Need help on clearing CMOS and whatever memory on the moth..

Thank you very much for your knowlegeable advices.

I believe you are right that the bios was clean after reprogramming, but
unfortunately I didn't clear the cmos before plugging it in.

What happened was, while it was in the middle of booting process I realized
the cmos wasn't clean (may inlcude some other memories on the board in
addition to cmos), therefore I interupted the booting process, turned off
the system, reset the jumper to clear cmos, started the system again, the
virus symptom appeared (didn't recognized any hard drive in slave mode and
other weird things). The bios was taken out to compare with the original
image on the chip programmer, and was found that the bios was modified by
someting that was residing on the board, not hard drive.

The bios chip was re-programmed, and I am hoping that I can clear the board
completely before the bios is put back in.

Any idear to help understand the memories on mother board is very
appreciated.

dyf
"pjp" <pjpoirier_is_located_at_ DeleteThis @_hotmail_._com> wrote in message
news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
> Why do you feel they're infected, e.g. what's happening after bios
> reprogram?
>
> I off-hand can't think of any means by which any virus would withstand
> chip
> reprogramming. The bios doesn't "go outside itself" in the sense of load
> auxilary software except for add-on bios', e.g. video card's, scsi card,
> nic
> and perhaps some other add-on cards and I assume their bios is locked in
> the
> sense of it's on a non-reprogrammable chip. To my knowledge it's not until
> bios looks for and loads then gives control to OS (presumably) from hard
> disk, floppy, cd etc. that it becomes susceptable (booting over network
> etc.
> as exception).
>
> "dyf" <dyuefeng DeleteThis @gmail.com> wrote in message
> news:397Ig.17580$365.10337@edtnps89...
>> Hi, I am really frustrated by the virus, which has infected 5 computers
> for
>> the past half year.
>>
>> It infected hard drive's MBR and boot sector, apprently it is able to
>> hide
>> itself somewhere on the board and corrupt the bios.
>>
>> For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
>> s1854),
>> it didn't work out.
>> I had the bios chips reprogrammed with a electronic programmer. I put
>> them
>> back on the boards, while no hard drive connected, they corrupted the
>> bios
>> right away.
>>
>> I took out the bios chips and had them reprogrammed again. I reset the
> CMOS
>> and took out the battery, DRAMs for more than 2 days, too.
>>
>> So my questions are:
>> 1) Are there any other memories on the board that I need to clean, such
> as
>> CMOS, completely?
>> 2) If this is not the best place to ask such kind of question, which
>> newsgroup or forum on the net would be a better one?
>>
>> Any idea, any kinds of help is greatly appreciated.
>>
>> Derrick
>>
>>
>
>
 >> Stay informed about: Need help on clearing CMOS and whatever memory on the moth.. 

In article <wabJg.18648$395.2914@edtnps90>, "dyf" <dyuefeng RemoveThis @gmail.com> wrote:

> Thank you very much for your knowlegeable advices.
>
> I believe you are right that the bios was clean after reprogramming, but
> unfortunately I didn't clear the cmos before plugging it in.
>
> What happened was, while it was in the middle of booting process I realized
> the cmos wasn't clean (may inlcude some other memories on the board in
> addition to cmos), therefore I interupted the booting process, turned off
> the system, reset the jumper to clear cmos, started the system again, the
> virus symptom appeared (didn't recognized any hard drive in slave mode and
> other weird things). The bios was taken out to compare with the original
> image on the chip programmer, and was found that the bios was modified by
> someting that was residing on the board, not hard drive.
>
> The bios chip was re-programmed, and I am hoping that I can clear the board
> completely before the bios is put back in.
>
> Any idear to help understand the memories on mother board is very
> appreciated.

As "pjp" says, add-in cards have BIOS also. The BIOS chip on
a video card can be reflashed, and that is a potential spot
for a virus to live. For example, when my computer that contains
a Nvidia FX5200 starts up, there is a BIOS message printed on the
screen, and the message is from code contained in the BIOS chip
on the FX5200 card. And there are people who understand how to
patch video card BIOSes, so it is not a far-fetched possibility
for someone to write a virus that "lives" in a video card. Other
add-in cards are also possible virus vectors, but for a virus
writer, video cards have a high likelyhood of being found in
your average computer, so they make an excellent place to store
a virus. And if the access features and programming methods are
the same, between different models of video cards, the virus
writer probably doesn't have to work too hard to make a virus
that can attack a whole family of video card types.

Perhaps repeat your experiment again. Remove the AGP or PCI
Express video card. Install an old PCI video card (the older
the better). Reprogram the main motherboard BIOS chip. Use
the clear CMOS jumper. Then start up the system and see if the
virus symptoms are still there. If the virus symptoms have
disappeared, then you'll have to be real careful with your
video card. To reflash the video card BIOS, you might need a
different platform - people who flash video cards, use Macintoshes
and PCs, and perhaps reflashing the video card while it is
plugged into an (AGP based) Macintosh, would be one way to fix
it.

