
Someone locked you out of your BIOS, never fear.

mm

I think a virus put a BIOS password in my friend's HP Mini 1000
netbook. I know I didn't do it, and I know it had malware. I've read
online several other stories from those who never set a password and
are still stuck with one.

I read about one repair shop that wanted 325 dollars to unlock the
BIOS.

Another website wanted $50,

But Dogbert has programs to do it for free!

For HP, Dell, Fujitsu, Samsung, Compaq, and all that use Phoenix
bioses.

Check it out.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

Let's hear it for Dogbert! [enormous applause]

I don't know if he says it, but the hash number to convert shows up
after you enter the wrong password three times in a row.

(add more newsgroups, had to split into 2 or more posts)
microsoft.public.windowsxp.general,alt.comp.os.windows-xp,comp.sys.hp.misc,comp.sys.hp.hardware,
comp.sys.laptops,alt.comp.virus,alt.comp.anti-virus

And he gives his source code too. Actually everything is in the 3
lines after the comments. Here they are for an HP netbook, for
example, but you have to look at the page too:

def decode(code):
    # Hash character (what the BIOS shows after three wrong tries) -> password character.
    table = {'1': '3', '0': '1', '3': 'F', '2': '7', '5': 'Q',
             '4': 'V', '7': 'X', '6': 'G', '9': 'O', '8': 'U', 'a': 'C', 'c': 'E',
             'b': 'P', 'e': 'M', 'd': 'T', 'g': 'H', 'f': '8', 'i': 'Y', 'h': 'Z',
             'k': 'S', 'j': 'W', 'm': '4', 'l': 'K', 'o': 'J', 'n': '9', 'q': '5',
             'p': '2', 's': 'N', 'r': 'B', 'u': 'L', 't': 'A', 'w': 'D', 'v': '6',
             'y': 'I', 'x': '4', 'z': '0'}
    # The post shows only the table; by its own description the decode is a
    # straight character-by-character substitution, which this line supplies.
    return ''.join(table[c] for c in code)

That is:
'1': '3',
'0': '1',
'3': 'F',
'2': '7',
'5': 'Q',
'4': 'V',
'7': 'X',
'6': 'G',
'9': 'O',
'8': 'U',
'a': 'C',
'c': 'E',
'b': 'P',
'e': 'M',
'd': 'T',
'g': 'H',
'f': '8',
'i': 'Y',
'h': 'Z',
'k': 'S',
'j': 'W',
'm': '4',
'l': 'K',
'o': 'J',
'n': '9',
'q': '5',
'p': '2',
's': 'N',
'r': 'B',
'u': 'L',
't': 'A',
'w': 'D',
'v': '6',
'y': 'I',
'x': '4',
'z': '0'

Which for some reason is 18 pairs of numbers or letters and what
character they should be converted to, each pair in reverse order from
the normal order of numbers or letters. As in a, c, b, d, f, e.... Do
you know why he did it that way? Anyhow, logically, if not
programmatically, it is the same as what follows so you don't even need
the program to do a mere 10 characters. Don't forget, this one is
just HP netbooks.

0: 1,
1: 3,
2: 7,
3: F,
4: V,
5: Q,
6: G,
7: X,
8: U,
9: O,
a: C,
b: P,
c: E,
d: T,
e: M,
f: 8,
g: H,
h: Z,
i: Y,
j: W,
k: S,
l: K,
m: 4,
n: 9,
o: J,
p: 2,
q: 5,
r: B,
s: N,
t: A,
u: L,
v: 6,
w: D,
x: 4,
y: I,
z: 0

Come to think of it, if the encoding is just simple replacement of one
character with another, it would be easy in most cases to figure out
the code. Just get a similar computer, set a password for the BIOS
using no character more than once, refuse to put the right password in
until you get the hash code at the end, and record the mapping. Do it
again with different passwords until you get all 36 characters. But
Dogbert has done this for you for many many computers. Let's hear it
for Dogbert! [thunderous applause]


Yes, I'm sure the malware did it, maybe to keep a user from changing
the boot order so that booting from the USB came first. Fortunately,
I had changed it already (although the virus seems to have changed it
back) and also fortunately this HP unit has a separate, afaik
non-password-protectable screen that allows a one-shot change in boot
order.
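An added example, not code from the post or from Dogbert's tool: it takes the HP table exactly as quoted above, checks whether it really is a one-to-one substitution (the property the "set a password with no repeated characters and read off the mapping" idea relies on), lists which hash strings decode to a given password, and decodes a constructed sample hash. The two alphabets and the sample hash are assumptions.

```python
# Added example (not from the post or from Dogbert's tool): checks whether the
# HP table quoted above is a true one-to-one substitution, and decodes a hash.
from collections import defaultdict
import string

# The table exactly as it appears in the post: hash character -> password character.
HP_TABLE = {'1': '3', '0': '1', '3': 'F', '2': '7', '5': 'Q',
            '4': 'V', '7': 'X', '6': 'G', '9': 'O', '8': 'U', 'a': 'C', 'c': 'E',
            'b': 'P', 'e': 'M', 'd': 'T', 'g': 'H', 'f': '8', 'i': 'Y', 'h': 'Z',
            'k': 'S', 'j': 'W', 'm': '4', 'l': 'K', 'o': 'J', 'n': '9', 'q': '5',
            'p': '2', 's': 'N', 'r': 'B', 'u': 'L', 't': 'A', 'w': 'D', 'v': '6',
            'y': 'I', 'x': '4', 'z': '0'}

# Assumed alphabets: the table's keys are lowercase alphanumerics, its values
# uppercase alphanumerics, so those are taken as the two character sets.
HASH_ALPHABET = string.digits + string.ascii_lowercase      # what the BIOS displays
PASSWORD_ALPHABET = string.digits + string.ascii_uppercase  # what decode() yields


def decode(code, table=HP_TABLE):
    """Map each hash character through the table (the post's decode(), made whole).
    Characters the table does not know are reported instead of silently dropped."""
    code = code.strip().lower()
    unknown = sorted({c for c in code if c not in table})
    if unknown:
        raise ValueError(f"hash contains characters not in the table: {unknown}")
    return "".join(table[c] for c in code)


def analyse_table(table):
    """Report whether the table is a bijection between the two alphabets.
    Returns (missing_inputs, missing_outputs, collisions); collisions maps a
    password character to every hash character that decodes to it."""
    missing_inputs = sorted(set(HASH_ALPHABET) - set(table))
    outputs = defaultdict(list)
    for hash_char, pw_char in table.items():
        outputs[pw_char].append(hash_char)
    missing_outputs = sorted(set(PASSWORD_ALPHABET) - set(outputs))
    collisions = {pw: sorted(src) for pw, src in outputs.items() if len(src) > 1}
    return missing_inputs, missing_outputs, collisions


def equivalent_hashes(password, table=HP_TABLE):
    """Every hash string that decode() turns into the given password, built from
    the inverse table. An empty list means no hash maps to that password under
    this table (it contains a character the table never produces)."""
    inverse = defaultdict(list)
    for hash_char, pw_char in table.items():
        inverse[pw_char].append(hash_char)
    result = [""]
    for pw_char in password.upper():
        result = [prefix + h for prefix in result for h in inverse[pw_char]]
    return sorted(result)


if __name__ == "__main__":
    missing_in, missing_out, coll = analyse_table(HP_TABLE)
    print("hash characters with no entry:", missing_in)
    print("password characters never produced:", missing_out)
    print("password characters with more than one hash character:", coll)
    sample = "0123456789"  # constructed hash for illustration, not one from the thread
    print(sample, "->", decode(sample))
```

Run as written, the check shows that the table as posted covers all 36 hash characters but never produces 'R' and maps both 'm' and 'x' to '4', so it is not quite the clean one-to-one replacement the post assumes.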
 
David H. Lipman

From: "mm" <NOPSAMmm2005@bigfoot.com>

| I think a virus put a BIOS password in my friend's HP Mini 1000
| netbook. I know I didn't do it, and I know it had malware. I've read
| online several other stories from those who never set a password and
| are still stuck with one.

< snip >

You've been making quite a few posts but it is time for you to realize that all viruses
are malware but not all malware are viruses. There are but a handful of true viruses and
dozens of worms but the vast majority are classified as some form of trojan.

Malware will not password the BIOS. It is an illogical payload. The malicious actor who
wrote the malware gains no benefit for himself nor a given cause or objective. It doesn't
help in the malware's self preservation nor can it have an effect on the OS of the
platform. In fact a BIOS password is OS independent.

It is like all the crap I find on my user's desktops and notebooks. When confronted they
almost always say they didn't put it there. OK, sometimes a toolbar or other software is
packaged with an update and I'll forgive them. But often I find "stuff" that got there
because it was deliberately installed. They put it there but won't take responsibility
for the action.

Someone set the BIOS password and it wasn't malware.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Peter Foldes

Forgot to mention. You also multiposted this aside from all the ones you crossposted
to.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect
 
mm

On Sat, 9 Oct 2010 23:14:19 -0400, "Peter Foldes" <okf22@hotmail.com>
wrote:

>mm
>
>And you have multiposted this to a few other groups.


Yes, I have.
>
>Kindly read the following
>
>http://www.blakjak.demon.co.uk/mul_crss.htm


Okay. I don't see how this applies to my post.

"Cross-posting is often wrong, because people tend to cross-post to
unsuitable groups.", but I didn't. Every group I chose had an
interest in this. Yes, the BIOS is unrelated to the operating system,
but everyone in those groups has to worry about his BIOS once in a
while. The people in the XP groups have helped me a lot and this was a
chance for me to help them.

"Multi-posting is a waste of bandwidth, money, and people's time, with
no advantages whatever, and should never be indulged in. "

That refers to multi-posting when cross-posting would have been
possible. But it wasn't fully possible here.

I split the groups into 2 sections because my news reader wouldn't let
me send to so many at one time. I wasn't asking for help; I wasn't
getting anything out of this for myself. I was telling people about a
valuable service that could save them 50 or 325 dollars, and still
allow them access to their BIOS for free, if they forgot their
password or someone or thing put one on without telling them. If they
recognize the subject line, they don't have to read it more than once,
or even once. I think people would rather get this twice than not at
all.
 
FromTheRafters

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i8r4bv01a5r@news7.newsguy.com...
> From: "mm" <NOPSAMmm2005@bigfoot.com>
>
> | I think a virus put a BIOS password in my friend's HP Mini 1000
> | netbook. I know I didn't do it, and I know it had malware. I've
> read
> | online several other stories from those who never set a password and
> | are still stuck with one.
>
> < snip >
>
> You've been making quite a few posts but it is time for you to realize
> that all viruses
> are malware but not all malware are viruses. There are but a handful
> of true viruses and
> dozens of worms but the vast majority are classified as some form of
> trojan.
>
> Malware will not password the BIOS. It is an illogical payload. The
> malicious actor who
> wrote the malware gains no benefit for himself nor a given cause or
> objective. It doesn't
> help in the malware's self preservation nor can it have an effect on
> the OS of the
> platform. In fact a BIOS password is OS independent.


It seems to me that there *would* be a slight advantage to making it
hard for the average victim (user) to access a way to clean boot an
infected machine. Besides, a payload doesn't *have* to be beneficial to
*anyone* (CIH's BIOS corruption for instance).

It's not likely that any specific mobile code malware would do this
considering all of the differences in settings that would be encountered
as it spread. Plus, it is trivial to set it back the way it should be by
dis-validating the checksum via the port access (or removing the
battery) - this usually results in the BIOS routine calling up the CMOS
Setup program for you.

I can envision malware with a targeted payload (specific BIOS being used
by the intended victim) where this could be done, but it would be easily
enough undone so as to make it not worthwhile. It reminds me again of my
appending @autoexec to my uncle's autoexec.bat file, it makes it
difficult to boot, but not insurmountable, to fix.
 
David H. Lipman

From: "FromTheRafters" <erratic@nomail.afraid.org>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:i8r4bv01a5r@news7.newsguy.com...
>> From: "mm" <NOPSAMmm2005@bigfoot.com>


>> | I think a virus put a BIOS password in my friend's HP Mini 1000
>> | netbook. I know I didn't do it, and I know it had malware. I've
>> read
>> | online several other stories from those who never set a password and
>> | are still stuck with one.


>> < snip >


>> You've been making quite a few posts but it is time for you to realize
>> that all viruses
>> are malware but not all malware are viruses. There are but a handful
>> of true viruses and
>> dozens of worms but the vast majority are classified as some form of
>> trojan.


>> Malware will not password the BIOS. It is an illogical payload. The
>> malicious actor who
>> wrote the malware gains no benefit for himself nor a given cause or
>> objective. It doesn't
>> help in the malware's self preservation nor can it have an effect on
>> the OS of the
>> platform. In fact a BIOS password is OS independent.


| It seems to me that there *would* be a slight advantage to making it
| hard for the average victim (user) to access a way to clean boot an
| infected machine. Besides, a payload doesn't *have* to be beneficial to
| *anyone* (CIH's BIOS corruption for instance).

| It's not likely that any specific mobile code malware would do this
| considering all of the differences in settings that would be encountered
| as it spread. Plus, it is trivial to set it back the way it should be by
| dis-validating the checksum via the port access (or removing the
| battery) - this usually results in the BIOS routine calling up the CMOS
| Setup program for you.

| I can envision malware with a targeted payload (specific BIOS being used
| by the intended victim) where this could be done, but it would be easily
| enough undone so as to make it not worthwhile. It reminds me again of my
| appending @autoexec to my uncle's autoexec.bat file, it makes it
| difficult to boot, but not insurmountable, to fix.



Assuming malware did indeed password protect the BIOS entries, are you saying it would be
an advantage to the malware that you couldn't, for example, change the Boot Order ?



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
FromTheRafters

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i8se420tnm@news6.newsguy.com...
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> | news:i8r4bv01a5r@news7.newsguy.com...
>>> From: "mm" <NOPSAMmm2005@bigfoot.com>

>
>>> | I think a virus put a BIOS password in my friend's HP Mini 1000
>>> | netbook. I know I didn't do it, and I know it had malware. I've
>>> read
>>> | online several other stories from those who never set a password
>>> and
>>> | are still stuck with one.

>
>>> < snip >

>
>>> You've been making quite a few posts but it is time for you to
>>> realize
>>> that all viruses
>>> are malware but not all malware are viruses. There are but a
>>> handful
>>> of true viruses and
>>> dozens of worms but the vast majority are classified as some form of
>>> trojan.

>
>>> Malware will not password the BIOS. It is an illogical payload.
>>> The
>>> malicious actor who
>>> wrote the malware gains no benefit for himself nor a given cause or
>>> objective. It doesn't
>>> help in the malware's self preservation nor can it have an effect on
>>> the OS of the
>>> platform. In fact a BIOS password is OS independent.

>
> | It seems to me that there *would* be a slight advantage to making it
> | hard for the average victim (user) to access a way to clean boot an
> | infected machine. Besides, a payload doesn't *have* to be beneficial
> to
> | *anyone* (CIH's BIOS corruption for instance).
>
> | It's not likely that any specific mobile code malware would do this
> | considering all of the differences in settings that would be
> encountered
> | as it spread. Plus, it is trivial to set it back the way it should
> be by
> | dis-validating the checksum via the port access (or removing the
> | battery) - this usually results in the BIOS routine calling up the
> CMOS
> | Setup program for you.
>
> | I can envision malware with a targeted payload (specific BIOS being
> used
> | by the intended victim) where this could be done, but it would be
> easily
> | enough undone so as to make it not worthwhile. It reminds me again
> of my
> | appending @autoexec to my uncle's autoexec.bat file, it makes it
> | difficult to boot, but not insurmountable, to fix.
>
>
>
> Assuming malware did indeed password protect the BIOS entries, are you
> saying it would be
> an advantage to the malware that you couldn't, for example, change the
> Boot Order ?


It might necessitate needing to slave the drive to a surrogate, if you
cannot boot from floppy, cd, or usb device. This, of course, assumes
that the malware could have changed settings such as the boot order, or
somehow otherwise made the floppy, cd, or usb device unusable for
booting. This just seems like an extension to the disabling of safe-mode
or corruption of restore points.

Not much of an incentive there for malware writers to bother with it
though, I'll admit.
 
FromTheRafters

"mm" <NOPSAMmm2005@bigfoot.com> wrote in message
news:ll32b6dbjasv168jvt2rnniucmc1mgvkv2@4ax.com...

[...]

> Yes, I'm sure the malware did it, maybe to keep a user from changing
> the boot order so that booting from the USB came first.


What malware did this?
 
David H. Lipman

From: "FromTheRafters" <erratic@nomail.afraid.org>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:i8se420tnm@news6.newsguy.com...
>> From: "FromTheRafters" <erratic@nomail.afraid.org>


>> | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
>> | news:i8r4bv01a5r@news7.newsguy.com...
>>>> From: "mm" <NOPSAMmm2005@bigfoot.com>


>>>> | I think a virus put a BIOS password in my friend's HP Mini 1000
>>>> | netbook. I know I didn't do it, and I know it had malware. I've
>>>> read
>>>> | online several other stories from those who never set a password
>>>> and
>>>> | are still stuck with one.


>>>> < snip >


>>>> You've been making quite a few posts but it is time for you to
>>>> realize
>>>> that all viruses
>>>> are malware but not all malware are viruses. There are but a
>>>> handful
>>>> of true viruses and
>>>> dozens of worms but the vast majority are classified as some form of
>>>> trojan.


>>>> Malware will not password the BIOS. It is an illogical payload.
>>>> The
>>>> malicious actor who
>>>> wrote the malware gains no benefit for himself nor a given cause or
>>>> objective. It doesn't
>>>> help in the malware's self preservation nor can it have an effect on
>>>> the OS of the
>>>> platform. In fact a BIOS password is OS independent.


>> | It seems to me that there *would* be a slight advantage to making it
>> | hard for the average victim (user) to access a way to clean boot an
>> | infected machine. Besides, a payload doesn't *have* to be beneficial
>> to
>> | *anyone* (CIH's BIOS corruption for instance).


>> | It's not likely that any specific mobile code malware would do this
>> | considering all of the differences in settings that would be
>> encountered
>> | as it spread. Plus, it is trivial to set it back the way it should
>> be by
>> | dis-validating the checksum via the port access (or removing the
>> | battery) - this usually results in the BIOS routine calling up the
>> CMOS
>> | Setup program for you.


>> | I can envision malware with a targeted payload (specific BIOS being
>> used
>> | by the intended victim) where this could be done, but it would be
>> easily
>> | enough undone so as to make it not worthwhile. It reminds me again
>> of my
>> | appending @autoexec to my uncle's autoexec.bat file, it makes it
>> | difficult to boot, but not insurmountable, to fix.




>> Assuming malware did indeed password protect the BIOS entries, are you
>> saying it would be
>> an advantage to the malware that you couldn't, for example, change the
>> Boot Order ?


| It might necessitate needing to slave the drive to a surrogate, if you
| cannot boot from floppy, cd, or usb device. This, of course, assumes
| that the malware could have changed settings such as the boot order, or
| somehow otherwise made the floppy, cd, or usb device unusable for
| booting. This just seems like an extension to the disabling of safe-mode
| or corruption of restore points.

| Not much of an incentive there for malware writers to bother with it
| though, I'll admit.

No but it is a VALID point. Thank you.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Dave Cohen

On 10/10/2010 10:09 AM, FromTheRafters wrote:
> "mm"<NOPSAMmm2005@bigfoot.com> wrote in message
> news:ll32b6dbjasv168jvt2rnniucmc1mgvkv2@4ax.com...
>
> [...]
>
>> Yes, I'm sure the malware did it, maybe to keep a user from changing
>> the boot order so that booting from the USB came first.

>
> What malware did this?
>
>

Is that a serious question?
 
FromTheRafters

"Dave Cohen" <user@example.net> wrote in message
news:i8skh2$los$1@news.eternal-september.org...
> On 10/10/2010 10:09 AM, FromTheRafters wrote:
>> "mm"<NOPSAMmm2005@bigfoot.com> wrote in message
>> news:ll32b6dbjasv168jvt2rnniucmc1mgvkv2@4ax.com...
>>
>> [...]
>>
>>> Yes, I'm sure the malware did it, maybe to keep a user from changing
>>> the boot order so that booting from the USB came first.

>>
>> What malware did this?
>>
>>

> Is that a serious question?


Yes, if the OP is sure, then there should be more information.
 
mm

On Sun, 10 Oct 2010 11:13:03 -0400, "FromTheRafters"
<erratic@nomail.afraid.org> wrote:

>"Dave Cohen" <user@example.net> wrote in message
>news:i8skh2$los$1@news.eternal-september.org...
>> On 10/10/2010 10:09 AM, FromTheRafters wrote:
>>> "mm"<NOPSAMmm2005@bigfoot.com> wrote in message
>>> news:ll32b6dbjasv168jvt2rnniucmc1mgvkv2@4ax.com...
>>>
>>> [...]
>>>
>>>> Yes, I'm sure the malware did it, maybe to keep a user from changing
>>>> the boot order so that booting from the USB came first.
>>>
>>> What malware did this?
>>>
>>>

>> Is that a serious question?

>
>Yes, if the OP is sure, then there should be more information.


I wanted to give a longer answer -- well, it came out pretty long
after all -- but in short, I was handed a netbook because it wouldn't
boot, malware was suspected, and just looking around, I checked out
the BIOS and I had no trouble and no need for a password getting into
it.

I checked out the computer with AVG from a flashdrive and it had at
least one virus. It ran again after AVG removed that, but 10 minutes
later, I got one of those screens saying there was a virus, which was
displayed by malware present on the computer, and whether it made
things worse or not, I fell for it and clicked on something, and then
it wouldn't boot. I used 6 different Boot Rescue anti-virus CD's and
each time I would have to press F9 to get it to boot from the CD.

Once in the dim light with the small print on the F-keys, I missed F9
and hit F10, which goes into the BIOS, and it displayed a simple black
screen with What is your CURRENT password? Guessing didn't work. I
tried F10 a few more times with the same result.

Googling, I found other examples of people who never set a BIOS
password but who got the same message I did.


I never set a password -- there is no reason I would do that, I don't
do that, and there is no way I would forget doing that if I did it.
The password was some strange set of 10 letters and numbers that would
be impossible for me to remember, and whenever I do set a password,
which is only when an ISP or a website requires one, I use one that is
easy to remember.

No password was required 3 or 4 days earlier, I was the only one who
touched the computer during all that time, and it was required 3 or 4
days after it wasn't. I conclude with a very high level of confidence
that the malware changed things and made the password required.


If malware can do all the other things it does, entering a number in
the password storage area doesn't seem much harder.

After 3 failed attempts to enter a password, most computer brands will
display a number, a hash number, which it turns out is directly
related to the password, and this HP did that. The programs at the web
page I gave decoded the hash number, and it worked the first time.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

The rest of the computer is working fine now too.
 
FromTheRafters

"mm" <NOPSAMmm2005@bigfoot.com> wrote in message
news:uv09b6dmkvoh93l8h2m2s8l0rolpvpv1ms@4ax.com...
> On Sun, 10 Oct 2010 11:13:03 -0400, "FromTheRafters"
> <erratic@nomail.afraid.org> wrote:
>
>>"Dave Cohen" <user@example.net> wrote in message
>>news:i8skh2$los$1@news.eternal-september.org...
>>> On 10/10/2010 10:09 AM, FromTheRafters wrote:
>>>> "mm"<NOPSAMmm2005@bigfoot.com> wrote in message
>>>> news:ll32b6dbjasv168jvt2rnniucmc1mgvkv2@4ax.com...
>>>>
>>>> [...]
>>>>
>>>>> Yes, I'm sure the malware did it, maybe to keep a user from
>>>>> changing
>>>>> the boot order so that booting from the USB came first.
>>>>
>>>> What malware did this?
>>>>
>>>>
>>> Is that a serious question?

>>
>>Yes, if the OP is sure, then there should be more information.

>
> I wanted to give a longer answer -- well, it came out pretty long
> after all -- but in short, I was handed a netbook because it wouldn't
> boot, malware was suspected, and just looking around, I checked out
> the BIOS and I had no trouble and no need for a password getting into
> it.
>
> I checked out the computer with AVG from a flashdrive and it had at
> least one virus. It ran again after AVG removed that, but 10 minutes
> later, I got one of those screens saying there was a virus, which was
> displayed by malware present on the computer, and whether it made
> things worse or not, I fell for it and clicked on something, and then
> it wouldn't boot. I used 6 different Boot Rescue anti-virus CD's and
> each time I would have to press F9 to get it to boot from the CD.
>
> Once in the dim light with the small print on the F-keys, I missed F9
> and hit F10, which goes into the BIOS, and it displayed a simple black
> screen with What is your CURRENT password? Guessing didn't work. I
> tried F10 a few more times with the same result.


It is possible that *this* was the problem.

....and it's CMOS not BIOS ... if your BIOS is passworded, you can't
boot.

> Googling, I found other examples of people who never set a BIOS
> password but who got the same message I did.


....and they probably all screamed "virus" even though it might have been
simple corruption or a weak CMOS battery.

> I never set a password -- there is no reason I would do that, I don't
> do that, and there is no way I would forget doing that if I did it.


> The password was some strange set of 10 letters and numbers that would
> be impossible for me to remember, and whenever I do set a password,
> which is only when an ISP or a website requires one, I use one that is
> easy to remember.


When a password recovery program gives you a password that works, it
doesn't necessarily mean that it is *the* password entered by the user.
Generally, it is an *equivalent* password arrived at by running an
algorithm against the password hash value.

This means that when you set it to "Fluffy", another *equivalent*
password might be æas¶o½¿

> No password was required 3 or 4 days earlier, I was the only one who
> touched the computer during all that time, and it was required 3 or 4
> days after it wasn't. I conclude with a very high level of confidence
> that the malware changed things and made the password required.


Okay.

> If malware can do all the other things it does, entering a number in
> the password storage area doesn't seem much harder.


No, in fact it would be easy enough. It's just that nobody seems to be
aware of any malware programs that do so. Probably because it would be
viewed as a waste of effort for so little gain by the malware writers.

> After 3 failed attempts to enter a password, most computer brands will
> display a number, a hash number, which it turns out is directly
> related to the password,


Hashes are usually compression algorithms, a smaller representation of
data that is *nearly* as unique as the data it represents. IOW the hash
is directly related to the password, but it may be directly related to
other possible passwords as well.

> and this HP did that. The programs at the web
> page I gave decoded the hash number, and it worked the first time.
>
> http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html
>
> The rest of the computer is working fine now too.


What hash value do you get when the password is blank, and you try the
wrong password three times?

Just curious,
 