BIOS Meningitis | |
---|---|
Type | Boot sector virus |
Creator | Qark |
Date Discovered | 1994.07 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | DOS |
Infection Length |
BIOS Meningitis is a floppy boot-sector, hard drive MBR and Flash BIOS stealth infecter. This virus seems to be the first Flash BIOS infecter but according to the source code this feature was never tested. It was coded by Qark of VLAD and appeared in Issue 2 of VLAD magazine in November 1994
Behavior
When loading from an infected floppy or hard disk the virus goes memory resident - allocating 1k of memory by by decreasing the 16-bit WORD at 40h:13h (BIOS Data Area, size of conventional memory in kilobytes) and hooking INT 13h (BIOS Disk Services) directly in the IVT (interrupt vector table).
The INT 13h handler carries out both infection and stealth routines. If an attempt is made to read sector 1, cylinder 0, head 0 (the first physical sector - MBR or boot sector) action is taken. If the disk is uninfected the disk is infected, if the disk is already infected stealth takes place. The stealth algorithm simply reads in the original sector instead of the infected one, making the disk appear 'clean' when the virus is ready in memory.
When infecting the hard drive, the original MBR sector is stored in physical sector 2 which is normally unused in an MS-DOS installation. In the case of floppy disks, sector 14, cylinder 0, head 1 is used - this is the last directory of the root directory on 5.25 inch 1.2mb floppies, but will cause corruption on any other type of floppy disk. The virus overwrites the partition table of the infected MBR meaning that booting from an uninfected floppy or running a 'FDISK /mbr' will leave the hard drive inaccessible.
When infecting the Flash BIOS, BIOS Meningitis uses various INT 16h AH=E0h (BIOS Flash routines) calls to manipulate the Flash memory. The virus first searches the ROM BIOS from segments 0F000h to 0FFF0h for a 1kb cave of 0 bytes. If such cave is found the virus copies itself to this space, and patches first 5 bytes of the original INT 19h (BIOS Boot Strap Loader) handler with a JMP FAR (EAh ssss:oooo) pointing to its own INT 19h routine. The viruses INT 19h copies the virus to 0000:7C00h (standard boot sector load address), emulates an infected MBR execution and then does the job of a standard INT 19h handler - boot from floppy or hard drive. The INT 19h handler of BIOS Meningitis is very minimal and may not behave in the same manner as the original BIOS INT 19h handler. The virus may also overwrite the chipset when infecting the Flash BIOS leading to unpredictable results.
BIOS Meningitis includes the text string:
VLAD
Other Facts
Attacking the BIOS was an uncommon, but sometimes destructive feature on viruses from the 1990's into the early 2000's. CIH, Kriz and Magistr were more famous and intentionally destructive viruses that tried to attack the BIOS. BIOS Meningitis however was relatively harmless.
Sources
Original research by JPanic aka @JPanicVX