In terms of the main motherboard BIOS, be aware that when
you program the BIOS chip, the DMI and ESCD segments are
blanked. The first time the BIOS POSTs, the BIOS computes
new contents for DMI/ESCD, and those areas of the
BIOS image will change. Thus, when you later use a BIOS
tool to make a backup copy of the current contents of the
BIOS chip, there will be an area in the high address end
of the BIOS chip that will have been modified.

To check for a virus, you'd want to do a delta between
the main BIOS code modules, and the Boot Block. On an
Award BIOS, the main BIOS code modules are delimited by
"-lh5-", as each module is LHA compressed. On an AMI
BIOS, they use a different scheme, and the only tool
I can use on those is MMTool to extract and uncompress
the individual modules. A typical BIOS might have 8 to
20 modules for the main BIOS. The Boot Block code, is
intended for recovery from a bad BIOS flash, and that is
yet another area a virus could hide. The Boot Block is
not delimited in the same way as the main BIOS code
modules, and even tools like MMTool generally don't
treat the Boot Block as a module.

So I hope you are not mistaking changes to DMI/ESCD, as
evidence of a virus. The BIOS image is self-modifying,
on the first and subsequent POSTs, depending on changes
to the hardware inventory of the computer.

Paul

>
> dyf
> "pjp" <pjpoirier_is_located_at_ RemoveThis @_hotmail_._com> wrote in message
> news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
> > Why do you feel they're infected, e.g. what's happening after bios
> > reprogram?
> >
> > I off-hand can't think of any means by which any virus would withstand
> > chip
> > reprogramming. The bios doesn't "go outside itself" in the sense of load
> > auxilary software except for add-on bios', e.g. video card's, scsi card,
> > nic
> > and perhaps some other add-on cards and I assume their bios is locked in
> > the
> > sense of it's on a non-reprogrammable chip. To my knowledge it's not until
> > bios looks for and loads then gives control to OS (presumably) from hard
> > disk, floppy, cd etc. that it becomes susceptable (booting over network
> > etc.
> > as exception).
> >
> > "dyf" <dyuefeng RemoveThis @gmail.com> wrote in message
> > news:397Ig.17580$365.10337@edtnps89...
> >> Hi, I am really frustrated by the virus, which has infected 5 computers
> > for
> >> the past half year.
> >>
> >> It infected hard drive's MBR and boot sector, apprently it is able to
> >> hide
> >> itself somewhere on the board and corrupt the bios.
> >>
> >> For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
> >> s1854),
> >> it didn't work out.
> >> I had the bios chips reprogrammed with a electronic programmer. I put
> >> them
> >> back on the boards, while no hard drive connected, they corrupted the
> >> bios
> >> right away.
> >>
> >> I took out the bios chips and had them reprogrammed again. I reset the
> > CMOS
> >> and took out the battery, DRAMs for more than 2 days, too.
> >>
> >> So my questions are:
> >> 1) Are there any other memories on the board that I need to clean, such
> > as
> >> CMOS, completely?
> >> 2) If this is not the best place to ask such kind of question, which
> >> newsgroup or forum on the net would be a better one?
> >>
> >> Any idea, any kinds of help is greatly appreciated.
> >>
> >> Derrick
> >>
> >>
> >
> >
 >> Stay informed about: Need help on clearing CMOS and whatever memory on the moth.. 

