. Normal boot continues.

 

I have owned these systems for a number of years and this is the first time I have ever seen this message. Prior to the hack attack, the system had the most current BIOS version. After, both systems had very old version numbers (and both machines had different versions when they used to be the same). AHCI had always been enabled.

 

On one system, I set the CMOS_CLEAR jumper to 2-3 and allowed it to boot the BIOS flash CD, bypassing normal boot options in hopes of not loading the virus during the flash operation. The screen stayed black, the CD booted, and there was a series of beeps for a few minutes, after which the system shut down. I moved the CMOS_CLEAR jumper back to 1-2 and turned on the system. The fans come on at high speed, there is no picture, and after a few seconds the system shuts down. No picture, no boot, nothing. I tried flashing again with the jumper in the normal position, but it will not boot. I tried flashing again with the jumper on 2-3, which does get the CD to boot, and it makes beeping sounds like it's flashing (still no picture). After a few minutes it shuts down. Returning the jumper to 1-2 still gives me a dead system.

 

On the second system I left the jumper on 1-2 and flashed the BIOS with the same CD (they are both the same model). I get prompted to change the serial and model (hitting N for both). The screen shows the flashing operation. When done, I hit the space bar and remove the CD. I then got some very strange messages:

 

Phoenix TrustedCore(tm) Desktop for ThinkCentre.

Copyright

.....

bla bla bla

.....

0271: Check date and time settings

ERROR

0162: Configuration Error - Default configuration used

ERROR

TCG Error:TPM Initialization Failed.

ERROR

0662: Configuration Change Has Occurred

ERROR

0162: Configuration Error - Default configuration used

ERROR

0198: System Security - Unauthorized BIOS Update Attempted.

ERROR

0197: System Security - Unauthorized CMOS change detected.

 

Press F1 for setup

 

I tried again several times to flash the BIOS. I turned the system on with the CMOS_CLEAR jumper on 2-3, then returned it to 1-2 before flashing again. I tried removing the CMOS battery for 20 minutes. I tried flashing without the CMOS battery installed. All this with no HD installed (the AHCI message didn't include the Port 00: line).

 

After several attempted flashes and toggling several BIOS options on and off (except leaving AHCI on), I got the error messages to stop, but I still get the AHCI message, which, as I mentioned, never happened before. I would think that hooking into the AHCI would give the virus the ability to write altered MBRs to

 

Now the question:

Is there a way I can pull a copy of the BIOS from the EEPROM and compare it to a known good copy to verify that what's on the motherboard is what it's supposed to be?

 

Is there a way to flash the BIOS without loading it prior to boot?

 

Is there a way to wipe all areas of the BIOS, including "protected" areas (should the virus be loaded there) so I can have a clean factory BIOS image?

 

There are other CMOS clear jumpers (CMOS_CLRHW, and another marked CMOS_CLRHW2 with no pins, only what appear to be shorting pads). Could those help?

 

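The first question in the post above (pull the BIOS off the chip and compare it with a known-good copy) is the kind of check a practitioner would script rather than eyeball. What follows is an added example for this thread; it is not code from the original post, from Lenovo or from Phoenix. It assumes two files: a dump of the board's flash chip (the "EEPROM" in the question; on desktops of this era it is normally an SPI NOR flash), read for instance with `flashrom -p internal -r dump.bin` on a board flashrom supports or with an external SPI clip programmer, and a reference image extracted from the vendor's BIOS update media. Two caveats worth stating. First, if the firmware on the chip is suspect, a read taken from inside the running OS goes through the very firmware and chipset it is trying to verify, so a read made with an external programmer while the board is powered off is the one to trust. Second, even on a clean board the dump will not be hash-identical to the update file, because the chip also holds data written at runtime (setup settings, the serial and model the flasher prompts for, the event log), so instead of a yes/no hash check the script reports each run of differing bytes and labels runs that fall in erased (0xFF) areas of the reference separately from changes inside code or data. The sample images are constructed inside the script so it runs without either file; the two file names, the 0xFF-means-erased heuristic and the 16-byte merge distance are assumptions of the example.

```python
"""Compare a dumped firmware image with a known-good one and locate the differences.

Added example for this thread, not Lenovo or Phoenix code. It assumes two files:
a dump read from the board's flash chip (for instance `flashrom -p internal -r dump.bin`
on a supported board, or a dump taken with an external SPI clip) and a reference
image extracted from the vendor's update media. The sample images below are
constructed in-line so the script runs without either file.
"""
import hashlib
import random
import sys
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; equal digests mean byte-identical images."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(ref: bytes, dump: bytes, merge_gap: int = 16) -> List[Tuple[int, int]]:
    """Return [(offset, length), ...] for runs of bytes where dump differs from ref.

    Differing bytes closer together than merge_gap are reported as one run, so a
    patched function shows up as a single region rather than dozens of 1-byte hits.
    A length mismatch is reported as a final run covering the extra bytes.
    """
    n = min(len(ref), len(dump))
    runs: List[Tuple[int, int]] = []
    start = None
    last = -1
    for i in range(n):
        if ref[i] != dump[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            runs.append((start, last - start + 1))
            start = None
    if start is not None:
        runs.append((start, last - start + 1))
    if len(ref) != len(dump):
        runs.append((n, abs(len(ref) - len(dump))))
    return runs


def describe_run(ref: bytes, dump: bytes, off: int, length: int) -> str:
    """Heuristic label for one differing run (assumption: 0xFF means erased flash)."""
    r, d = ref[off:off + length], dump[off:off + length]
    if all(b == 0xFF for b in r):
        return "erased in reference, written in dump: likely settings/NVRAM area"
    if all(b == 0xFF for b in d):
        return "present in reference, erased in dump"
    return "content differs in both images: code or data region changed"


def compare_images(ref: bytes, dump: bytes) -> Dict[str, object]:
    """Full report: digests, identical flag, and each differing run with a label."""
    runs = [(o, n, describe_run(ref, dump, o, n)) for o, n in differing_ranges(ref, dump)]
    return {
        "ref_sha256": sha256_hex(ref),
        "dump_sha256": sha256_hex(dump),
        "identical": len(runs) == 0,
        "runs": runs,
    }


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed 64 KiB images: pseudo-random 'code' plus an erased 8 KiB tail."""
    rng = random.Random(2014)
    body = bytes(rng.getrandbits(8) for _ in range(56 * 1024))
    ref = body + b"\xff" * (8 * 1024)
    dump = bytearray(ref)
    # 32 bytes patched inside the code area (XOR guarantees every byte differs).
    dump[0x1000:0x1020] = bytes(b ^ 0x55 for b in ref[0x1000:0x1020])
    # 16 bytes of settings written into the erased tail, as firmware does at runtime.
    dump[0xE000:0xE010] = b"CMOSDATA" * 2
    return ref, bytes(dump)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            ref_img, dump_img = f.read(), g.read()
    else:
        ref_img, dump_img = build_samples()
    report = compare_images(ref_img, dump_img)
    print("reference sha256:", report["ref_sha256"])
    print("dump sha256:     ", report["dump_sha256"])
    for off, n, note in report["runs"]:
        print(f"0x{off:08x} +{n:<6d} {note}")
```

Run it as `python compare_fw.py reference.bin dump.bin` (file names are placeholders) to compare real images, or with no arguments to see the constructed case. A run reported as "content differs in both images" inside the firmware's code or option-ROM area is the finding to chase; runs confined to areas that are erased in the reference are where a Phoenix-era BIOS keeps its own runtime data and are expected to differ from the update file.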

  • Location: Van Nuys, CA
  • Message 2 of 7

Re: BIOS Infected with a Virus

2014-09-05, 23:03 PM
Update:

I examined the hard drive from the system and found "unallocated" gaps between partitions. I suspect that is where the virus is being hidden: outside OS-accessible areas.

Just as a sanity check to see whether the virus was still in the BIOS or not, I installed a blank 500 GB hard drive and ran the Lenovo recovery media. At the first reboot, I instead shut down and examined the partition map. I found that while there were no gaps between the partitions created by the restore discs, there was a suspicious 500 MB unallocated area at the end of the drive. It appears to me that the virus in the BIOS reserved this area for placing additional code when the internet gets accessed.

Is there no way to clear this from the BIOS?
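The update above reasons from the partition map, so here is an added example (not from the post or from Lenovo) that enumerates what the poster looked at: the four primary entries of the 512-byte MBR and every unallocated run between and after them, plus a helper that reads the start of a gap on a raw device or disk image to tell whether it holds anything other than zeros. Logical partitions inside an extended partition and GPT disks (protective 0xEE entry) are not walked. The disk layout, partition types and sector counts are constructed for the example; the 976,773,168-sector total is the nominal sector count of a 500 GB drive, and the 2048-sector reporting threshold is a choice of the example.

```python
"""List MBR partitions and the unallocated gaps between and after them.

Added example for this thread, not Lenovo code. It reads the classic 512-byte MBR
(four primary entries; logical partitions inside an extended partition and GPT
disks behind a protective 0xEE entry are not walked) and reports gaps at least
min_sectors long. The disk layout below is constructed to resemble the post:
a small gap between two partitions and 500 MiB unallocated at the end.
"""
import io
import struct
import sys
from typing import BinaryIO, Dict, List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(mbr: bytes) -> List[Dict[str, int]]:
    """Return the non-empty primary entries as dicts with index, type, start, sectors."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        _status, ptype, start, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and size != 0:
            parts.append({"index": i + 1, "type": ptype, "start": start, "sectors": size})
    return parts


def unallocated_gaps(parts, disk_sectors: int, min_sectors: int = 2048) -> List[Tuple[int, int]]:
    """Return [(start_lba, sectors)] for unallocated runs of at least min_sectors.

    The default threshold hides the usual 1 MiB alignment gap after the MBR and
    small rounding between partitions; lower it to see everything.
    """
    gaps = []
    cursor = 1  # LBA 0 is the MBR itself
    for start, end in sorted((p["start"], p["start"] + p["sectors"]) for p in parts):
        if start - cursor >= min_sectors:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def gap_has_data(disk: BinaryIO, start_lba: int, sectors: int, max_sectors: int = 256) -> bool:
    """True if the first max_sectors of a gap contain any non-zero byte."""
    disk.seek(start_lba * SECTOR)
    chunk = disk.read(min(sectors, max_sectors) * SECTOR)
    return any(chunk)


def build_mbr(entries: List[Tuple[int, int, int]]) -> bytes:
    """Constructed MBR from (type, start_lba, sectors) tuples; first entry marked bootable."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, 0x80 if i == 0 else 0x00, ptype, start, size)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed layout for a 500 GB drive (976,773,168 sectors): 100 MiB system
# partition, a 2 MiB hole, the main partition, then 500 MiB left unallocated.
DISK_SECTORS = 976_773_168
SAMPLE_ENTRIES = [(0x07, 2_048, 204_800), (0x07, 210_944, 975_538_224)]


if __name__ == "__main__":
    if len(sys.argv) == 2:  # a raw device or disk image, e.g. /dev/sdb or disk.img
        with open(sys.argv[1], "rb") as disk:
            mbr = disk.read(SECTOR)
            disk.seek(0, io.SEEK_END)
            total = disk.tell() // SECTOR
            parts = parse_mbr(mbr)
            gaps = [(s, n, gap_has_data(disk, s, n)) for s, n in unallocated_gaps(parts, total)]
    else:
        parts = parse_mbr(build_mbr(SAMPLE_ENTRIES))
        gaps = [(s, n, None) for s, n in unallocated_gaps(parts, DISK_SECTORS)]
    for p in parts:
        print(f"part {p['index']}: type 0x{p['type']:02x} start {p['start']} sectors {p['sectors']}")
    for s, n, data in gaps:
        flag = "" if data is None else (" (contains data)" if data else " (zeros)")
        print(f"gap: LBA {s} sectors {n} ({n * SECTOR / 2**20:.0f} MiB){flag}")
```

Saved as, say, `mbr_gaps.py`, it runs against a device or image path (`python mbr_gaps.py /dev/sdb`, which needs read access to the device) or with no arguments to print the constructed layout. Reporting whether a gap is all zeros is what turns "there is unallocated space" into something checkable: a run that is entirely zeros has nothing in it to hide, while a non-zero run can be carved out with `dd` at the printed LBA and examined with a hex editor or a signature scanner.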

  • Posts: 1232
  • Registered: 09-12-2012
  • Location: US
  • Message 3 of 7

Re: BIOS Infected with a Virus

2014-09-06, 1:39 AM

Howdy JeffPalmer, my name is Hoov and I will be helping you with your problem, but we need to relocate to do it.

 

Please go to SpywareHammer.com and sign up for an account. Then, once your account gets approved (it should not take long; if you send me a Private Message here just before you do it there, I will be watching for it), follow the instructions in this post, [NEW Instructions!] What Do I Do First?, and put ATTN Hoov in the topic. We will start working as soon as possible. Please also let me know if you have access to another computer with a CD burner (or a 1 GB thumbdrive) and a broadband internet connection.

 

Hoov
Former Microsoft MVP - Consumer Security
SpywareHammer.com

  • Location: Van Nuys, CA
  • Message 4 of 7

Re: BIOS Infected with a Virus

2014-09-06, 2:33 AM
Thank you. Getting on it now.

  • Location: US
  • Message 5 of 7

Re: BIOS Infected with a Virus

2014-09-06, 2:39 AM

Check your email.

Hoov
Former Microsoft MVP - Consumer Security
SpywareHammer.com

  • Posts: 1
  • Registered: 07-18-2020
  • Location: US
  • Message 6 of 7

Re: BIOS Infected with a Virus

2020-07-18, 17:53 PM
Hey, my computer is doing the same thing. What has happened?

  • Posts: 2375
  • Registered: 05-01-2010
  • Location: US
  • Message 7 of 7

Re: BIOS Infected with a Virus

2020-07-18, 18:45 PM

This discussion is 6 years old. You will need to provide more details, including the model name of the computer, operating system and version, status of your security software/scans, and most recent BIOS update. Also add what steps you have taken to troubleshoot this issue. Perhaps with that information someone can help.

Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

