Virus Spyware CMOS Issues


What is CMOS?

CMOS RAM (complementary metal-oxide-semiconductor) is a small block of battery-backed memory that stores the computer's boot settings, including the system clock. The BIOS ROM (basic input/output system) is firmware that reads the CMOS contents to learn which devices it needs to control. The BIOS ROM contains the instructions to load the operating system and the default settings of the motherboard, while the CMOS RAM holds the custom settings that override those defaults.

A CMOS virus infection is much like a BIOS flash update gone wrong. This type of virus was prevalent when firmware updates, or BIOS flashing, from within the operating system were a new feature for motherboards. The feature lets users with hardware incompatibility issues update the motherboard themselves. Today, motherboard manufacturers and OS vendors provide features and restrictions that protect against, or prevent, flashing the BIOS directly from third-party applications.

The CMOS spyware, however, does not modify the BIOS. It simply uses the word CMOS to name its files and folders. As spyware, it can steal information from MSN Messenger accounts. It sends the gathered information to a remote computer, from which it also downloads additional files as its way of updating itself. If you are confused about the terms virus and spyware, you can read this article to learn the difference.

Fixing CMOS Error

During boot-up, the BIOS computes a checksum over the CMOS RAM. The checksum reveals whether the settings have changed since the last boot; if the stored and computed values do not match, the BIOS displays an error. Usually, a CMOS error occurs because a failing CMOS battery needs replacement or because new hardware has been added.

Replacing the CMOS battery requires you to open the computer case and follow this Bright Hub tutorial. For new hardware, just follow the message displayed during the boot-up process.

Fixing BIOS Infection

The most widely known virus to have infected the BIOS is CIH, also known as the Chernobyl virus. Fortunately, it only worked on certain 486 motherboards with Intel chipsets. Fixing a BIOS damaged by CIH requires the BIOS chip to be removed and reprogrammed using specialized hardware. There are reprogramming services that repair the BIOS for under $30. If your motherboard is worth less than $30, then I would suggest buying a new motherboard.

A damaged BIOS does not mean the end of the important data stored on the hard disk; that data can still be recovered. The Gibson Research Corporation has a tool for CIH-infected computers that can restore the hard disk drive completely. There are also hard drive recovery tools that are not specific to a CIH infection.

Fixing CMOS Spyware

The CMOS spyware we will remove is known by Microsoft as TrojanDownloader:Win32/Banload.

It arrives via email with the following content:

Clicking the link downloads the file foto26.com, which shows the following icon when renamed with an .exe extension:

Spyware Icon

In order to remove this spyware, follow the steps below.

The files dropped by the CMOS spyware; notice the icon depicting a CMOS chip.

Delete the cmos folder on drive C, which contains the following files:

  • c:\cmos\xlr.exe
  • c:\cmos\xlr2.exe
  • c:\cmos\xln.cpl
  • c:\cmos\xlb.cpl

Then delete their registry entries xln, xlr, xlb and xlr2, which are located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
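The removal steps above can be checked and carried out with the following PowerShell script. It is an added example, not part of the original article or of any Microsoft tool: the file paths and Run value names are the ones listed above, the process names are assumed to match the dropped .exe file names, and the script is assumed to run from an elevated prompt. Without -Remove it only reports what it finds.

```powershell
# Added example: detect (and optionally remove) the CMOS spyware indicators
# described in this article. Paths and value names come from the article;
# process names are assumed from the .exe file names. Run elevated.
param([switch]$Remove)

$Folder = 'C:\cmos'
$Files  = @('xlr.exe', 'xlr2.exe', 'xln.cpl', 'xlb.cpl') | ForEach-Object { Join-Path $Folder $_ }
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Values = @('xln', 'xlr', 'xlb', 'xlr2')

$found = @()

# Check for the dropped files in C:\cmos
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $found += [pscustomobject]@{ Type = 'File'; Location = $f }
    }
}

# Check for the autorun entries under the HKLM Run key
if (Test-Path -LiteralPath $RunKey) {
    $run = Get-ItemProperty -LiteralPath $RunKey
    foreach ($v in $Values) {
        if ($null -ne $run.PSObject.Properties[$v]) {
            $found += [pscustomobject]@{ Type = 'RunValue'; Location = "$RunKey\$v = $($run.$v)" }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No CMOS spyware indicators found.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    # Stop the dropped executables if running (assumed process names), remove the
    # autorun entries so nothing relaunches, then delete the folder and its files.
    Get-Process -Name 'xlr', 'xlr2' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($v in $Values) {
        Remove-ItemProperty -LiteralPath $RunKey -Name $v -ErrorAction SilentlyContinue
    }
    if (Test-Path -LiteralPath $Folder) {
        Remove-Item -LiteralPath $Folder -Recurse -Force
    }
    Write-Output 'Indicators removed; reboot and re-run this script to confirm.'
}
```

Save it as a .ps1 file, run it once to confirm the indicators are present, then run it again with -Remove.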