FromTheRafters wrote:
> "~BD~"<~BD~@nomail.afraid.org> wrote in message
> news:j6u832$in8$1@dont-email.me...
>> FromTheRafters wrote:
>>> "~BD~"<~BD~@nomail.afraid.org> wrote in message
>>> news:j6sfd0$26j$1@dont-email.me...
>>>> You've advised that this is impossible!
>>>
>>> No I haven't. I believe I told you that there was not yet enough room in the
>>> BIOS for a virus *infection* in the BIOS. I also am the one that pointed you
>>> to several papers on PCI rootkits and such.
>>
>>
>> Forgive me if I misunderstood. I have always valued your help and advice.
>>
>>
>>> LoJack for Laptops comes closer to being a virus than does Mebromi.
>>>
>>> I think that soon there will be a virus that infects the BIOS and have always
>>> thought so, but it may not behave like your typical malware virus.
>>
>>
>> Such a virus could render a computer more or less useless?
>
> It could be benign as well.
>
>> Would a cost-effective repair be possible do you think?
>
> Of course, what can be done in software can be undone in software. This
> is less about the virus aspect and more about persistence and stealth.
>
> Once you know it is there, removing it is a breeze.
Ah! Right on the nail! :-)
> [...]
>
>>> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
>>> a guardian for that MBR rootkit (persistence). In addition, a kernel mode
>>> rootkit that hides an additional downloader's actions. It infects two
>>> specific system PE files as a startup method for said stealth downloader.
>>
>> I know you like to be 'correct' in the use of terms, FTR (and rightly so) -
>> but the *effect* is what *really* matters IMO!
>
> And that *effect* depends entirely on what it *is* rather than what
> people think it is.
>
> [...]
OK - I'll not argue that point.
>>> Do you have any specific on topic questions for the spyware group?
>>
>> Yes. How would anyone know that they had been infected in this manner if their
>> anti-malware programmes didn't flag same?
>
> They wouldn't.
*Exactly*!
> But these things don't exist in a vacuum. The chances are great that such
> an infection would be used to persistently hide the activities of some
> associated malware. That associated malware may well be detected
> from outside the stealthed environment. Usually, there will be network
> activity associated with the malware for instance.
Still not easy to detect, especially if one isn't looking for same!
Thanks for your answers, FTR. :-)
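The point made above about spotting a stealthed infection from outside the host (the associated malware usually generates network activity) can be illustrated with a small beacon-detection script. This is an added example and not code from either poster or from any tool mentioned in the thread. It assumes a flow log as a network sensor outside the machine would record it, with one line per connection (timestamp, source, destination, port, bytes); the addresses, times and byte counts are constructed sample data, and the thresholds (at least five connections, interval coefficient of variation no greater than 0.2) are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log (timestamp src dst dport bytes), as a network
# sensor outside the host would record it. 10.0.0.7 checks in with
# 203.0.113.9 about once a minute; 10.0.0.12 is ordinary irregular browsing.
SAMPLE_FLOWS = """\
2011-10-09T08:00:00 10.0.0.7 203.0.113.9 80 512
2011-10-09T08:00:10 10.0.0.12 198.51.100.5 443 2048
2011-10-09T08:00:12 10.0.0.12 198.51.100.5 443 17100
2011-10-09T08:01:00 10.0.0.7 203.0.113.9 80 498
2011-10-09T08:01:58 10.0.0.7 203.0.113.9 80 503
2011-10-09T08:02:59 10.0.0.7 203.0.113.9 80 511
2011-10-09T08:03:40 10.0.0.12 198.51.100.5 443 940
2011-10-09T08:03:59 10.0.0.7 203.0.113.9 80 497
2011-10-09T08:04:30 10.0.0.7 198.51.100.20 443 1300
2011-10-09T08:05:01 10.0.0.7 203.0.113.9 80 505
2011-10-09T08:17:05 10.0.0.12 198.51.100.5 443 3900
2011-10-09T08:17:06 10.0.0.12 198.51.100.5 443 880
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_count=5, max_cv=0.2):
    """Return {(src, dst, dport): stats} for talkers whose inter-connection
    intervals are regular enough to look like a scheduled check-in.

    A host-resident rootkit can hide its process and files from the host, but
    it cannot hide the packets from a sensor on the wire; a low coefficient of
    variation (pstdev / mean) of the gaps between connections is the tell."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in by_peer.items():
        if len(stamps) < min_count:      # too few connections to judge a rhythm
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                     # all in the same second; not a schedule
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['mean_interval']:.0f}s "
              f"({stats['count']} connections, cv={stats['cv']:.3f})")
```

On the constructed data only the minute-by-minute talker to 203.0.113.9 is reported; the browsing host makes as many connections but at irregular gaps, and the single connection to 198.51.100.20 never reaches the count threshold. Real check-in intervals are often jittered and much longer, so the thresholds are a starting point for tuning, not fixed values.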