Someone locked you out of your BIOS, never fear.


mm

I think a virus put a BIOS password in my friend's HP Mini 1000
netbook. I know I didn't do it, and I know it had malware. I've read
online several other stories from those who never set a password and
are still stuck with one.

I read about one repair shop that wanted 325 dollars to unlock the
BIOS.

Another website wanted $50,

But Dogbert has programs to do it for free!

For HP, Dell, Fujitsu, Samsung, Compaq, and all that use Phoenix
bioses.

Check it out.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

Let's hear it for Dogbert! [enormous applause]

I don't know if he says it, but the hash number to convert shows up
after you enter the wrong password three times in a row.

(add more newsgroups, had to split into 2 or more posts)
microsoft.public.windowsxp.general,alt.comp.os.windows-xp,comp.sys.hp.misc,comp.sys.hp.hardware,
comp.sys.laptops,alt.comp.virus,alt.comp.anti-virus

And he gives his source code too. Actually everything is in the 3
lines after the comments. Here they are for an HP netbook, for
example, but you have to look at the page too:

def decode(code):
    table = {'1': '3', '0': '1', '3': 'F', '2': '7', '5': 'Q',
             '4': 'V', '7': 'X', '6': 'G', '9': 'O', '8': 'U', 'a': 'C', 'c': 'E',
             'b': 'P', 'e': 'M', 'd': 'T', 'g': 'H', 'f': '8', 'i': 'Y', 'h': 'Z',
             'k': 'S', 'j': 'W', 'm': '4', 'l': 'K', 'o': 'J', 'n': '9', 'q': '5',
             'p': '2', 's': 'N', 'r': 'B', 'u': 'L', 't': 'A', 'w': 'D', 'v': '6',
             'y': 'I', 'x': '4', 'z': '0'}
    # The post pasted only the table; this return is added so the snippet runs
    # and applies the one-for-one character replacement the post describes.
    return ''.join(table[c] for c in code)

That is:
'1': '3',
'0': '1',
'3': 'F',
'2': '7',
'5': 'Q',
'4': 'V',
'7': 'X',
'6': 'G',
'9': 'O',
'8': 'U',
'a': 'C',
'c': 'E',
'b': 'P',
'e': 'M',
'd': 'T',
'g': 'H',
'f': '8',
'i': 'Y',
'h': 'Z',
'k': 'S',
'j': 'W',
'm': '4',
'l': 'K',
'o': 'J',
'n': '9',
'q': '5',
'p': '2',
's': 'N',
'r': 'B',
'u': 'L',
't': 'A',
'w': 'D',
'v': '6',
'y': 'I',
'x': '4',
'z': '0'

Which for some reason is 18 pairs of numbers or letters and what
character they should be converted to, each pair in reverse order from
the normal order of numbers or letters. As in a, c, b, d, f, e.... Do
you know why he did it that way? Anyhow, logically, if not
programmatically, it is the same as what follows so you don't even need
the program to do a mere 10 characters. Don't forget, this one is
just HP netbooks.

0: 1,
1: 3,
2: 7,
3: F,
4: V,
5: Q,
6: G,
7: X,
8: U,
9: O,
a: C,
b: P,
c: E,
d: T,
e: M,
f: 8,
g: H,
h: Z,
i: Y,
j: W,
k: S,
l: K,
m: 4,
n: 9,
o: J,
p: 2,
q: 5,
r: B,
s: N,
t: A,
u: L,
v: 6,
w: D,
x: 4,
y: I,
z: 0

Come to think of it, if the encoding is just simple replacement of one
character with another, it would be easy in most cases to figure out
the code. Just get a similar computer, set a password for the BIOS
using no character more than once, refuse to put the right password in
until you get the hash code at the end, and record the mapping. Do it
again with different passwords until you get all 36 characters. But
Dogbert has done this for you for many many computers. Let's hear it
for Dogbert! [thunderous applause]
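Added example (my code, not Dogbert's and not from the post): the post's HP-netbook table used in both directions. decode() turns the hash shown after three wrong passwords into a password, and learn_table() follows the post's recipe (set a password with no repeated characters on a similar machine, read the hash, record the mapping) and reports which hash characters are still uncovered. The "test machine" is a constructed simulation built by inverting the table; HASH_ALPHABET, run_recipe and the trial passwords are my own.

```python
# Added example, not Dogbert's code or code from the post: the post's HP-netbook
# table used in both directions. decode() turns the hash shown after three wrong
# passwords into a password; learn_table() follows the post's recipe (set a
# password with no repeated characters on a similar machine, read the hash,
# record the mapping) and reports what is still uncovered.
HP_MINI_TABLE = {
    '0': '1', '1': '3', '2': '7', '3': 'F', '4': 'V', '5': 'Q', '6': 'G',
    '7': 'X', '8': 'U', '9': 'O', 'a': 'C', 'b': 'P', 'c': 'E', 'd': 'T',
    'e': 'M', 'f': '8', 'g': 'H', 'h': 'Z', 'i': 'Y', 'j': 'W', 'k': 'S',
    'l': 'K', 'm': '4', 'n': '9', 'o': 'J', 'p': '2', 'q': '5', 'r': 'B',
    's': 'N', 't': 'A', 'u': 'L', 'v': '6', 'w': 'D', 'x': '4', 'y': 'I',
    'z': '0',
}
HASH_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz'  # the 36 table keys


def decode(hash_code, table=HP_MINI_TABLE):
    """One-for-one substitution; a hash character not in the table raises."""
    return ''.join(table[c] for c in hash_code)


def learn_table(observations):
    """observations: (password_set, hash_shown) pairs from a test machine.
    Returns (hash->password table, hash characters still unobserved). Raises
    ValueError if one password character ever yields two different hash
    characters, which would mean the scheme is not a plain substitution."""
    pw_to_hash = {}
    for password, hash_shown in observations:
        if len(password) != len(hash_shown):
            raise ValueError('hash and password lengths differ')
        for p, h in zip(password, hash_shown):
            if pw_to_hash.setdefault(p, h) != h:
                raise ValueError(f'{p!r} gave both {pw_to_hash[p]!r} and {h!r}')
    table = {h: p for p, h in pw_to_hash.items()}
    return table, set(HASH_ALPHABET) - set(table)


def simulated_machine(password, table=HP_MINI_TABLE):
    """Constructed stand-in for the test machine: the hash it would display,
    derived by inverting the table. Where two hash characters share a password
    character ('m' and 'x' both give '4' above) the first key is used."""
    inverse = {}
    for h, p in table.items():
        inverse.setdefault(p, h)
    return ''.join(inverse[c] for c in password)


def run_recipe(trial_passwords):
    """Run the post's recipe against the simulated machine and return the
    learned table plus the number of hash characters still uncovered."""
    observations = [(pw, simulated_machine(pw)) for pw in trial_passwords]
    learned, uncovered = learn_table(observations)
    return learned, len(uncovered)


if __name__ == '__main__':
    # Constructed trial passwords, each with no repeated character.
    learned, missing = run_recipe(['3F7Q1', 'VXGOU', 'CEPMT'])
    print(decode('13250', learned), missing)  # 3F7Q1 21
```

Three five-character trials cover 15 of the 36 hash characters; the learned partial table already decodes any hash made only of those characters.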


Yes, I'm sure the malware did it, maybe to keep a user from changing
the boot order so that booting from the USB came first. Fortunately,
I had changed it already (although the virus seems to have changed it
back) and also fortunately this HP unit has a separate, afaik
non-password-protectable screen that allows a one-shot change in boot
order.
 
From: "mm" <[email protected]>

| I think a virus put a BIOS password in my friend's HP Mini 1000
| netbook. I know I didn't do it, and I know it had malware. I've read
| online several other stories from those who never set a password and
| are still stuck with one.

< snip >

You've been making quite a few posts but it is time for you to realize that all viruses
are malware but not all malware are viruses. There are but a handful of true viruses and
dozens of worms but the vast majority are classified as some form of trojan.

Malware will not password the BIOS. It is an illogical payload. The malicious actor who
wrote the malware gains no benefit for himself nor a given cause or objective. It doesn't
help in the malware's self preservation nor can it have an effect on the OS of the
platform. In fact a BIOS password is OS independent.

It is like all the crap I find on my user's desktops and notebooks. When confronted they
almost always say they didn't put it there. OK, sometimes a toolbar or other software is
packaged with an update and I'll forgive them. But often I find "stuff" that got there
because it was deliberately installed. They put it there but won't take responsibility
for the action.

Someone set the BIOS password and it wasn't malware.
 
Forgot to mention. You also multiposted this aside from all the ones you crossposted
to.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect
 
mm

And you have multiposted this to a few other groups.

Yes, I have.

Okay. I don't see how this applies to my post.

"Cross-posting is often wrong, because people tend to cross-post to
unsuitable groups.", but I didn't. Every group I chose had an
interest in this. Yes, the BIOS is unrelated to the operating system,
but everyone in those groups has to worry about his BIOS once in a
while. The people in the XP groups have helped me a lot and this was a
chance for me to help them.

"Multi-posting is a waste of bandwidth, money, and people's time, with
no advantages whatever, and should never be indulged in. "

That refers to multi-posting when cross-posting would have been
possible. But it wasn't fully possible here.

I split the groups into 2 sections because my news reader wouldn't let
me send to so many at one time. I wasn't asking for help; I wasn't
getting anything out of this for myself. I was telling people about a
valuable service that could save them 50 or 325 dollars, and still
allow them access to their BIOS for free, if they forgot their
password or someone or thing put one on without telling them. If they
recognize the subject line, they don't have to read it more than once,
or even once. I think people would rather get this twice than not at
all.
 
David H. Lipman said:
From: "mm" <[email protected]>

| I think a virus put a BIOS password in my friend's HP Mini 1000
| netbook. I know I didn't do it, and I know it had malware. I've read
| online several other stories from those who never set a password and
| are still stuck with one.

< snip >

You've been making quite a few posts but it is time for you to realize
that all viruses are malware but not all malware are viruses. There are
but a handful of true viruses and dozens of worms but the vast majority
are classified as some form of trojan.

Malware will not password the BIOS. It is an illogical payload. The
malicious actor who wrote the malware gains no benefit for himself nor a
given cause or objective. It doesn't help in the malware's self
preservation nor can it have an effect on the OS of the platform. In
fact a BIOS password is OS independent.

It seems to me that there *would* be a slight advantage to making it
hard for the average victim (user) to access a way to clean boot an
infected machine. Besides, a payload doesn't *have* to be beneficial to
*anyone* (CIH's BIOS corruption for instance).

It's not likely that any specific mobile code malware would do this
considering all of the differences in settings that would be encountered
as it spread. Plus, it is trivial to set it back the way it should be by
dis-validating the checksum via the port access (or removing the
battery) - this usually results in the BIOS routine calling up the CMOS
Setup program for you.

I can envision malware with a targeted payload (specific BIOS being used
by the intended victim) where this could be done, but it would be easily
enough undone so as to make it not worthwhile. It reminds me again of my
appending @autoexec to my uncle's autoexec.bat file, it makes it
difficult to boot, but not insurmountable, to fix.
 
From: "FromTheRafters" <[email protected]>


| It seems to me that there *would* be a slight advantage to making it
| hard for the average victim (user) to access a way to clean boot an
| infected machine. Besides, a payload doesn't *have* to be beneficial to
| *anyone* (CIH's BIOS corruption for instance).

| It's not likely that any specific mobile code malware would do this
| considering all of the differences in settings that would be encountered
| as it spread. Plus, it is trivial to set it back the way it should be by
| dis-validating the checksum via the port access (or removing the
| battery) - this usually results in the BIOS routine calling up the CMOS
| Setup program for you.

| I can envision malware with a targeted payload (specific BIOS being used
| by the intended victim) where this could be done, but it would be easily
| enough undone so as to make it not worthwhile. It reminds me again of my
| appending @autoexec to my uncle's autoexec.bat file, it makes it
| difficult to boot, but not insurmountable, to fix.



Assuming malware did indeed password protect the BIOS entries, are you saying it would be
an advantage to the malware that you couldn't, for example, change the Boot Order ?
 
David H. Lipman said:
From: "FromTheRafters" <[email protected]>



| It seems to me that there *would* be a slight advantage to making it
| hard for the average victim (user) to access a way to clean boot an
| infected machine. Besides, a payload doesn't *have* to be beneficial to
| *anyone* (CIH's BIOS corruption for instance).

| It's not likely that any specific mobile code malware would do this
| considering all of the differences in settings that would be encountered
| as it spread. Plus, it is trivial to set it back the way it should be by
| dis-validating the checksum via the port access (or removing the
| battery) - this usually results in the BIOS routine calling up the CMOS
| Setup program for you.

| I can envision malware with a targeted payload (specific BIOS being used
| by the intended victim) where this could be done, but it would be easily
| enough undone so as to make it not worthwhile. It reminds me again of my
| appending @autoexec to my uncle's autoexec.bat file, it makes it
| difficult to boot, but not insurmountable, to fix.



Assuming malware did indeed password protect the BIOS entries, are you
saying it would be an advantage to the malware that you couldn't, for
example, change the Boot Order ?

It might necessitate needing to slave the drive to a surrogate, if you
cannot boot from floppy, cd, or usb device. This, of course, assumes
that the malware could have changed settings such as the boot order, or
somehow otherwise made the floppy, cd, or usb device unusable for
booting. This just seems like an extension to the disabling of safe-mode
or corruption of restore points.

Not much of an incentive there for malware writers to bother with it
though, I'll admit.
 
[...]
Yes, I'm sure the malware did it, maybe to keep a user from changing
the boot order so that booting from the USB came first.

What malware did this?
 
From: "FromTheRafters" <[email protected]>


| It might necessitate needing to slave the drive to a surrogate, if you
| cannot boot from floppy, cd, or usb device. This, of course, assumes
| that the malware could have changed settings such as the boot order, or
| somehow otherwise made the floppy, cd, or usb device unusable for
| booting. This just seems like an extension to the disabling of safe-mode
| or corruption of restore points.

| Not much of an incentive there for malware writers to bother with it
| though, I'll admit.

No but it is a VALID point. Thank you.
 
From: "Caesar Romano" <[email protected]>

| On Sun, 10 Oct 2010 08:19:49 -0400, "FromTheRafters"

| Good point.

Yes but in that case corruption IS the payload. The CIH (aka; Chernobyl) also deletes
data from the hard disk. It does it on a calendar basis.

While today the great preponderance is based upon financial incentive, when the CIH was
written it was for bragging rights or just to be mischievous.

The objective was to deliberately cause HARM to the affected computer.

Password protecting the BIOS has very little potential even for being mischievous.
 
Caesar Romano said:
Good point.

CIH delivers a harsh message indeed, but around that time most
self-distributing malware (viruses and worms) were used for delivering
messages from simple text outputted to the screen, to data destruction
(sometimes extortion through cryptovirology). Now, it is all about
stealing computing power and hiding that fact as well as possible, for
as long as possible, so as to maintain that ability (perhaps to send a
bigger message later). They all want to 'do stuff' that is network
related (updating themselves, communicating with other fragments,
sending out user keystroke logs, etc...), which can be detected by
network administrators even though they might be fairly well hidden from
the local user.

Old style viruses didn't have to expend energy to conceal their
activity, they could just lay dormant until their host program was
executed. People today tend to forget that that scenario can still be a
threat - witness Stuxnet (a worm), where it's *really* all about the
payload, not the delivery methods.
 
Dave Cohen said:
[...]

Yes, I'm sure the malware did it, maybe to keep a user from changing
the boot order so that booting from the USB came first.

What malware did this?
Is that a serious question?

Yes, if the OP is sure, then there should be more information.

I wanted to give a longer answer -- well, it came out pretty long
after all -- but in short, I was handed a netbook because it wouldn't
boot, malware was suspected, and just looking around, I checked out
the BIOS and I had no trouble and no need for a password getting into
it.

I checked out the computer with AVG from a flashdrive and it had at
least one virus. It ran again after AVG removed that, but 10 minutes
later, I got one of those screens saying there was a virus, which was
displayed by malware present on the computer, and whether it made
things worse or not, I fell for it and clicked on something, and then
it wouldn't boot. I used 6 different Boot Rescue anti-virus CD's and
each time I would have to press F9 to get it to boot from the CD.

Once in the dim light with the small print on the F-keys, I missed F9
and hit F10, which goes into the BIOS, and it displayed a simple black
screen with What is your CURRENT password? Guessing didn't work. I
tried F10 a few more times with the same result.

Googling, I found other examples of people who never set a BIOS
password but who got the same message I did.


I never set a password -- there is no reason I would do that, I don't
do that, and there is no way I would forget doing that if I did it.
The password was some strange set of 10 letters and numbers that would
be impossible for me to remember, and whenever I do set a password,
which is only when an ISP or a website requires one, I use one that is
easy to remember.

No password was required 3 or 4 days earlier, I was the only one who
touched the computer during all that time, and it was required 3 or 4
days after it wasn't. I conclude with a very high level of confidence
that the malware changed things and made the password required.


If malware can do all the other things it does, entering a number in
the password storage area doesn't seem much harder.

After 3 failed attempts to enter a password, most computer brands will
display a number, a hash number, which it turns out is directly
related to the password, and this HP did that. The programs at the web
page I gave decoded the hash number, and it worked the first time.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

The rest of the computer is working fine now too.
 
mm said:
Dave Cohen said:
On 10/10/2010 10:09 AM, FromTheRafters wrote:

[...]

Yes, I'm sure the malware did it, maybe to keep a user from
changing
the boot order so that booting from the USB came first.

What malware did this?


Is that a serious question?

Yes, if the OP is sure, then there should be more information.

I wanted to give a longer answer -- well, it came out pretty long
after all -- but in short, I was handed a netbook because it wouldn't
boot, malware was suspected, and just looking around, I checked out
the BIOS and I had no trouble and no need for a password getting into
it.

I checked out the computer with AVG from a flashdrive and it had at
least one virus. It ran again after AVG removed that, but 10 minutes
later, I got one of those screens saying there was a virus, which was
displayed by malware present on the computer, and whether it made
things worse or not, I fell for it and clicked on something, and then
it wouldn't boot. I used 6 different Boot Rescue anti-virus CD's and
each time I would have to press F9 to get it to boot from the CD.

Once in the dim light with the small print on the F-keys, I missed F9
and hit F10, which goes into the BIOS, and it displayed a simple black
screen with What is your CURRENT password? Guessing didn't work. I
tried F10 a few more times with the same result.

It is possible that *this* was the problem.

....and it's CMOS not BIOS ... if your BIOS is passworded, you can't
boot.
Googling, I found other examples of people who never set a BIOS
password but who got the same message I did.

....and they probably all screamed "virus" even though it might have been
simple corruption or a weak CMOS battery.
I never set a password -- there is no reason I would do that, I don't
do that, and there is no way I would forget doing that if I did it.
The password was some strange set of 10 letters and numbers that would
be impossible for me to remember, and whenever I do set a password,
which is only when an ISP or a website requires one, I use one that is
easy to remember.

When a password recovery program gives you a password that works, it
doesn't necessarily mean that it is *the* password entered by the user.
Generally, it is an *equivalent* password arrived at by running an
algorithm against the password hash value.

This means that when you set it to "Fluffy", another *equivalent*
password might be æas¶o½¿
No password was required 3 or 4 days earlier, I was the only one who
touched the computer during all that time, and it was required 3 or 4
days after it wasn't. I conclude with a very high level of confidence
that the malware changed things and made the password required.
Okay.

If malware can do all the other things it does, entering a number in
the password storage area doesn't seem much harder.

No, in fact it would be easy enough. It's just that nobody seems to be
aware of any malware programs that do so. Probably because it would be
viewed as a waste of effort for so little gain by the malware writers.
After 3 failed attempts to enter a password, most computer brands will
display a number, a hash number, which it turns out is directly
related to the password,

Hashes are usually compression algorithms, a smaller representation of
data that is *nearly* as unique as the data it represents. IOW the hash
is directly related to the password, but it may be directly related to
other possible passwords as well.
and this HP did that. The programs at the web
page I gave decoded the hash number, and it worked the first time.

http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

The rest of the computer is working fine now too.

What hash value do you get when the password is blank, and you try the
wrong password three times?

Just curious,
 