It is possible to write a virus that hides itself in certain BIOSes. The good news is that a BIOS virus is extremely rare.

Is there a virus that cannot be destroyed by re-formatting the hard drive it has infected? For example, it might have infected the BIOS on the system board.

Possible? Sure. I know there have been "proof of concept" demonstrations, and I'm certain it's happened in the wild as well.

Is it likely?

I don't believe so. Further, I believe that when faced with a virus infection you're probably wasting your time worrying about the BIOS.

I'll explain why.

(Background: What's a BIOS?)

The reason that Microsoft Windows has more viruses than any other operating system isn't so much about its vulnerabilities as it is about its success. People will argue which is more of a contributing factor, but there's no denying that the fact that Windows runs on a gazillion machines is a huge factor.

By writing a single virus that targets Microsoft Windows, a virus writer can potentially infect more computers on the planet than by writing it to target any other system. It's no secret that virus and malware writers regularly target the greatest potential audience so as to get the greatest number of infections for their malicious intent.

Now, while Windows is relatively standard across PCs, BIOSes are not.

The BIOS used in a PC built by one manufacturer may be radically different from that of another company. A virus that attempts to target a BIOS vulnerability or to somehow "hide" within a BIOS has to, essentially, be rewritten for, or at least be customized for and aware of, every different BIOS that it might want to target.

It's easier to simply rely on user apathy and target unpatched vulnerabilities in Windows. One virus per vulnerability, and all unpatched machines become malware's playground.

That's potentially a lot. A gazillion, even.

So just like Mac or Linux malware, there may be a few BIOS-targeting viruses out there, but they're not even close to being as common as the more standard Windows-based malware.

Now, that's not to say that there's zero risk.

As you point out, a virus that manages to embed itself into the BIOS or the BIOS's flash memory has one unique characteristic: it'll survive even if you completely reformat and erase everything on your hard disk.

However, even that is easily remedied, either by resetting your BIOS to its factory image - which most modern motherboards support - or often simply by updating or re-flashing your BIOS.

My take: it's not something I'd worry about at all just yet. In a rare case where malware appears to have survived a reformatting ... well, I'd first look at all the other ways that a machine can get immediately reinfected as you rebuild it from scratch (lack of firewall, infected external hard drives and the like). Only after eliminating those might I think about checking or resetting the BIOS.

It's just not that common a problem right now.

Article C4276 - April 23, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

16 Comments
Me
April 27, 2010 10:53 AM

AFAIK, the only way to even get a virus on the BIOS is to be careless while flashing it. I might be wrong, so correct me if otherwise.

I believe that, as I said, there are proof of concept instances of software which, essentially, initiates a malicious flash to insert itself into the BIOS. And again, since that is BIOS-specific it's not something I worry about at all.
Leo
28-Apr-2010

Stuart Moses
April 27, 2010 6:24 PM

It's already happened! Remember the Chernobyl virus? http://en.wikipedia.org/wiki/CIH_(computer_virus)

If you read that article you'll see that Chernobyl did not place itself in the BIOS. On some limited number of machines it only corrupted the BIOS, making the machine unbootable.
Leo
28-Apr-2010

Garry
April 28, 2010 12:01 AM

If it's a case of re-infection even after reformatting the hard drive, it could be that there is a 'stub' of the virus in the boot sector of the hard drive. Whilst there are several ways to eliminate this stub, one of the easiest I've used is to convert it to FAT 32, then back to NTFS. This re-writes the boot sector.

Fred
April 28, 2010 8:35 AM

I have been doing PC support for nearly 25 years.
I have recently run into a rash of PC's that have lost their video abilities. Those being on the motherboard themselves. Everything else on the PC works fine. Adding a video card does not work. These PC's also do not have BIOS jumpers to reset. They became totally useless since without video you cannot even flash the BIOS. Myself and other technicians I know could find any explanation for this. Most of the people who lost their video reported having a virus warning right before they lost their video. This is not proof of a BIOS virus but we are very suspectful that this is the case.

Bill P. Godfrey
April 29, 2010 6:50 AM

How come BIOSes need to be upgradable anyway?

Shirley its job is just to load the OS from the HDD or CD and pass control to it. That's a very simple job.

Anything else the BIOS might have done in the past would be better supported by kernel modules in the loaded OS.

With that in mind, wouldn't the best thing be to write protect the BIOS flash and forget about it?

Matthew
June 25, 2010 7:28 AM

To Fred (April 28, 2010 post), the virus warning they saw right before they lost video, was Not likely their anti-virus program. There is a virus out there right now that is a popup of a virus warning and to the user it will appear as if it is their anti-virus program telling them of it and to "click here" to get rid of it. Even if they only try to X out of it, the virus immediately comes in and starts to run its malware. I've seen it a few times on my job as the office computer administrator. The computer is shot, the video was just the start. It may be in the bios, but it's more likely in the hard drive and is burned in it. Solution - replace computer.

Roger
July 12, 2010 10:59 AM

To Fred,

Try booting into safe mode or VGA mode by pressing F8 on most systems.

al
August 20, 2010 9:44 AM

http://www.bit-tech.net/news/bits/2009/03/24/researchers-create-bios-malware/1

http://www.phrack.org/issues.html?issue=66&id=7

This does not look good.

Those articles basically confirm what my article says: possible, for specific BIOS's, proof of concept exists, but it remains extremely rare.
Leo
26-Aug-2010

oldhippy2
March 14, 2011 7:27 PM

I turned off my puter and the next morning there was no video. I never received a virus warning, but a tech friend checked it out and said I had a video virus. I went into safe mode and set it to vga mode and still have the same problem. Everything works including the audio. Could there be another problem? I reset the bios and still have the same prob. Any other suggestions?