Thanks a lot for you help and I will do more experiments and see what happen
next.
I really appreciate it.
dyf
"Paul" <nospam DeleteThis @needed.com> wrote in message
news:nospam-3108062221240001@192.168.1.178...
> In article <wabJg.18648$395.2914@edtnps90>, "dyf" <dyuefeng DeleteThis @gmail.com>
> wrote:
>
>> Thank you very much for your knowlegeable advices.
>>
>> I believe you are right that the bios was clean after reprogramming, but
>> unfortunately I didn't clear the cmos before plugging it in.
>>
>> What happened was, while it was in the middle of booting process I
>> realized
>> the cmos wasn't clean (may inlcude some other memories on the board in
>> addition to cmos), therefore I interupted the booting process, turned off
>> the system, reset the jumper to clear cmos, started the system again, the
>> virus symptom appeared (didn't recognized any hard drive in slave mode
>> and
>> other weird things). The bios was taken out to compare with the original
>> image on the chip programmer, and was found that the bios was modified by
>> someting that was residing on the board, not hard drive.
>>
>> The bios chip was re-programmed, and I am hoping that I can clear the
>> board
>> completely before the bios is put back in.
>>
>> Any idear to help understand the memories on mother board is very
>> appreciated.
>
> As "pjp" says, add-in cards have BIOS also. The BIOS chip on
> a video card can be reflashed, and that is a potential spot
> for a virus to live. For example, when my computer that contains
> a Nvidia FX5200 starts up, there is a BIOS message printed on the
> screen, and the message is from code contained in the BIOS chip
> on the FX5200 card. And there are people who understand how to
> patch video card BIOSes, so it is not a far-fetched possibility
> for someone to write a virus that "lives" in a video card. Other
> add-in cards are also possible virus vectors, but for a virus
> writer, video cards have a high likelyhood of being found in
> your average computer, so they make an excellent place to store
> a virus. And if the access features and programming methods are
> the same, between different models of video cards, the virus
> writer probably doesn't have to work too hard to make a virus
> that can attack a whole family of video card types.
>
> Perhaps repeat your experiment again. Remove the AGP or PCI
> Express video card. Install an old PCI video card (the older
> the better). Reprogram the main motherboard BIOS chip. Use
> the clear CMOS jumper. Then start up the system and see if the
> virus symptoms are still there. If the virus symptoms have
> disappeared, then you'll have to be real careful with your
> video card. To reflash the video card BIOS, you might need a
> different platform - people who flash video cards, use Macintoshes
> and PCs, and perhaps reflashing the video card while it is
> plugged into an (AGP based) Macintosh, would be one way to fix
> it.
>
> In terms of the main motherboard BIOS, be aware that when
> you program the BIOS chip, the DMI and ESCD segments are
> blanked. The first time the BIOS POSTs, the BIOS computes
> new contents for DMI/ESCD, and those areas of the
> BIOS image will change. Thus, when you later use a BIOS
> tool to make a backup copy of the current contents of the
> BIOS chip, there will be an area in the high address end
> of the BIOS chip that will have been modified.
>
> To check for a virus, you'd want to do a delta between
> the main BIOS code modules, and the Boot Block. On an
> Award BIOS, the main BIOS code modules are delimited by
> "-lh5-", as each module is LHA compressed. On an AMI
> BIOS, they use a different scheme, and the only tool
> I can use on those is MMTool to extract and uncompress
> the individual modules. A typical BIOS might have 8 to
> 20 modules for the main BIOS. The Boot Block code, is
> intended for recovery from a bad BIOS flash, and that is
> yet another area a virus could hide. The Boot Block is
> not delimited in the same way as the main BIOS code
> modules, and even tools like MMTool generally don't
> treat the Boot Block as a module.
>
> So I hope you are not mistaking changes to DMI/ESCD, as
> evidence of a virus. The BIOS image is self-modifying,
> on the first and subsequent POSTs, depending on changes
> to the hardware inventory of the computer.
>
> Paul
>
>>
>> dyf
>> "pjp" <pjpoirier_is_located_at_ DeleteThis @_hotmail_._com> wrote in message
>> news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
>> > Why do you feel they're infected, e.g. what's happening after bios
>> > reprogram?
>> >
>> > I off-hand can't think of any means by which any virus would withstand
>> > chip
>> > reprogramming. The bios doesn't "go outside itself" in the sense of
>> > load
>> > auxilary software except for add-on bios', e.g. video card's, scsi
>> > card,
>> > nic
>> > and perhaps some other add-on cards and I assume their bios is locked
>> > in
>> > the
>> > sense of it's on a non-reprogrammable chip. To my knowledge it's not
>> > until
>> > bios looks for and loads then gives control to OS (presumably) from
>> > hard
>> > disk, floppy, cd etc. that it becomes susceptable (booting over network
>> > etc.
>> > as exception).
>> >
>> > "dyf" <dyuefeng DeleteThis @gmail.com> wrote in message
>> > news:397Ig.17580$365.10337@edtnps89...
>> >> Hi, I am really frustrated by the virus, which has infected 5
>> >> computers
>> > for
>> >> the past half year.
>> >>
>> >> It infected hard drive's MBR and boot sector, apprently it is able to
>> >> hide
>> >> itself somewhere on the board and corrupt the bios.
>> >>
>> >> For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
>> >> s1854),
>> >> it didn't work out.
>> >> I had the bios chips reprogrammed with a electronic programmer. I put
>> >> them
>> >> back on the boards, while no hard drive connected, they corrupted the
>> >> bios
>> >> right away.
>> >>
>> >> I took out the bios chips and had them reprogrammed again. I reset the
>> > CMOS
>> >> and took out the battery, DRAMs for more than 2 days, too.
>> >>
>> >> So my questions are:
>> >> 1) Are there any other memories on the board that I need to clean,
>> >> such
>> > as
>> >> CMOS, completely?
>> >> 2) If this is not the best place to ask such kind of question, which
>> >> newsgroup or forum on the net would be a better one?
>> >>
>> >> Any idea, any kinds of help is greatly appreciated.
>> >>
>> >> Derrick
>> >>
>> >>
>> >
>> >
 >> Stay informed about: Need help on clearing CMOS and whatever memory on the moth..