
BIOS modification trojans found


The malware writes modified code into the motherboard BIOS, adding instructions that execute during the computer's boot sequence, before the operating system starts. The rootkit, called Trojan.Mebromi, targets Award BIOSes (made by Phoenix Technologies) and is very difficult to remove.

Mebromi works by modifying the BIOS and acting in the early boot phase. By overwriting the Master Boot Record (MBR), it can infect the system before the operating system loads, which puts Windows XP, 2003, Vista and Windows 7 at risk. In each case the infected BIOS loads a file called hook.com, which checks whether the MBR is still infected and re-infects it if necessary. So far such infections have only been reported from China. Fortunately, most commercially available antivirus products are already capable of detecting

[Image: Actions of Mebromi]

In any case, the task of cleanup falls to antivirus developers, and the difficulty is obviously compounded by the fact that it is not easy to write a universal BIOS check / removal / recovery utility that is so bulletproof that it never causes damage itself and is guaranteed to work on every machine. However, it is definitely worth mentioning that in theory not only the motherboard BIOS can be such a target, but any device whose firmware can be attacked, such as a router.
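The MBR re-infection loop described above (hook.com checks the MBR and rewrites it when it has been cleaned) suggests one defender-side check that does not touch the BIOS at all: fingerprint the bootstrap code of the MBR once on a known-clean machine and alert whenever it changes. The following Python is an added example, not code from the original post or from any antivirus product; the 512-byte sample MBR it inspects is constructed here, not captured from an infected machine.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"   # final two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; partition edits do not change it."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the trusted baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline_fingerprint:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings


def make_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable NTFS (0x07) partition."""
    code = bytes([0xEB, 0x3C, 0x90]) + b"SAMPLE-BOOT-CODE".ljust(BOOT_CODE_LEN - 3, b"\x00")
    part = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + part + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr()
    baseline = boot_code_fingerprint(clean)          # record this on a known-good system
    tampered = bytearray(clean); tampered[0x10:0x14] = b"XXXX"   # simulated boot-code patch
    print(check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline))
```

On a real system the 512 bytes would be read from the raw disk device with administrator rights, and the baseline must be stored somewhere the bootkit cannot rewrite, since the re-infection step runs before the operating system.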

Mebromi creates the following files:

  • %Temp%\cbrom
  • C:\bios.bin
  • C:\my.sys
  • C:\calc.exe

Source: antivirus.blog.hu
