Other Virus -- FIXED -- WINNER

Discussion in 'Tech Support' started by Burnout21, 7 Jul 2012.

  1. Nealieboyee

    Nealieboyee Packaging Master!

    Joined:
    14 Aug 2009
    Posts:
    3,826
    Likes Received:
    458
    I don't think he meant you were trolling. I think what he was trying to say is that it sounds so unbelievable that usually only a troll could come up with this kind of crap. We know you aren't a troll mate :thumb:
     
  2. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    So this morning's events

    [embedded Vimeo video]
     
  3. IvanIvanovich

    IvanIvanovich will swallow your soul.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    Are you doing a full block erase when flashing the BIOS? You need to get that flash cleared, as it is clearly hiding in some section that the BIOS flash isn't overwriting.
     
  4. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Could you point me in the direction of a full block erase of the BIOS?

    I've pulled the battery in the past, along with leaving the machine battery-free and power-free for hours, hoping any writeable memory would clear.
     
    Last edited: 11 Jul 2012
  5. IvanIvanovich

    IvanIvanovich will swallow your soul.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    Should be an option on the flash utility. Look for an option like clear all blocks, program all blocks, include non-critical blocks, etc. If there are any options for preserve *, choose none. I haven't seen what HP use, but those options are available with the AFUwin utility I use for my Zotac H67.
     
  6. Scorpuk

    Scorpuk Minimodder

    Joined:
    10 Jan 2012
    Posts:
    725
    Likes Received:
    10
    Can you take a picture of the bios flash utility and post here?
     
  7. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    The flashing process just gives access to selecting the .bin file from external storage and then uploading it/flashing to the chip.

    Nothing about clearing blocks or anything
     
  8. Chicken76

    Chicken76 Minimodder

    Joined:
    10 Nov 2009
    Posts:
    952
    Likes Received:
    32
    Is it a dos executable that you run from a bootable floppy/USB_stick? If so, try running it with the /? or -? argument. It may bring up a list of available flags/switches/arguments. The option to zero the rest of the flash chip may be there.

    What's really suspicious to me is bullet #11: "System crash during update and restarted"
    Nothing you did prior to that was out of the ordinary. No stable system should crash during a Windows Update. (have you tried memtest86+ on that system?) It's at that point when you get infected.

    Do you run these installs at home or at work? It might be interesting to see where it is trying to connect. Is there any way you can deny it access to the Internet and look at the connection attempts? (like using a Linux router and the tcpdump utility)

    Or, (full-blown paranoia speaking from this point on) could it be possible that your connection is hijacked and you're receiving updates not from Microsoft but from somebody else?
     
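Chicken76's suggestion of putting a Linux box with tcpdump in front of the PC and watching where it tries to connect can be triaged with a short script. The block below is an added example, not code from any poster in this thread or from HP: it feeds constructed `tcpdump -n` lines (RFC 5737 documentation addresses, not real traffic) through awk and lists, per destination and port, how many outbound SYNs the suspect host sent, plus the DNS names it looked up. The `192.168.1.20` host address and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: summarise where a host is trying to connect from
# "tcpdump -n" text (e.g. captured on a Linux router in front of the PC).
set -eu

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE_TCPDUMP='12:00:01.000000 IP 192.168.1.20.49152 > 198.51.100.7.443: Flags [S], seq 1000, win 8192, length 0
12:00:01.100000 IP 198.51.100.7.443 > 192.168.1.20.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:01.200000 IP 192.168.1.20.49153 > 198.51.100.7.443: Flags [S], seq 1001, win 8192, length 0
12:00:02.000000 IP 192.168.1.20.49154 > 203.0.113.9.80: Flags [S], seq 1002, win 8192, length 0
12:00:02.500000 IP 192.168.1.30.40000 > 203.0.113.9.80: Flags [S], seq 5, win 8192, length 0
12:00:03.000000 IP 192.168.1.20.53211 > 192.168.1.1.53: 12345+ A? update.example. (32)
12:00:03.100000 IP 192.168.1.20.53212 > 192.168.1.1.53: 12346+ [1au] A? cdn.example. (40)'

# summarize_syns HOST: reads tcpdump -n output on stdin and prints
# "<count> <dst-ip> <dst-port>" for every outbound SYN sent by HOST,
# most frequent first.  Only a plain "[S]" counts; "[S.]" is a SYN-ACK reply.
summarize_syns() {
  awk -v me="$1" '
    $2 == "IP" && $4 == ">" && /Flags \[S\],/ {
      n = split($3, s, ".")
      if (s[1] "." s[2] "." s[3] "." s[4] != me) next
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, d, ".")
      count[d[1] "." d[2] "." d[3] "." d[4] " " d[n]]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# summarize_dns HOST: prints each DNS name HOST queried (to port 53),
# sorted and de-duplicated.  Handles the optional "[1au]" EDNS field.
summarize_dns() {
  awk -v me="$1" '
    $2 == "IP" && $4 == ">" && $5 ~ /\.53:$/ {
      n = split($3, s, ".")
      if (s[1] "." s[2] "." s[3] "." s[4] != me) next
      for (i = 6; i < NF; i++)
        if ($i ~ /^[A-Z]+\?$/) { name = $(i + 1); sub(/\.$/, "", name); print name; break }
    }
  ' | sort -u
}

# Demo run over the constructed capture.
echo "Outbound SYNs from 192.168.1.20 (count dst port):"
printf '%s\n' "$SAMPLE_TCPDUMP" | summarize_syns 192.168.1.20
echo "DNS names queried by 192.168.1.20:"
printf '%s\n' "$SAMPLE_TCPDUMP" | summarize_dns 192.168.1.20
```

Against a real capture, pipe `tcpdump -n -l` (live) or `tcpdump -n -r file.pcap` output into the functions instead of the sample; the `-n` flag matters, because the awk fields assume numeric addresses rather than resolved names. Unexpected destinations right after the first reboot of a fresh install are what to look for.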
  9. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Bullet 11 isn't really a crash; a reboot command is being issued, invoked by what I assume is the virus, during the update.

    Currently running at home (I freelance from home); however, I did use the in-laws' internet in the beginning.

    As for looking at the outgoing commands across the network, I've not gone that far. I should, but I've never done it before.

    MBAM (boring video is boring)

    [embedded Vimeo video]

    MBAM found nothing..
     
  10. towelie

    towelie How do I Internet!!

    Joined:
    1 Sep 2011
    Posts:
    399
    Likes Received:
    10
    Not sure i can really help but suggest useful information :)

    http://en.wikipedia.org/wiki/BIOS#Virus_attacks

    "Some motherboards have a backup BIOS (sometimes referred to as DualBIOS boards)"

    "EEPROM chips are advantageous because they can be easily updated by the user; hardware manufacturers frequently issue BIOS updates to upgrade their products, improve compatibility and remove bugs. However, this advantage had the risk that an improperly executed or aborted BIOS update could render the computer or device unusable. To avoid these situations, more recent BIOSes use a "boot block"; a portion of the BIOS which runs first and must be updated separately. This code verifies if the rest of the BIOS is intact (using hash checksums or other methods) before transferring control to it. If the boot block detects any corruption in the main BIOS, it will typically warn the user that a recovery process must be initiated by booting from removable media (floppy, CD or USB memory) so the user can try flashing the BIOS again. Some motherboards have a backup BIOS (sometimes referred to as DualBIOS boards) to recover from BIOS corruptions."

    "The third BIOS virus was a technique called "Persistent BIOS infection." It appeared in 2009 at the CanSecWest Security Conference in Vancouver, and at the SyScan Security Conference in Singapore. Researchers Anibal Sacco[9] and Alfredo Ortega, from Core Security Technologies, demonstrated how to insert malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at start-up, even before the operating system is booted.

    "The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine, or for the user to be root. Despite these requirements, Ortega underlined the profound implications of his and Sacco's discovery: “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus.”[10]"


    http://h30434.www3.hp.com/t5/Other-...e-the-HP-BIOS-update-uefi-utility/td-p/337347

    See Mumbodog for the USB tool and instructions.
     
    Last edited: 12 Jul 2012
  11. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    I've been thinking about the next steps in this quest and I've hit a small wall with an idea, partly due to the hour of the night.

    I want to build a Win7 image inside VirtualBox, then build a 'SyS Admin' user account with password protection (root account) and a standard user account which is set to auto-login. Software to install inside this VM will be Comodo Firewall and KillSwitch, which will be added to the startup services.

    Also, in all of this, IE8 is removed and FF 13 installed; it also allows for all MS updates to be installed.

    Then convert the VM to a physical image to mirror via Clonezilla to the infected machine, add all HP drivers.


    It's the most secure build I can think of.

    And wait for the white screen of doom...



    I met up with a good friend of mine today to discuss this little monster. He's recommended that I report it to (securiteam.org), which I'll do tomorrow, and asked for a BIOS image pull post-flash, which is easy enough with (flashrom). He agrees with my findings that it's a UEFI virus that's new in the wild, but his idea is the virus is paravirtualising the environment before it boots (think ESXi).

    If so then it'll walk right around my SyS Admin account. All I am going to say is tomorrow is going to be a long one of epicness.
     
  12. DrJeep

    DrJeep What's a Dremel?

    Joined:
    14 Jul 2012
    Posts:
    1
    Likes Received:
    0
    Couple of interesting things, none of which helps much I am afraid.

    The phone number in the screen shot appears to belong to TIME WARNER COMMUNICATIONS OF HOUSTON, L.P.
    Cute....very cute.

    The earliest records I can find of an infection appears in China on a machine that may or may not have UEFI. There aren't enough machine details kicking around to be 100% sure.

    Other people on the Chinese sites tried sealed, new-in-packet hard drives with virgin installation media and still got it back. So I'm pretty sure it isn't hiding on just the drive, although it does appear to create hidden partitions on the drive.

    There is a short thread on the AVG forums; someone reported it on a Dell laptop, but the thread has died without resolution. Dell does seem to be a fairly common theme, but then there are a lot of Dells out there, so it may be coincidence brought on by market share. The machine on AVG was running XP SP2, so IE9 isn't the infection vector, and XP SP2 wouldn't be booting via UEFI unless it was dropped into some sort of BIOS emulation legacy mode.

    Jealous really....I want to crack this.
     
  13. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197

    Oh that doesn't fill me with confidence..

    One commonality is proprietary hardware (custom motherboards), could it be that there are earlier versions of this virus.. After all it presents via a browser based prompt.

    (DrJeep is said good friend I met up with yesterday who shall remain anon)
     
  14. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    as long as the relationship is platonic.. =] we've had enough of those shenanigans around here

    it is strange it came back after the flash.. think lysol is onto something with forcing the flash to write all blocks.. there are switches to do that

    I've just never had or seen a problem like this before.. it is pretty interesting- more than likely a flaw in that model of dell..

    keep us posted.. I'd like to know how you guys finally did it myself- I haven't even looked around the net to be honest.. maybe when I'm into the private reserve later
     
  15. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Personally I would love to know how the machine got infected; however, the in-laws don't know when it happened, only that it was too late by the time they noticed. They tried to fix it themselves with HP recovery discs; after that failed, a local computer shop was involved, and that information is in the 1st post.
     
  16. IvanIvanovich

    IvanIvanovich will swallow your soul.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    All it would need would be one mistake of someone allowing admin to install something they downloaded. Once you allow admin, there is nothing stopping a UEFI flash happening in the background. Or it's totally possible it was some drive-by thing that took advantage of an unpatched flaw in something on the PC, like IE, Reader...
    I do believe if you can find the right commands in the DOS-based UEFI tool that you should be able to do a full erase including the boot block, and if that doesn't get rid of it I don't even know of anything to go on from there. I had to deal with something similar on someone's machine a couple of years ago and that is what I ended up having to do once I realized it was hiding in the BIOS; problem solved.
     
  17. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Losing the will to live now. This morning's efforts:

    I left the machine alone over the weekend so I could read around; it turns out wonderful HP doesn't create easy, logical help files for their released tools.

    Anyway, I started to link things together to understand what's going on, only to find out 5 minutes ago my hypothesis is a load of BS!

    My Hypothesis

    However in light of this it's far more complex, I am now looking deeper into the HP tools to find a ME firmware wiper or clear all blocks tool of sorts.

    If it bricks it bricks
     
  18. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    Have been digging around a bit, and it would appear there might be a process running called wpcguard.exe, which is signed by Absolute Software Corp. Looking into Absolute Software Corp, they make legitimate software called LoJack; LoJack is used if your laptop is stolen or whatever, but it appears to be able to do a similar kind of thing to what is happening to your laptop, but legitimately. It runs on a process called rpcnet.exe, which cannot be removed if you flash the BIOS; you need to use BIOS wiping tools to actually get rid of the program. Once again, sounds like what you are experiencing.

    Nothing you don't already know, but I guess it's one step closer. Have you spoken to HP at all?

    On your virgin install, before your reboot, after you have installed everything, have you looked through msconfig and the startup items and services? Is there a service "Remote Procedure Call", or something similar to that? I can't help but think that it's funny it always happens after a restart. Next time you get a virgin install (sorry, I know you have done so many), can you grab some screens of msconfig services and startup?

    EDIT: thinking about it, it won't be called Remote Procedure Call, as I reckon it's wpcguard.exe running, so W? Procedure Called? or something similar. Look through services and startup and see if there is any service running with the initials WPC, and disable that at startup.

    Have you considered making an image of your virgin install along with a recovery CD as then you won't have to install over and over? I dunno if it's possible, just a thought.

    EDIT EDIT: was a poor translation from the chinese site, the process, is wctguard.exe, or maybe my dyslexic head, probably the latter, but here is sauce http://translate.google.co.uk/trans...a=X&ei=z2cEUM_7K4rktQaNnrSoBg&ved=0CDgQ7gEwAg
     
    Last edited: 16 Jul 2012
    Burnout21 likes this.
  19. munkey

    munkey What's a Dremel?

    Joined:
    24 May 2012
    Posts:
    62
    Likes Received:
    2
    Do you have a throwaway drive you can test with? I know I've got a few lying around that are too small to be of much use anymore. Then try flashing the BIOS without any drives connected (preferably with a read-only floppy disk) and then do your fresh OS install to the testing drive?

    That would at least allow you to isolate the probably infected drive from the definitely infected MB in order to determine where the re-infection is coming from.

    Also on the other machine that you re-partitioned the infected drive on, can you get that configuration setup again and before fdisk run the command "dd if=/dev/urandom of=/dev/sda bs=1M count=100" this will write random characters to the first 100MB of the drive which would change the partition table to an unrecognizable state, basically giving you a blank slate. If you omit the count=100 part it will write over the whole drive but depending on the size that could take a while.

    EDIT: make sure to change the /dev/sda portion to the correct drive so that you don't inadvertently destroy the wrong partition table.
     
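munkey's dd wipe above can be rehearsed without touching a real disk. The block below is an added example, not code from any poster in this thread or an HP tool: it builds a small image file with a fake boot-code string and the MBR signature, runs the same `dd if=/dev/urandom ... bs=1M` overwrite against it, and checks the bytes before and after so you can see what the wipe actually destroys. The image size, the FAKE-BOOTCODE string and the mktemp path are assumptions. With the `of=` target changed to a real device it is exactly as destructive as the post says, so munkey's EDIT about double-checking `/dev/sda` applies.

```shell
#!/bin/sh
# Added example: rehearse munkey's "dd if=/dev/urandom of=/dev/sda bs=1M count=100"
# on a throwaway disk image instead of a real device, and verify the effect.
set -eu

MIB=1048576   # bs=1M written out so the script also runs with BSD dd

# make_image PATH MIB: constructed test data - a sparse image with a fake
# boot-code string at offset 0 and the 0x55 0xAA MBR signature at bytes 510-511.
make_image() {
  rm -f "$1"
  dd if=/dev/zero of="$1" bs=$MIB count=0 seek="$2" 2>/dev/null
  printf 'FAKE-BOOTCODE' | dd of="$1" conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# hex_at PATH OFFSET LEN: LEN bytes at OFFSET as lowercase hex, no spaces.
hex_at() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# True when the MBR signature is still in place.
has_mbr_signature() {
  [ "$(hex_at "$1" 510 2)" = "55aa" ]
}

# True when the fake boot code has not been overwritten.
boot_code_intact() {
  [ "$(hex_at "$1" 0 13)" = "$(printf 'FAKE-BOOTCODE' | od -An -tx1 | tr -d ' \n')" ]
}

# wipe_head PATH MIB: the wipe itself - overwrite the first MIB mebibytes with
# random bytes.  conv=notrunc keeps a regular file at its original size
# (plain dd would shrink the image); on a real block device it changes nothing.
wipe_head() {
  dd if=/dev/urandom of="$1" bs=$MIB count="$2" conv=notrunc 2>/dev/null
}

# Demo run on a 16 MiB image.  Wiping 1 MiB already covers the MBR and the
# primary GPT header/array at the start of a disk; the post's count=100 goes further.
IMG=$(mktemp)
make_image "$IMG" 16
has_mbr_signature "$IMG" && echo "before: MBR signature present"
wipe_head "$IMG" 1
if has_mbr_signature "$IMG"; then
  echo "after: signature bytes happen to read 55aa (1 in 65536 chance with random data)"
else
  echo "after: MBR signature gone"
fi
boot_code_intact "$IMG" || echo "after: boot code overwritten"
rm -f "$IMG"
```

Note what this does not cover: a backup GPT lives at the end of the disk and survives a wipe of the first 100 MB, so a `count=100` run leaves a partition editor able to offer to restore it. Omitting `count=` as munkey says, or a second dd aimed at the last few MiB, removes that as well.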
  20. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Awesome

    Now to find the right bios tools, which don't exist...
     