Bill
March 29, 2011 1:26 PM

I have an HP XW4400 workstation that will ONLY boot to the hard drive. F10 will not take you into setup. None of the F-keys will work. I don't even get the buffer overflow beep when holding an f-key down unless I cleared the CMOS (2006 computer) first. I disconnected both the only hard drive and the CD-ROM and even then I don't get any kind of error. Not even a no boot device found or hit F1 for setup message. I've swapped keyboards also. This sounds a lot like a bios virus, since it WILL boot to the hard drive.

Any thoughts?

This sounds like something else completely to me: Why doesn't my keyboard work until Windows is running?
Leo
30-Mar-2011

Venushakti
June 4, 2011 8:59 AM

So if a virus complex (there are many components to the infections I have - mail worm, BHO worms, IM-propagating spear-phishing virus, rootkits, and possibly many more -- which includes Alureon at the very least) has taken over all of my systems, infected my routers, and is spoofing googleapis.com to my system... if the BIOS passwords always get erased as soon as I (or any tech I've hired) sets one (and all of my BIOS settings get put back to the hacker's idea of what the default settings should be for quickboot, virtualization support, audio, video, AHCI, XD bit, etc) as soon as the BIOS password disappears again after one or two restarts of any given system...

And then the BIOS passwords start sticking around just fine, but the settings get set back to the weird "defaults" again anyway... whether or not there is a hard drive connected in any way in the box...

Do you still think that it's basically impossible for someone to have a BIOS virus, or is it possible it could have somehow infected the memory or the video built into the motherboard?

A security expert who does some "white hat" hacking (non-aggressive only) has examined several logs he's had me create using SysInternals tools from Technet.Microsoft.com and several spyware-logging tools, and asked me questions about how and when the BIOS changes settings and passwords, and has said that he thinks it likely that I have a rare BIOS virus -- from when I unknowingly was having a different malware "professional" help me with my computers, until I found out that he was in trouble with law enforcement and stopped having anything to do with him.

But my security pro friend says I can't just flash out a BIOS virus, that I will need to actually physically pop out and replace the BIOS chip -- that I can't even just mod it out of the BIOS using the SPI interface on the motherboard. Replacing the BIOS chip for each of my computers, in addition to flashing each of my routers, getting rid of every peripheral that has flashable firmware, and "nuking" all data off every hard drive I own will probably mean an additional month of waiting before I can boot any sort of digital device with a processor in the house... after already having been basically digitally disabled since the CPUs started frying themselves by overheating last October when they were being overclocked too high for too long by this collection of crud.

What do *you* think? Can we get rid of it without replacing the BIOS chip, if indeed it is a BIOS virus, as you said would easily cure that sort of problem (in another of your articles about BIOS viruses)? If so, how do I keep it from coming back? My security friend will be helping me remotely, as he's out of state. So I'm trying to find an option that won't require me taking such a high risk of destroying the entire motherboard through little mistakes. Sure, flashing a BIOS is dangerous also, but in my mind not as risky as a newbie trying to pop out and replace a microchip physically.

Unfortunately, I'm very restricted in finances after all this, and can no longer afford to hire someone to do it for me... if I can afford to replace them at all. The library doesn't provide a very long time limit, and I need to get a clean computer and router working at home so I can finish my degree, my portfolio, and find a job.

Any suggestions on where to learn more about BIOS viruses or whatever you think might be happening in my case?

Easton
September 7, 2011 4:42 PM

I know a lot about computers as well, but I have never seen a BIOS virus. (I know it is the BIOS.) It's probably a 5-8 year old Dell computer, and so when I turn it on it goes *beep* *beep* *beep* *beep* (A beeping noise.) and then shows several smiley faces. After it shows the smiley faces it shuts down.
I was installing random access memory to make the ridiculously slow computer slightly faster because, it has only 256 mega bytes of RAM. First, I installed one stick of RAM and it worked. Next, I installed another stick of RAM. Finally, I turned it on and the BIOS error occurred. I think (even though it probably isn't possible) that the RAM had some kind of virus. This might be vital information: I got the RAM out of a old computer.

It is not possible to get a virus from a RAM stick. BIOS's use beep codes when they detect that the system isn't operable in some fundamental way. My guess is that RAM stick isn't compatible with your system.
Leo
08-Sep-2011

Computer Repairs Melbourne
November 24, 2011 1:46 AM

When the BIOS finds something wrong with your computer, it flashes an error message on the screen or makes your computer emit a series of beeps. These beeps are actually diagnostic messages.

Computer Repairs Melbourne

fuzzy boner
January 8, 2012 5:18 PM

I think you left one thing out. Bios chips in Tablets. These all run on the same hardware. This would make it more vulnerable to the bad guys. This WILL be a problem if it is not already. Best advice is stay on a desktop that you built and avoid accessing personal information on the web with those nifty new tablets, Androids, and iPhones.

Linda
February 21, 2012 7:31 PM

I have 2 laptops because I go to school online and need a backup just in case... I have a 2 and a half yr. old Dell studio 1535 laptop and a brand new Acer 17.3 in. widescreen laptop, but my dell is not able to start for the last two days. Both days I had to wait for the computer to repair itself, and after it did my Charter anti-virus popped up and said virus cleaned. There were 4 instances of some ibryte virus on my computer. Today it did the same thing, but this time I did system restore myself to get rid of this. I think these viruses are getting in through windows updates. I tried to click on the little icon in the taskbar and it hid itself until I was shutting the thing down. Is it possible for viruses to come in disguised as windows updates?

mike
April 25, 2012 5:40 PM

Well I got an EFI virus on my macbook pro. Mac's efi is somewhat similar to bios in pc. EFI is just a file. I highly suggest people password protect their bios and make sure to disable bios update if there's a setting for it in the bios.
