BIOS virus and custom format from Windows 7.

Page 4 of 4
  1.    #31

    There is something I suspect is in the boot sector of the HD which Cleaning with Diskpart will solve on installation failures. It works quite frequently. We once thought it required Clean All but that is overkill since it works just as well with Clean. It is one of our first troubleshooting steps for Install failures. I'd like to know exactly what it is, assuming it's corrupt boot code.

    Recently we had 2 cases in a row where BIOS wouldn't budge past POST with HD attached, where Cleaning solved it and allowed reinstall. It's a clue.
    Last edited by gregrocker; 12 Nov 2011 at 18:30.


  2. Posts : 4,161
    Windows 7 Pro-x64
       #32

    I'm pretty sure you already know this but I've quoted a summation of the interaction of the BIOS with the boot sector for folks that are trying to follow this. Also add CD to the floppy and USB groups below. (These have VBRs) I've also underlined in the quote what you are probably seeing/fixing.

    On IBM PC compatible machines, the BIOS is ignorant of the distinction between Volume Boot Records (VBRs) and Master Boot Records (MBRs), and of partitioning. The firmware simply loads and runs the first sector of the storage device. If the device is a floppy or USB flash drive, that will be a VBR. If the device is a hard disk, that will be an MBR. It is the code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the active partition). The VBR then loads a second-stage bootloader from another location on the disk.

    Furthermore, whatever is stored in the first sector of a floppy diskette, USB device, hard disk or any other bootable storage device, is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it's easy to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional boot managers (programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occurs in the form of boot sector viruses.
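The boot sequence quoted in post #32, as an added example that is not part of the thread: a Python sketch that inspects a 512-byte first sector the way the BIOS and then the MBR code do, and hashes the bootstrap code area so it can be compared with a known-good copy. The function names and the sample sector are constructed for illustration; the layout assumed is the classic MBR (446 bytes of code, four 16-byte partition entries, the 0x55 0xAA signature).

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table follows 446 bytes of bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable first sector

def inspect_first_sector(sector: bytes) -> dict:
    """Report what the BIOS and the MBR code would each look at in sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    report = {
        # The only check the BIOS itself makes before passing control.
        "bios_will_run": sector[510:512] == BOOT_SIGNATURE,
        # Hash of the bootstrap code area, for comparison with a known-good copy.
        "code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": [],
        "table_plausible": True,
    }
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            # e.g. a VBR, where this region holds code or data instead of a table
            report["table_plausible"] = False
        if ptype != 0x00:
            report["partitions"].append(
                {"slot": i, "active": status == 0x80, "type": ptype,
                 "lba_start": lba_start, "sectors": count})
    active = [p for p in report["partitions"] if p["active"]]
    # Conventional MBR code boots the single partition flagged active.
    report["active_slot"] = active[0]["slot"] if len(active) == 1 else None
    return report

def build_sample_mbr() -> bytes:
    """Constructed sample: dummy code bytes, one active NTFS (0x07) partition."""
    code = b"\xfa\x33\xc0" + b"\x00" * (TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    print(inspect_first_sector(build_sample_mbr()))
```

A sector whose code bytes have been altered still reports `bios_will_run` as true with an unchanged partition table; only `code_sha256` changes, which is why a baseline hash is the useful comparison.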


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #33

    You might find this article about tdss.tdl4 interesting:
    TDSS. TDL-4 - Securelist


  4. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #34

    yep it overwrites the 13h interrupt in the int tbl to start the 1st portion of the loader (which is one way to stop it from reinfecting upon reboot if you must work on it)


    Carwiz...any idea where I could find a BIOS set of code (any newer x64 type machine) for reading through on the subway (any format)


  5. Posts : 4,161
    Windows 7 Pro-x64
       #35

    rubyrubyroo said:
    Carwiz...any idea where I could find a BIOS set of code (any newer x64 type machine) for reading through on the subway (any format)
    I haven't really looked but I'm guessing it could be extracted from a BIOS Flash.
    (I won't mention how.) :)


  6. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #36

    of that I have no doubt, but I am sure there is some floating around out there, I was just asking if you had any idea of where, but thanks for the answer (it's probably pretty straightforward to extract, as it makes "injection" or "flashing" a more straightforward process to perform) :)


 