Description

This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.

14) Are there CMOS viruses?

Although a virus CAN write to (and corrupt) a PC's CMOS memory,
it can NOT "hide" there. The CMOS memory used for system
information (and backed up by battery power) is not "addressable,"
and requires Input/Output ("I/O") instructions to be usable.

Data stored there are not loaded from there and executed, so virus
code written to CMOS memory would still need to infect an
executable program in order to load and execute whatever it wrote.

A virus could use CMOS memory to store part of its code,
and some tamper with the CMOS Setup's values. However,
executable code stored there must first be first moved to
DOS memory in order to be executed. Therefore, a virus
can NOT spread from, or be hidden in CMOS memory. No known
viruses store code in CMOS memory.

There are also reports of a trojanized AMI BIOS - this is
not a virus, but a 'joke' program which does not replicate.
The malicious program is not on the disk, nor in CMOS, but
was directly coded into the BIOS ROM chip on the system board.
by a rogue programmer at American Megatrends Inc., the
manufacturers.

If the date is 13th of November, it stops the bootup process
and plays 'Happy Birthday' through the PC speaker. In this
case, the only cure is a new BIOS (or motherboard) - contact
your dealer. The trojanized chip run was BIOS version M82C498
Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy
Kuo's "What is NOT a virus" paper.

- From time to time there are reports from Mac users that the
message 'welcome datacomp' appears in their documents without
having been typed. This appears to be the result of using a
trojanised 3rd-party Mac-compatible keyboard with this 'joke'
hard-coded into the keyboard ROM. It's not a virus - it can't
infect anything - and the only cure is to replace the keyboard.

Continue to:

• prev: 14) What are rescue disks?
• Index
• next: 14) How do I know I'm FTP-ing 'good' software? (Computer virus)