
Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #1
    ~BD~ Guest

    Ping FTR: Mebromi BIOS Virus Out in the Wild

    You've advised that this is impossible!

    Your comments requested on this item:-

    **

    Security specialists have recently discovered a virus that makes its way
    into the BIOS, making it very hard to get rid of using current
    commercial anti-virus solutions.

    The virus called Mebromi seems to be focused towards Chinese users,
    especially AMI BIOS owners, but this doesn't mean that the rest of the
    world is safe, as this could represent a gate opener for hackers who
    want to make sure our computers remain under their control.


    A full description of the way Mebromi functions was posted on the
    Webroot Threat Blog, giving us an insight on how this malicious element
    makes its way to the very core of a computer.

    The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    injector and a Trojan downloader are the elements encapsulated in this
    potentially destructive malware, which at the moment is unable to cause
    any damage to machines running 64-bit operating systems if the user
    privileges are limited.

    The whole thing starts with a few files that try to access the kernel
    to load the virus's own kernel driver that will later generate the
    serious part of the infection.

    After it successfully infects the BIOS using a file called Cbrom.exe,
    which is a legitimate tool developed by Phoenix Technologies designed to
    modify the Award/Phoenix system's ROM binaries, it moves to infecting
    the master boot record of the device.

    The winlogon.exe or wininit.exe files are also corrupted and injected
    with codes that will generate the download of additional infections.

    http://news.softpedia.com/news/Mebro...d-221702.shtml
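    As an added, defender-side illustration (not code from this thread, nor from the Webroot or Softpedia write-ups): a Python check that parses the first sector of a disk, hashes the 446-byte boot code and compares it with a digest recorded on a known-clean system, which is the kind of baseline comparison that flags an MBR rewrite like the one the article describes. The sample sector is constructed inline; the device path and where the baseline is stored are assumptions.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the part an MBR rootkit replaces
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

def parse_mbr(sector: bytes) -> Dict:
    """Split a raw 512-byte MBR into boot-code digest, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def read_mbr(device_path: str) -> bytes:
    # Sector 0 of a block device, e.g. r"\\.\PhysicalDrive0" on Windows (needs admin rights).
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)

# Constructed sample MBR (not a real disk image): tiny boot stub, one active NTFS partition at LBA 2048.
_entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
CLEAN_MBR = (b"\x33\xC0\x8E\xD0" + b"\x00" * (BOOT_CODE_LEN - 4)
             + _entry + b"\x00" * 48 + BOOT_SIGNATURE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # assumed to be recorded once while clean

# Simulated infection: boot code rewritten while the partition table stays intact.
_t = bytearray(CLEAN_MBR)
_t[0x40:0x44] = b"\xDE\xAD\xBE\xEF"
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # ['boot code differs from baseline']
```

    A digest check of this kind only catches the MBR stage; a BIOS image reflashed through cbrom.exe must be compared against the vendor's ROM separately.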

  2. #2
    Peter Foldes Guest

    Re: Attention : Crossposted post

    Attention: Crossposted post

  3. #3
    David H. Lipman Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    From: "~BD~" <~BD~@nomail.afraid.org>

    > You've advised that this is impossible!
    >
    > Your comments requested on this item:-
    >
    > **
    >
    > Security specialists have recently discovered a virus that makes its way into the BIOS,
    > making it very hard to get rid of using current commercial anti-virus solutions.
    >
    > The virus called Mebromi seems to be focused towards Chinese users, especially AMI BIOS
    > owners, but this doesn't mean that the rest of the world is safe, as this could
    > represent a gate opener for hackers who want to make sure our computers remain under
    > their control.
    >
    >
    > A full description of the way Mebromi functions was posted on the Webroot Threat Blog,
    > giving us an insight on how this malicious element makes its way to the very core of a
    > computer.
    >
    > The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file injector and a Trojan
    > downloader are the elements encapsulated in this potentially destructive malware, which
    > at the moment is unable to cause any damage to machines running 64-bit operating systems
    > if the user privileges are limited.
    >
    > The whole thing starts with a few files that try to access the kernel to load the
    > virus's own kernel driver that will later generate the serious part of the infection.
    >
    > After it successfully infects the BIOS using a file called Cbrom.exe, which is a
    > legitimate tool developed by Phoenix Technologies designed to modify the Award/Phoenix
    > system's ROM binaries, it moves to infecting the master boot record of the device.
    >
    > The winlogon.exe or wininit.exe files are also corrupted and injected with codes that
    > will generate the download of additional infections.
    >
    > http://news.softpedia.com/news/Mebro...d-221702.shtml


    It is a trojan, not a virus and we already established the fact it is in the wild and was
    found in China.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> You've advised that this is impossible!
    >>
    >> Your comments requested on this item:-
    >>
    >> **
    >>
    >> Security specialists have recently discovered a virus that makes its way into the BIOS,
    >> making it very hard to get rid of using current commercial anti-virus solutions.
    >>
    >> The virus called Mebromi seems to be focused towards Chinese users, especially AMI BIOS
    >> owners, but this doesn't mean that the rest of the world is safe, as this could
    >> represent a gate opener for hackers who want to make sure our computers remain under
    >> their control.
    >>
    >>
    >> A full description of the way Mebromi functions was posted on the Webroot Threat Blog,
    >> giving us an insight on how this malicious element makes its way to the very core of a
    >> computer.
    >>
    >> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file injector and a Trojan
    >> downloader are the elements encapsulated in this potentially destructive malware, which
    >> at the moment is unable to cause any damage to machines running 64-bit operating systems
    >> if the user privileges are limited.
    >>
    >> The whole thing starts with a few files that try to access the kernel to load the
    >> virus's own kernel driver that will later generate the serious part of the infection.
    >>
    >> After it successfully infects the BIOS using a file called Cbrom.exe, which is a
    >> legitimate tool developed by Phoenix Technologies designed to modify the Award/Phoenix
    >> system's ROM binaries, it moves to infecting the master boot record of the device.
    >>
    >> The winlogon.exe or wininit.exe files are also corrupted and injected with codes that
    >> will generate the download of additional infections.
    >>
    >> http://news.softpedia.com/news/Mebro...d-221702.shtml
    >
    > It is a trojan, not a virus and we already established the fact it is in the wild and was
    > found in China.



    Have you actually *read* the Webroot article, David?

    http://blog.webroot.com/2011/09/13/m...t-in-the-wild/

    Btw .......

    There was a time when you, DHL, used to publish quite a long list of
    URL's - places for folk to visit to get detailed help with interpreting
    their HJT logs.

    For a long time, you never included www.aumha.net - yet after I
    questioned you about same you did, eventually, include Aumha in that list.

    This is the relevant URL for Malware removal:-

    http://www.aumha.net/viewforum.php?f...t&sd=d&start=0

    Do you still publish that list? (If so, where, please?)

    Do you still include Aumha in such a listing?

    Do you consider Aumha a 'safe' place to visit and the advice given there
    to be 'sound'?

  5. #5
    Aardvark Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    On Sun, 09 Oct 2011 18:57:21 +0100, ~BD~ wrote:

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> You've advised that this is impossible!
    >>>
    >>> Your comments requested on this item:-
    >>>
    >>> **
    >>>
    >>> Security specialists have recently discovered a virus that makes its
    >>> way into the BIOS, making it very hard to get rid of using current
    >>> commercial anti-virus solutions.
    >>>
    >>> The virus called Mebromi seems to be focused towards Chinese users,
    >>> especially AMI BIOS owners, but this doesn't mean that the rest of the
    >>> world is safe, as this could represent a gate opener for hackers who
    >>> want to make sure our computers remain under their control.
    >>>
    >>>
    >>> A full description of the way Mebromi functions was posted on the
    >>> Webroot Threat Blog,
    >>> giving us an insight on how this malicious element makes its way to
    >>> the very core of a computer.
    >>>
    >>> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    >>> injector and a Trojan downloader are the elements encapsulated in this
    >>> potentially destructive malware, which at the moment is unable to
    >>> cause any damage to machines running 64-bit operating systems if the
    >>> user privileges are limited.
    >>>
    >>> The whole thing starts with a few files that try to access the kernel
    >>> to load the virus's own kernel driver that will later generate the
    >>> serious part of the infection.
    >>>
    >>> After it successfully infects the BIOS using a file called Cbrom.exe,
    >>> which is a legitimate tool developed by Phoenix Technologies designed
    >>> to modify the Award/Phoenix system's ROM binaries, it moves to
    >>> infecting the master boot record of the device.
    >>>
    >>> The winlogon.exe or wininit.exe files are also corrupted and injected
    >>> with codes that will generate the download of additional infections.
    >>>
    >>> http://news.softpedia.com/news/Mebro...us-Out-in-the-Wild-221702.shtml
    >>
    >> It is a trojan, not a virus and we already established the fact it is
    >> in the wild and was found in China.
    >
    >
    > Have you actually *read* the Webroot article, David?
    >
    > http://blog.webroot.com/2011/09/13/m...os-rootkit-in-the-wild/
    >
    > Btw .......
    >
    > There was a time when you, DHL, used to publish quite a long list of
    > URL's - places for folk to visit to get detailed help with interpreting
    > their HJT logs.
    >
    > For a long time, you never included www.aumha.net - yet after I
    > questioned you about same you did, eventually, include Aumha in that
    > list.
    >
    > This is the relevant URL for Malware removal:-
    >
    > http://www.aumha.net/viewforum.php?f...t&sd=d&start=0
    >
    > Do you still publish that list? (If so, where, please?)
    >
    > Do you still include Aumha in such a listing?
    >
    > Do you consider Aumha a 'safe' place to visit and the advice given there
    > to be 'sound'?


    UNNECESSARY CROSSPOSTING REMOVED

    HTH



    --
    America is the only country that went from barbarism to decadence without
    civilization in between. - Oscar Wilde

  6. #6
    Peter Foldes Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Needless crossposting removed AGAIN



  7. #7
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in
    news:j6sna1$mi5$1@dont-email.me:

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> You've advised that this is impossible!
    >>>
    >>> Your comments requested on this item:-
    >>>
    >>> **
    >>>
    >>> Security specialists have recently discovered a virus that makes
    >>> its way into the BIOS, making it very hard to get rid of using
    >>> current commercial anti-virus solutions.
    >>>
    >>> The virus called Mebromi seems to be focused towards Chinese
    >>> users, especially AMI BIOS owners, but this doesn't mean that the
    >>> rest of the world is safe, as this could represent a gate opener
    >>> for hackers who want to make sure our computers remain under their
    >>> control.
    >>>
    >>>
    >>> A full description of the way Mebromi functions was posted on
    >>> the Webroot Threat Blog,
    >>> giving us an insight on how this malicious element makes its way
    >>> to the very core of a computer.
    >>>
    >>> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    >>> injector and a Trojan downloader are the elements encapsulated in
    >>> this potentially destructive malware, which at the moment is
    >>> unable to cause any damage to machines running 64-bit operating
    >>> systems if the user privileges are limited.
    >>>
    >>> The whole thing starts with a few files that try to access the
    >>> kernel to load the virus's own kernel driver that will later
    >>> generate the serious part of the infection.
    >>>
    >>> After it successfully infects the BIOS using a file called
    >>> Cbrom.exe, which is a legitimate tool developed by Phoenix
    >>> Technologies designed to modify the Award/Phoenix system's ROM
    >>> binaries, it moves to infecting the master boot record of the
    >>> device.
    >>>
    >>> The winlogon.exe or wininit.exe files are also corrupted and
    >>> injected with codes that will generate the download of additional
    >>> infections.
    >>>
    >>> http://news.softpedia.com/news/Mebro...-in-the-Wild-221702.shtml
    >>
    >> It is a trojan, not a virus and we already established the fact it
    >> is in the wild and was found in China.
    >
    >
    > Have you actually *read* the Webroot article, David?


    Yes. I have as well. I stand by what David said.

    The question is, have you read AND understood the article? It's a
    rhetorical question. We all know you didn't.

    > For a long time, you never included www.aumha.net - yet after I
    > questioned you about same you did, eventually, include Aumha in that
    > list.


    So?

    > Do you still include Aumha in such a listing?


    Why would that matter?

    > Do you consider Aumha a 'safe' place to visit and the advice given
    > there to be 'sound'?


    Is there a point to this?




    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  8. #8
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Dustin wrote:

    > Yes. I have as well. I stand by what David said.


    He didn't say very much!

    > The question is, have you read AND understood the article? It's a
    > rhetorical question. We all know you didn't.


    <shrug>

    >> For a long time, you never included www.aumha.net - yet after I
    >> questioned you about same you did, eventually, include Aumha in that
    >> list.
    >
    > So?
    >
    >> Do you still include Aumha in such a listing?
    >
    > Why would that matter?


    I'd simply like to see the list again.

    >> Do you consider Aumha a 'safe' place to visit and the advice given
    >> there to be 'sound'?
    >
    > Is there a point to this?


    Of course!

    What if folk there *installed* malware instead of getting rid of it?

    Who would know?

  9. #9
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j6tagb$q3n$1@dont-email.me:

    > Dustin wrote:
    >
    >> Yes. I have as well. I stand by what David said.
    >
    > He didn't say very much!


    He's told you the same things I have repeatedly. You don't understand,
    but rather than say that, you act as if you did, so we continue. It
    doesn't do anyone any good as you don't have a clue what was discussed
    two pages ago, let alone what we're discussing on page 3.

    >> The question is, have you read AND understood the article? It's a
    >> rhetorical question. We all know you didn't.
    >
    > <shrug>


    So that's a no, I didn't get it, eh?

    > I'd simply like to see the list again.


    What's stopping you from googling?

    > Of course!


    And it would be?

    > What if folk there *installed* malware instead of getting rid of it?


    David...

    If you have proof of this, proceed. If not, you are leaving yourself
    open to various libel lawsuits; even in your country.

    > Who would know?


    That's the thing. You can't just make statements like that. As you
    continue inferring rotten things, I'm getting the impression the only
    real way to teach you different is to provide the necessary funds to
    sue you in your country and take you for everything you have, for
    slander and libel. These usenet posts will provide more than enough
    evidence to meet US laws. I'm not sure about yours, but I'm willing to
    pony up the dough for someone in your country to sue you at this point.




    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  10. #10
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j6tagb$q3n$1@dont-email.me:

    > What if folk there *installed* malware instead of getting rid of it?
    >
    > Who would know?


    If you will follow G. Morgan's posted instructions, I will provide a full
    analysis of the malware sample. You will have solid evidence which would
    hold up in a court room, and my sincere apologies for having doubted you
    on this.

    I will await that email from G. Morgan.


    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.
