Someone locked you out of your BIOS, never ferr.


I think a virus put a BIOS password in my friend's HP Mini 1000
netbook.  I know I didn't do it, and I know it had malware.  I've read
online several other stories from those who never set a password and
are still stuck with one.

I read about one repair shop that wanted 325 dollars to unlock the
BIOS.

Another website wanted $50,

But Dogbert has programs to do it for free!

For HP, Dell, Fujitsu, Samsung, Compaq, and all that use Phoenix
bioses.

Check it out.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

Let's hear it for Dogbert! [enormous applause]

I don't know if he says it, but the hash number to convert shows up
after you enter the wrong password three times in a row.

(add more newsgroups, had to split into 2 or more posts)
microsoft.public.windowsxp.general,alt.comp.os.windows-xp,comp.sys.hp.misc,comp.sys.hp.hardware,
comp.sys.laptops,alt.comp.virus,alt.comp.anti-virus

And he gives his source code too.  Actually everything is in the 3
lines after the comments.  Here they are for an HP netbook, for
example, but you have to look at the page too:

def decode(code):
    # Hash character shown by the BIOS -> password character.
    table = {'1': '3', '0': '1', '3': 'F', '2': '7', '5': 'Q',
             '4': 'V', '7': 'X', '6': 'G', '9': 'O', '8': 'U', 'a': 'C', 'c': 'E',
             'b': 'P', 'e': 'M', 'd': 'T', 'g': 'H', 'f': '8', 'i': 'Y', 'h': 'Z',
             'k': 'S', 'j': 'W', 'm': '4', 'l': 'K', 'o': 'J', 'n': '9', 'q': '5',
             'p': '2', 's': 'N', 'r': 'B', 'u': 'L', 't': 'A', 'w': 'D', 'v': '6',
             'y': 'I', 'x': '4', 'z': '0'}
    # The password is the hash translated one character at a time.
    return "".join(table[c] for c in code)

That is:
'1': '3',
'0': '1',
'3': 'F',
'2': '7',
'5': 'Q',
'4': 'V',
'7': 'X',
'6': 'G',
'9': 'O',
'8': 'U',
'a': 'C',
'c': 'E',
'b': 'P',
'e': 'M',
'd': 'T',
'g': 'H',
'f': '8',
'i': 'Y',
'h': 'Z',
'k': 'S',
'j': 'W',
'm': '4',
'l': 'K',
'o': 'J',
'n': '9',
'q': '5',
'p': '2',
's': 'N',
'r': 'B',
'u': 'L',
't': 'A',
'w': 'D',
'v': '6',
'y': 'I',
'x': '4',
'z': '0'

Which for some reason is 18 pairs of numbers or letters and what
character they should be converted to, each pair in reverse order from
the normal order of numbers or letters. As in a, c, b, d, f, e....  Do
you know why he did it that way?   Anyhow, logically, if not
programmatically, it is the same as what follows so you don't even need
the program to do a mere 10 characters.  Don't forget, this one is
just HP netbooks.

0: 1,
1: 3,
2: 7,
3: F,
4: V,
5: Q,
6: G,
7: X,
8: U,
9: O,
a: C,
b: P,
c: E,
d: T,
e: M,
f: 8,
g: H,
h: Z,
i: Y,
j: W,
k: S,
l: K,
m: 4,
n: 9,
o: J,
p: 2,
q: 5,
r: B,
s: N,
t: A,
u: L,
v: 6,
w: D,
x: 4,
y: I,
z: 0

Come to think of it, if the encoding is just simple replacement of one
character with another, it would be easy in most cases to figure out
the code.  Just get a similar computer, set a password for the BIOS
using no character more than once, refuse to put the right password in
until you get the hash code at the end, and record the mapping.  Do it
again with different passwords until you get all 36 characters.  But
Dogbert has done this for you for many many computers.  Let's hear it
for Dogbert!  [thunderous applause]


 Yes, I'm sure the malware did it, maybe to keep a user from changing
the boot order so that booting from the USB came first.  Fortunately,
I had changed it already (although the virus seems to have changed it
back.) and also fortunately this HP unit has a separate, afaik
non-password-protectable screen that allows a one-shot change in boot
order.
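As an added example (not code from the thread or from Dogbert's script), here is the quoted HP Mini table run through the checks a defender would make on it: the mapping is a fixed per-character, position-preserving substitution, so the displayed "hash" is a reversible encoding rather than a hash, and one password character ('4') has two possible sources. The sample hash in the `__main__` block is constructed.

```python
# Added example, not from the thread or from Dogbert's script: it takes the
# HP Mini table quoted above and checks what kind of "hash" it really is.
from collections import defaultdict

# Hash character displayed by the BIOS -> password character (the table as
# quoted in the post, reordered 0-9, a-z).
HASH_TO_PASSWORD = {
    '0': '1', '1': '3', '2': '7', '3': 'F', '4': 'V', '5': 'Q', '6': 'G',
    '7': 'X', '8': 'U', '9': 'O', 'a': 'C', 'b': 'P', 'c': 'E', 'd': 'T',
    'e': 'M', 'f': '8', 'g': 'H', 'h': 'Z', 'i': 'Y', 'j': 'W', 'k': 'S',
    'l': 'K', 'm': '4', 'n': '9', 'o': 'J', 'p': '2', 'q': '5', 'r': 'B',
    's': 'N', 't': 'A', 'u': 'L', 'v': '6', 'w': 'D', 'x': '4', 'y': 'I',
    'z': '0',
}


def decode(code):
    """Per-character substitution, exactly what the quoted script does."""
    return "".join(HASH_TO_PASSWORD[c] for c in code)


def collisions():
    """Password characters that more than one hash character stands for."""
    sources = defaultdict(list)
    for h, p in HASH_TO_PASSWORD.items():
        sources[p].append(h)
    return {p: sorted(hs) for p, hs in sources.items() if len(hs) > 1}


def analyse():
    """Why this is an encoding, not a hash: every displayed character fixes
    the password character in the same position, so nothing is hidden and
    the display even reveals the password length."""
    outputs = set(HASH_TO_PASSWORD.values())
    return {
        "hash_alphabet": len(HASH_TO_PASSWORD),   # 36 (0-9, a-z)
        "password_alphabet": len(outputs),       # 35: '4' has two sources
        "collisions": collisions(),              # {'4': ['m', 'x']}
    }


if __name__ == "__main__":
    print(analyse())
    # Constructed sample hash (not a real device value); both spellings of
    # the '4' decode to the same password.
    print(decode("ry9kmp"), decode("ry9kxp"))
```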

Re: Someone locked you out of your BIOS, never ferr.


| I think a virus put a BIOS password in my friend's HP Mini 1000
| netbook.  I know I didn't do it, and I know it had malware.  I've read
| online several other stories from those who never set a password and
| are still stuck with one.

< snip >

You've been making quite a few posts but it is time for you to realize that all
viruses are malware but not all malware are viruses.  There are but a handful of
true viruses and dozens of worms but the vast majority are classified as some
form of trojan.

Malware will not password the BIOS.  It is an illogical payload.  The malicious
actor who wrote the malware gains no benefit for himself nor a given cause or
objective.  It doesn't help in the malware's self preservation nor can it have an
effect on the OS of the platform.  In fact a BIOS password is OS independent.

It is like all the crap I find on my user's desktops and notebooks.  When
confronted they almost always say they didn't put it there.  OK, sometimes a
toolbar or other software is packaged with an update and I'll forgive them.  But
often I find "stuff" that got there because it was deliberately installed.  They
put it there but won't take responsibility for the action.

Someone set the BIOS password and it wasn't malware.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Someone locked you out of your BIOS, never ferr.


It seems to me that there *would* be a slight advantage to making it
hard for the average victim (user) to access a way to clean boot an
infected machine. Besides, a payload doesn't *have* to be beneficial to
*anyone* (CIH's BIOS corruption for instance).

It's not likely that any specific mobile code malware would do this
considering all of the differences in settings that would be encountered
as it spread. Plus, it is trivial to set it back the way it should be by
dis-validating the checksum via the port access (or removing the
battery) - this usually results in the BIOS routine calling up the CMOS
Setup program for you.

I can envision malware with a targeted payload (specific BIOS being used
by the intended victim) where this could be done, but it would be easily
enough undone so as to make it not worthwhile. It reminds me again of my
appending @autoexec to my uncle's autoexec.bat file, it makes it
difficult to boot, but not insurmountable, to fix.




Re: Someone locked you out of your BIOS, never ferr.







| It seems to me that there *would* be a slight advantage to making it
| hard for the average victim (user) to access a way to clean boot an
| infected machine. Besides, a payload doesn't *have* to be beneficial to
| *anyone* (CIH's BIOS corruption for instance).

| It's not likely that any specific mobile code malware would do this
| considering all of the differences in settings that would be encountered
| as it spread. Plus, it is trivial to set it back the way it should be by
| dis-validating the checksum via the port access (or removing the
| battery) - this usually results in the BIOS routine calling up the CMOS
| Setup program for you.

| I can envision malware with a targeted payload (specific BIOS being used
| by the intended victim) where this could be done, but it would be easily
| enough undone so as to make it not worthwhile. It reminds me again of my
| appending @autoexec to my uncle's autoexec.bat file, it makes it
| difficult to boot, but not insurmountable, to fix.



Assuming malware did indeed password protect the BIOS entries, are you saying it
would be an advantage to the malware that you couldn't, for example, change the
Boot Order ?



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Someone locked you out of your BIOS, never ferr.


It might necessitate needing to slave the drive to a surrogate, if you
cannot boot from floppy, cd, or usb device. This, of course, assumes
that the malware could have changed settings such as the boot order, or
somehow otherwise made the floppy, cd, or usb device unusable for
booting. This just seems like an extension to the disabling of safe-mode
or corruption of restore points.

Not much of an incentive there for malware writers to bother with it
though, I'll admit.




Re: Someone locked you out of your BIOS, never ferr.




| It might necessitate needing to slave the drive to a surrogate, if you
| cannot boot from floppy, cd, or usb device. This, of course, assumes
| that the malware could have changed settings such as the boot order, or
| somehow otherwise made the floppy, cd, or usb device unusable for
| booting. This just seems like an extension to the disabling of safe-mode
| or corruption of restore points.

| Not much of an incentive there for malware writers to bother with it
| though, I'll admit.

No but it is a VALID point.  Thank you.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Someone locked you out of your BIOS, never ferr.

On Sun, 10 Oct 2010 08:19:49 -0400, "FromTheRafters" wrote Re Someone locked you out of
your BIOS, never ferr.:

Good point.
--
Work is the curse of the drinking class.

Re: Someone locked you out of your BIOS, never ferr.


| On Sun, 10 Oct 2010 08:19:49 -0400, "FromTheRafters" wrote Re Someone locked you out of
| your BIOS, never ferr.:

| Good point.

Yes but in that case corruption IS the payload.  The CIH (aka Chernobyl) also
deletes data from the hard disk.  It does it on a calendar basis.

While today the great preponderance is based upon financial incentive, when the
CIH was written it was for bragging rights or just to be mischievous.

The objective was to deliberately cause HARM to the affected computer.

Password protecting the BIOS has very little potential even for being
mischievous.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Someone locked you out of your BIOS, never ferr.


CIH delivers a harsh message indeed, but around that time most
self-distributing malware (viruses and worms) were used for delivering
messages from simple text outputted to the screen, to data destruction
(sometimes extortion through cryptovirology). Now, it is all about
stealing computing power and hiding that fact as well as possible, for
as long as possible, so as to maintain that ability (perhaps to send a
bigger message later). They all want to 'do stuff' that is network
related (updating themselves, communicating with other fragments,
sending out user keystroke logs, etc...), which can be detected by
network administrators even though they might be fairly well hidden from
the local user.

Old style viruses didn't have to expend energy to conceal their
activity, they could just lay dormant until their host program was
executed. People today tend to forget that that scenario can still be a
threat - witness Stuxnet (a worm), where it's *really* all about the
payload, not the delivery methods.



Re: Someone locked you out of your BIOS, never ferr.

mm

And you have multiposted this to a few other groups.

Kindly read the following

http://www.blakjak.demon.co.uk/mul_crss.htm

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect



Re: Someone locked you out of your BIOS, never ferr.

Forgot to mention. You also multiposted this aside from all the ones you
crossposted to.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect


Re: Someone locked you out of your BIOS, never ferr.

wrote:


Yes, I have.

Okay.  I don't see how this applies to my post.  

"Cross-posting is often wrong, because people tend to cross-post to
unsuitable groups.", but I didn't.  Every group I chose had an
interest in this. Yes, the BIOS is unrelated to the operating system,
but everyone in those groups has to worry about his BIOS once in a
while. The people in the XP groups have helped me a lot and this was a
chance for me to help them.

"Multi-posting is a waste of bandwidth, money, and people's time, with
no advantages whatever, and should never be indulged in. "

That refers to multi-posting when cross-posting would have been
possible.  But it wasn't fully possible here.

I split the groups into 2 sections because my news reader wouldn't let
me send to so many at one time.  I wasn't asking for help; I wasn't
getting anything out of this for myself. I was telling people about a
valuable service that could save them 50 or 325 dollars, and still
allow them access to their BIOS for free, if they forgot their
password or someone or thing put one on without telling them. If they
recognize the subject line, they don't have to read it more than once,
or even once.  I think people would rather get this twice than not at
all.


Re: Someone locked you out of your BIOS, never ferr.

wrote Re Someone locked you out of your BIOS, never ferr.:


Thanks.
--
Work is the curse of the drinking class.

Re: Someone locked you out of your BIOS, never ferr.


[...]


What malware did this?



Re: Someone locked you out of your BIOS, never ferr.

On 10/10/2010 10:09 AM, FromTheRafters wrote:
Is that a serious question?

Re: Someone locked you out of your BIOS, never ferr.


Yes, if the OP is sure, then there should be more information.


