Modified by: Joachim Suico

ALIASES:

Rootkit.Win32.Mybios.a (Kaspersky); Rootkit.Win32.Mybios (Ikarus); Trojan.MyBios (ClamAV)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 130,048 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 06 Nov 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %User Temp%\hook.rom
  • %System Root%\my.sys
  • %System%\drivers\bios.sys1 (renamed later; see NOTES)
  • %System%\drivers\bios.sys2 (renamed later; see NOTES)
  • %User Temp%\{variable name}.tmp (renamed later; see NOTES)

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

NOTES:

This malware is a Basic input/output system (BIOS) and Master Boot Record (MBR) infector.

To load its component files, the malware stops the "Beep" service and replaces the legitimate beep.sys in both %System%\drivers and %System%\dllcache with its own driver:

  • The legitimate file %System%\drivers\beep.sys is renamed to %System%\drivers\beep.sys.bak.
  • The malicious file %System%\drivers\bios.sys1 is renamed to %System%\drivers\beep.sys.
  • The malicious file %System%\drivers\bios.sys2 is renamed to %System%\dllcache\beep.sys.
  • The malicious file %User Temp%\{variable name}.tmp is renamed to %System%\drivers\bios.sys.
  • The malicious file %User Temp%\{variable name}.tmp is renamed to %User Temp%\hook.rom.

It then starts the "Beep" service again so that Windows loads the malicious driver in place of the legitimate one, and restores the original files once execution is completed. This malicious beep.sys/bios.sys handles the I/O communication between user and kernel modes and carries out the undocumented "flashing" method used to modify the BIOS. The infected BIOS then infects the MBR with the contents of hook.rom. If infecting the BIOS fails, the malware infects the MBR directly with the contents of hook.rom.
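The Installation and NOTES sections above describe a file-swap sequence (beep.sys renamed to beep.sys.bak, bios.sys1/bios.sys2 moved over the drivers\ and dllcache\ copies, bios.sys and hook.rom left behind) that leaves checkable artifacts on disk. The following checker is an added example written for this entry; it is not Trend Micro's tool or part of the malware. It takes a {path: contents} snapshot relative to the Windows root, reports the component paths listed above, and compares both beep.sys copies against a known-good hash that you supply (the placeholder bytes, the user name "alice" and the helper names are assumptions). Because the entry says the original files are restored after execution, the beep.sys swap can be transient; the check therefore also looks for leftovers (my.sys, bios.sys, hook.rom, a stale beep.sys.bak) rather than relying on the swap alone, and it treats a drivers\ versus dllcache\ mismatch as low confidence, since the malware replaces both copies. It does not examine the BIOS or the MBR.

```python
"""Offline IOC check for the beep.sys/bios.sys swap described in the entry (added example)."""
import hashlib
import os
from typing import Dict, List, Optional

# Component paths taken from the entry, relative to the Windows root (C:\ on a default
# install). Keys are lower-case with forward slashes so matching is case-insensitive.
DROPPED_COMPONENTS = {
    "my.sys": "%System Root%\\my.sys",
    "windows/system32/drivers/bios.sys": "%System%\\drivers\\bios.sys",
    "windows/system32/drivers/bios.sys1": "%System%\\drivers\\bios.sys1 (staged beep.sys replacement)",
    "windows/system32/drivers/bios.sys2": "%System%\\drivers\\bios.sys2 (staged dllcache replacement)",
    "windows/system32/drivers/beep.sys.bak": "%System%\\drivers\\beep.sys.bak (backup of legitimate driver)",
}
DRIVERS_BEEP = "windows/system32/drivers/beep.sys"
DLLCACHE_BEEP = "windows/system32/dllcache/beep.sys"


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_snapshot(files: Dict[str, bytes], known_good_beep_sha256: Optional[str] = None) -> List[str]:
    """Return findings for a {relative path: contents} snapshot of a Windows root."""
    snap = {_norm(p): data for p, data in files.items()}
    findings: List[str] = []
    for rel, desc in DROPPED_COMPONENTS.items():
        if rel in snap:
            findings.append(f"component present: {desc}")
    # hook.rom sits under the per-user temp folder, whose location depends on the Windows
    # version, so match on the tail of the path instead of a fixed prefix.
    for p in sorted(snap):
        if p.endswith("/temp/hook.rom"):
            findings.append(f"component present: {p} (hook.rom, MBR payload)")
    # beep.sys integrity: a known-good hash (e.g. from install media) is the reliable reference.
    if known_good_beep_sha256 is not None:
        for rel in (DRIVERS_BEEP, DLLCACHE_BEEP):
            if rel in snap and sha256(snap[rel]) != known_good_beep_sha256:
                findings.append(f"beep.sys hash mismatch: {rel}")
    elif DRIVERS_BEEP in snap and DLLCACHE_BEEP in snap and snap[DRIVERS_BEEP] != snap[DLLCACHE_BEEP]:
        # Both copies are replaced by the malware (bios.sys1 and bios.sys2), so this
        # comparison only catches a partial swap. Low confidence without a reference hash.
        findings.append("beep.sys differs between drivers\\ and dllcache\\ (low confidence; supply a known-good hash)")
    return findings


def snapshot_directory(windows_root: str, max_size: int = 1 << 20) -> Dict[str, bytes]:
    """Collect only the files check_snapshot inspects from a live or mounted Windows root."""
    wanted = set(DROPPED_COMPONENTS) | {DRIVERS_BEEP, DLLCACHE_BEEP}
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(windows_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = _norm(os.path.relpath(full, windows_root))
            if rel in wanted or rel.endswith("/temp/hook.rom"):
                with open(full, "rb") as fh:
                    files[rel] = fh.read(max_size)
    return files


# Constructed placeholder contents; these are not bytes from the real driver or malware.
CLEAN_BEEP = b"CLEAN BEEP.SYS PLACEHOLDER"


def sample_clean_snapshot() -> Dict[str, bytes]:
    """Constructed snapshot of an uninfected host (assumed layout)."""
    return {
        "Windows\\System32\\drivers\\beep.sys": CLEAN_BEEP,
        "Windows\\System32\\dllcache\\beep.sys": CLEAN_BEEP,
    }


def sample_infected_snapshot() -> Dict[str, bytes]:
    """Constructed snapshot of a host after the renames in NOTES (assumed user name 'alice')."""
    return {
        "Windows\\System32\\drivers\\beep.sys": b"BIOS.SYS1 PLACEHOLDER",
        "Windows\\System32\\dllcache\\beep.sys": b"BIOS.SYS2 PLACEHOLDER",
        "Windows\\System32\\drivers\\beep.sys.bak": CLEAN_BEEP,
        "Windows\\System32\\drivers\\bios.sys": b"BIOS.SYS PLACEHOLDER",
        "my.sys": b"MY.SYS PLACEHOLDER",
        "Documents and Settings\\alice\\Local Settings\\Temp\\hook.rom": b"HOOK.ROM PLACEHOLDER",
    }


if __name__ == "__main__":
    for finding in check_snapshot(sample_infected_snapshot(), sha256(CLEAN_BEEP)):
        print(finding)
    # Live use: check_snapshot(snapshot_directory("C:\\"), "<sha256 of a known-good beep.sys>")
```

Run it against a mounted image or a live root by passing the output of snapshot_directory to check_snapshot together with the hash of a clean beep.sys for the same Windows version; without that hash the beep.sys comparison is only indicative. A clean result from this check does not clear the host, since the BIOS and MBR modifications the entry describes are outside its scope.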