Chinese security firm spots the return of the BIOS trojan in the wild

The discovery marks a return to the bad old days of the 1990s when BIOS-corrupting malware was relatively common and had the nasty habit of requiring a workshop re-code of the BIOS chip set in order to remediate the problem.

This is because, Infosecurity notes, the BIOS is the bootstrap that allows a computer to boot up from scratch – without a BIOS interface, the computer cannot use conventional hardware-strap techniques to boot from any of its storage devices, or even a back-up USB stick, for example.

According to the H Online newswire, the malware has been dubbed Mebromi by 360 and, when executing, it first checks to see whether the victim's computer uses an Award BIOS.

If this is the case, it uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) in order to infect the winlogon.exe process (Windows XP and 2003) or the winnt.exe process (Windows 2000) before the Windows kernel boots.

According to the German newswire, the next time Windows launches, the malware downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. This means that, even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted.

And more bad news: Mebromi can also survive a change of hard drive. If the computer doesn't use an Award BIOS, the malware code simply infects the MBR.
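As an added defensive illustration, not code from the Infosecurity or H Online articles nor 360's tooling: a small MBR baseline check that flags the kind of boot-code modification described above, which is how a re-infection after a disk clean would show up. The sample MBR bytes, the stub boot code and the baseline hash are constructed here; in practice the baseline comes from a known-clean image of the specific machine.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 510    # 0x55AA boot signature sits at bytes 510..511


def parse_mbr(image: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and signature."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(image)}")
    return {
        "boot_code": image[:BOOT_CODE_LEN],
        "partitions": [image[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
                       for i in range(4)],
        "signature": image[SIGNATURE_OFFSET:],
    }


def check_mbr(image: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the boot code matches the baseline."""
    findings = []
    mbr = parse_mbr(image)
    if mbr["signature"] != b"\x55\xaa":
        findings.append("boot signature missing or corrupted")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"boot code hash {digest[:16]}... differs from baseline")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: stub boot code, one bootable partition entry."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status, CHS start (3 bytes), type 0x07, CHS end (3 bytes), LBA start, sectors
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return body + table + b"\x55\xaa"


CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stub
BASELINE = hashlib.sha256(parse_mbr(CLEAN_MBR)["boot_code"]).hexdigest()
# Constructed tampered image: only the boot-code region differs from the baseline.
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # prints []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # prints one finding
```

Comparing the partition table entries against the baseline as well catches the case where the table, rather than the boot code, has been rewritten.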
