"Dustin" <bughunter.dustin@gmail.com> wrote in message
news:Xns9F79E70342F2FHHI2948AJD832@no...
> "FromTheRafters" <erratic.howard@gmail.com> wrote in
> news:j6td40$86m$1@dont-email.me:
>
>> LoJack for Laptops comes closer to being a virus than does Mebromi.
>
> They're about the same. The same technology. However, at least with
> lojack they have bios vendor support and cooperation so aren't reduced
> to including 3rd party utility to flash one style of BIOS only.
I was looking at it more from a computer science angle. If the persistence
module contains the modified MBR code (and overwrites the MBR if it is
found to be unmodified), and the MBR supports the agent, and the agent
(perhaps through a network resource) can detect that the BIOS has been
unmodified (flashed without the LoJack code) and it can reflash the BIOS,
it appears to me that it qualifies as a virus.
The computer science virus definition makes no restriction on how the
process plays out, only the result is important. Mebromi doesn't have
that two-way guardian aspect - it only flashes the BIOS during the
installation and it is thereafter un-guarded. So Lojack comes closer,
and in fact may even qualify as a virus.
> Mebromi is a compilation of tools and a bit of coding, but generally
> trojan.. asshat level work.
>
>> I think that soon there will be a virus that infects the BIOS and
>> have always thought so, but it may not behave like your typical
>> malware virus.
>
> I would be inclined to agree. However, the viral code must replicate.
> Persistence alone doesn't qualify.
Right, but do you see where I'm coming from where viral code is the
means for the implementation of the persistence? Two "programs"
(BIOS routine, MBR/code in partition gaps/agent/network) that
are basically looking for infection markers and re-infecting if found
missing. The only thing missing is the obvious spreading (lack of
sneakernet vector for BIOS and harddrives) which isn't really a
requirement for a virus in the comp-sci arena - it is only required
that it doesn't overwrite its parent.
>> Those security specialists should explain to me how Mebromi
>> qualifies as a virus. While it is a PE file infector, I don't see
>> any recursive replication
>> going on overall. Before any discussion with them, I'd have to
>> ascertain whether or not they subscribe to the "all worms are
>> viruses" idea - and *then* ask them to explain how Mebromi even
>> qualifies as a worm once that idea is dispensed with.
>
> It's not a file infector.
It's not a file infecting virus, but it does infect PE files according to the
write-up. The infection is not aimed at replication, but is only a means
of attaching to the startup axis without using the registry I think.
> The modified files will not "spread" code to
> other files. It's modifying two PE files to ensure it gets an
> opportunity to startup another module included with it.
Yes, so I take it you refuse to adopt the idea that "infection" can be used
to mean that particular type of file modification even if it is not viral?
That's okay, as long as I remember your take on it.
BTW, I found this about droppers, it appears that I have used older
terminology than you have on this one.
"A Dropper is a standalone program that drops a virus to a system.
Usually a dropper for a file virus is a very small program (a few bytes)
infected by a virus.
A dropper for a boot virus is usually a program that writes the image
of a boot sector virus stored inside it to a hard or floppy drive.
Virus droppers are no longer widespread as malware with the same
capabilities integrated are becoming more common. Malicious
programs with dropper-like capabilities are now identified as
Trojan-Droppers.."
http://www.f-secure.com/v-descs/other_w32_dropper.shtml
and this
"A DROPPER is a program that has been designed or modified to "install" a
virus onto the target system. The virus code is usually contained in a
dropper in such a way that it won't be detected by virus scanners that
normally detect that virus (i.e., the dropper program is not *infected*
with the virus). While quite uncommon, a few droppers have been
discovered. A dropper is effectively a Trojan Horse (see B3) whose
payload is installing a virus infection. A dropper which installs a
virus only in memory (without infecting anything on the disk) is
sometimes called an "injector"."
http://stason.org/TULARC/security/co...ter-virus.html
They seem to agree with my view that a zeroth iteration virus is actually a
dropper.
Unfortunately, these two are opposed on the idea that a virally "infected" file
is a dropper.
[...]
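The "two-way guardian" that FromTheRafters describes (a BIOS module that rewrites a clean MBR, and an MBR-hooked agent that reflashes a clean BIOS) versus the one-way Mebromi pattern (BIOS flashed once at install, never re-guarded) can be made concrete with a small simulation. This is an added example, not code from LoJack, Mebromi or either poster: the BIOS and MBR are modelled as byte strings, the `[AGENT]` marker, the component names and the `network_says_infected` flag are all hypothetical stand-ins for the real mechanisms.

```python
"""Toy model of mutual (two-way) versus one-way firmware/MBR persistence.

Added example only. Nothing here is LoJack or Mebromi code; the stores,
marker and 'network' check are constructed for illustration.
"""

CLEAN_BIOS = b"vendor-bios-image"
CLEAN_MBR = b"vendor-boot-code"
MARKER = b"[AGENT]"  # hypothetical infection marker both guardians look for


class Machine:
    """Holds the two persistent stores the thread is arguing about."""

    def __init__(self):
        self.bios = CLEAN_BIOS
        self.mbr = CLEAN_MBR

    def bios_infected(self):
        return MARKER in self.bios

    def mbr_infected(self):
        return MARKER in self.mbr


def bios_guardian(m):
    """BIOS persistence module at boot: if its own copy is present and the
    MBR is clean, rewrite the MBR. Never touches an already-infected MBR,
    so it does not overwrite its parent. Returns True if it acted."""
    if m.bios_infected() and not m.mbr_infected():
        m.mbr = CLEAN_MBR + MARKER
        return True
    return False


def mbr_guardian(m, network_says_infected=True):
    """MBR-hooked agent later in boot: if its own copy is present and the
    BIOS has been flashed clean, reflash the BIOS. The flag stands in for
    the remote check the post mentions. Returns True if it acted."""
    if m.mbr_infected() and not m.bios_infected() and network_says_infected:
        m.bios = CLEAN_BIOS + MARKER
        return True
    return False


def boot(m, two_way=True, network_says_infected=True):
    """Simulate one boot cycle; returns the list of guardians that acted.
    two_way=False models the Mebromi-style layout where only the BIOS side
    guards the MBR and nothing ever reflashes the BIOS."""
    acted = []
    if bios_guardian(m):
        acted.append("bios->mbr")
    if two_way and mbr_guardian(m, network_says_infected):
        acted.append("mbr->bios")
    return acted


def install(m):
    """Initial dropper step: both stores get the marker."""
    m.bios = CLEAN_BIOS + MARKER
    m.mbr = CLEAN_MBR + MARKER


def survives(m, wipe_bios, wipe_mbr, two_way=True, boots=2):
    """Wipe one or both stores, boot a couple of times, and report whether
    the marker is back in both places."""
    if wipe_bios:
        m.bios = CLEAN_BIOS
    if wipe_mbr:
        m.mbr = CLEAN_MBR
    for _ in range(boots):
        boot(m, two_way=two_way)
    return m.bios_infected() and m.mbr_infected()


def demo():
    """Run every wipe scenario against both layouts; returns a dict keyed by
    (two_way, wiped_stores) -> True if the infection re-established itself."""
    results = {}
    for two_way in (True, False):
        for wipe in (("bios",), ("mbr",), ("bios", "mbr")):
            m = Machine()
            install(m)
            results[(two_way, wipe)] = survives(
                m, "bios" in wipe, "mbr" in wipe, two_way=two_way)
    return results


if __name__ == "__main__":
    for (two_way, wipe), alive in sorted(demo().items()):
        kind = "two-way" if two_way else "one-way"
        state = "re-infected" if alive else "gone"
        print(f"{kind:7s} wipe {'+'.join(wipe):8s} -> {state}")
```

The point the model makes: with two guardians, cleaning either store alone is undone on the next boot and only cleaning both at once removes it, whereas the one-way layout dies the moment the BIOS is reflashed clean. Each guardian also refuses to write over a store that already carries the marker, which is the "doesn't overwrite its parent" condition the post cites.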