More and more known viruses infect the MBR (Master Boot Record); Symantec Security Response published a blog last month demonstrating this trend. We seldom encounter one that infects the BIOS, however. One of the few is the notorious CIH, which appeared in 1999, infected the computer's BIOS and damaged a huge number of computers at the time. Recently we met a new threat, Trojan.Mebromi, that adds a malicious component to Award BIOS, allowing it to take control of the system even before the MBR is read.
The threat drops a driver to %system%\drivers\bios.sys, then stops the beep service and replaces %system%\beep.sys with the dropped driver. It then restarts the beep service so that the dropped driver is loaded.
bios.sys is used to interact with the BIOS: it can read BIOS information, and flash and back up the BIOS.
Using bios.sys, the threat checks whether the compromised computer is running Award BIOS. If so, it saves the existing BIOS to c:\bios.bin and checks whether it is already infected:
The presence of the string “hook.rom” in c:\bios.bin indicates that the BIOS is already infected. Otherwise, the threat drops the tool chrom.exe and a malicious ISA component named hook.com, and performs the infection with the following command:
chrom bios.bin /isa hook.com
This adds hook.com to bios.bin as an ISA module; the threat then flashes bios.bin to the BIOS.
The infected BIOS automatically calls the hook.rom module when the computer powers on. hook.com checks whether the MBR is infected and infects it when needed (we detect the infected MBR as “Boot.Mebromi”).
It then writes the malicious component to sectors close to the MBR and saves the original MBR to sector 8. The component is loaded by the infected MBR to infect winlogon.exe or winnt.exe.
If the BIOS is not Award BIOS, or the threat fails to get BIOS information, the threat only infects the MBR.
If winlogon.exe or winnt.exe is successfully infected at startup, it prints the string “Find it OK!”.
The infected winlogon.exe (XP/2003) or winnt.exe (Windows 2000) downloads a file from hxxp://dh.3515.info:806/test/91/calc.exe to c:\calc.exe and executes it (when we obtained the sample, the link was already dead). The infected file also loads c:\my.sys, dropped by the threat, to prevent the infected MBR from being modified: my.sys hooks disk.sys so that security software cannot restore the original MBR.
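As an added example (not part of the original post or of Symantec's tooling), a small Python triage script for the two on-disk traces described above: the “hook.rom” string in a BIOS dump, and the original MBR saved at sector 8 behind a replaced sector 0. The partition-table check and the sample disk layout are assumptions, not details from the post.

```python
"""Triage heuristics for the two traces the post describes: the "hook.rom"
ISA module name in a dumped BIOS image, and an original MBR parked at
sector 8. Sample data is constructed inline; no real firmware or disk is read."""

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
SAVED_MBR_SECTOR = 8          # sector where the post says the original MBR is kept
BIOS_MARKER = b"hook.rom"     # module name the threat itself looks for in bios.bin


def bios_image_has_hook_module(bios_image: bytes) -> bool:
    """True if a BIOS dump (such as c:\\bios.bin) contains the hook.rom module name."""
    return BIOS_MARKER in bios_image


def mbr_looks_relocated(disk: bytes, saved_sector: int = SAVED_MBR_SECTOR) -> bool:
    """Heuristic: on a clean disk the sectors between the MBR and the first
    partition are normally zero. A boot-signed (0x55AA) sector at the slot
    where Mebromi parks the original MBR, whose boot code differs from sector 0
    while the partition table matches, fits the described infection. (Keeping
    the partition table intact is a general bootkit trait, assumed here.)"""
    mbr = disk[:SECTOR]
    start = saved_sector * SECTOR
    saved = disk[start:start + SECTOR]
    if len(saved) < SECTOR or saved[510:] != BOOT_SIG:
        return False
    boot_code_differs = saved[:446] != mbr[:446]
    table_matches = saved[446:510] == mbr[446:510]
    return boot_code_differs and table_matches


def _mbr(boot_code_fill: int, table: bytes) -> bytes:
    return bytes([boot_code_fill]) * 446 + table + BOOT_SIG


def build_constructed_disk(infected: bool) -> bytes:
    """Constructed 16-sector image: clean, or with sector 0 replaced and the
    original MBR copied to sector 8 as the post describes."""
    table = bytes(64)                     # constructed, empty partition table
    clean = _mbr(0x90, table)
    disk = bytearray(16 * SECTOR)
    if infected:
        disk[:SECTOR] = _mbr(0xEB, table)             # new boot code, same table
        disk[SAVED_MBR_SECTOR * SECTOR:(SAVED_MBR_SECTOR + 1) * SECTOR] = clean
    else:
        disk[:SECTOR] = clean
    return bytes(disk)
```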
Flow chart:
Symantec has released definitions for Trojan.Mebromi and Boot.Mebromi. Users are advised to update their security software as soon as possible to protect their computers.
Special thanks to Li Yi and Yuan Liang for the analysis.