I got an e-mail from Iris stating that she had a virus she couldn’t get rid of. Even wiping the hard disk clean and reinstalling Windows XP again won’t get it off the machine!

I’ve heard of the various techniques that viruses use today to hide themselves (in memory, or in the Master Boot Record of the hard disk) so that they survive a clean install. But then she told me that wiping the disk and flashing the BIOS got rid of it. I know that a virus could write to the flash part of the BIOS (many viruses try this to actually destroy the BIOS) and that perhaps it could even hide there. But how would it ever get executed again then?

So I dropped a quick e-mail to Mark Russinovich and he replied that, by using the interaction with the ACPI part of the BIOS, a virus would become active even at setup! It was discussed at the latest Black Hat conference:
https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf (showing how both Windows and Linux would be infected)
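The practical defender's question this raises is how you would notice that the ACPI tables in a BIOS have been changed. As an added example (not code from this post, from Mark Russinovich or from Heasman's paper), the Python script below scans a raw firmware image for ACPI tables (DSDT, SSDT and a few others), checks each table's header checksum, and reports tables that differ from, or are missing in, a known-good dump of the same board and firmware version. It assumes you already have the two dumps as byte strings; the images in the script are constructed samples, not real firmware, and the only format knowledge it relies on is the standard 36-byte ACPI description table header.

```python
import hashlib
import struct

# Standard ACPI System Description Table header (36 bytes, little-endian):
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEM Table ID(8)
# OEM Revision(4) Creator ID(4) Creator Revision(4)
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")
TABLE_SIGS = (b"DSDT", b"SSDT", b"FACP", b"APIC", b"RSDT", b"XSDT")


def checksum_ok(table: bytes) -> bool:
    # The spec requires every byte of the table, checksum field included, to sum to 0 mod 256.
    return sum(table) % 256 == 0


def find_acpi_tables(image: bytes) -> list:
    """Locate plausible ACPI tables in a raw firmware dump and describe each one."""
    tables = []
    for sig in TABLE_SIGS:
        start = 0
        while True:
            off = image.find(sig, start)
            if off == -1:
                break
            start = off + 1
            if off + SDT_HEADER.size > len(image):
                continue
            _, length, _, _, oemid, oem_table_id, *_ = SDT_HEADER.unpack_from(image, off)
            if length < SDT_HEADER.size or off + length > len(image):
                continue  # the signature bytes occur in data, not in a real header
            table = image[off:off + length]
            tables.append({
                "offset": off,
                "signature": sig.decode(),
                "oemid": oemid.rstrip(b"\0 ").decode(errors="replace"),
                "oem_table_id": oem_table_id.rstrip(b"\0 ").decode(errors="replace"),
                "length": length,
                "checksum_ok": checksum_ok(table),
                "sha256": hashlib.sha256(table).hexdigest(),
            })
    return sorted(tables, key=lambda t: t["offset"])


def compare_dumps(reference: bytes, suspect: bytes) -> list:
    """List (signature, finding) pairs for tables in `suspect` that fail their checksum,
    differ from the known-good `reference`, or do not exist in it at all."""
    def key(t):
        return (t["signature"], t["oemid"], t["oem_table_id"])

    ref = {key(t): t for t in find_acpi_tables(reference)}
    findings = []
    for t in find_acpi_tables(suspect):
        if not t["checksum_ok"]:
            findings.append((t["signature"], "bad checksum"))
        if key(t) not in ref:
            findings.append((t["signature"], "not present in reference image"))
        elif ref[key(t)]["sha256"] != t["sha256"]:
            findings.append((t["signature"], "contents differ from reference"))
    return findings


def build_table(sig: bytes, oemid: bytes, table_id: bytes, body: bytes) -> bytes:
    """Assemble a well-formed ACPI table with a valid checksum; only used to build the samples."""
    length = SDT_HEADER.size + len(body)
    header = SDT_HEADER.pack(sig, length, 2, 0, oemid.ljust(6), table_id.ljust(8), 1, b"TEST", 1)
    table = header + body
    fix = (-sum(table)) % 256          # checksum field is at offset 9 and currently 0
    return table[:9] + bytes([fix]) + table[10:]


# Constructed sample images (not real firmware): tables separated by erased-flash padding.
PAD = b"\xff" * 64
REFERENCE_IMAGE = (PAD
                   + build_table(b"DSDT", b"ACME", b"BOARD01", b"\x10\x20\x30\x40")
                   + PAD
                   + build_table(b"SSDT", b"ACME", b"CPUPM", b"\x05\x06")
                   + PAD)
# Same board, but the DSDT body has changed and an SSDT the vendor never shipped has appeared.
SUSPECT_IMAGE = (PAD
                 + build_table(b"DSDT", b"ACME", b"BOARD01", b"\x10\x20\x30\x41")
                 + PAD
                 + build_table(b"SSDT", b"ACME", b"CPUPM", b"\x05\x06")
                 + PAD
                 + build_table(b"SSDT", b"ACME", b"EXTRA", b"\x07\x08\x09")
                 + PAD)

if __name__ == "__main__":
    for sig, finding in compare_dumps(REFERENCE_IMAGE, SUSPECT_IMAGE):
        print(f"{sig}: {finding}")
```

Two caveats on the design: the checksum test only catches careless edits, since anyone rewriting a table can recompute the checksum, so the hash comparison against a trusted dump is the check that matters; and a legitimate vendor BIOS update also changes these tables, so the reference image must come from the exact firmware version the machine is supposed to be running.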

My colleague Bruce Cowper (CA) pointed me to this website that has code which can be used.

So it seems only a matter of time before we also need to flash the BIOS to get rid of a virus… Yuk.