It runs from the moment the PC is switched on and lives in the BIOS: this is a very sophisticated piece of malware.
The cybersecurity company Kaspersky has found a new strain of malware that survives even a full reinstall of Windows: "MosaicRegressor" installs itself in the BIOS (more precisely, in the UEFI firmware), the software the computer runs at power-on to initialise the hardware and hand over to the operating system. It is only the second time an implant of this kind has been found in the wild.
This means, among other things, that a complete reset of the operating system (a clean install: wipe and reinstall Windows) is not enough, even though that operation normally clears any infection because it erases everything on the drive where Windows lives.
It also means that MosaicRegressor survives a change of hard disk: it stays in the firmware, the "mother ship" from which the boot process is launched.
The deception is carried out through a file called "IntelUpdate.exe", that is, the payload is disguised as a firmware update (firmware being the low-level program that drives the PC's hardware).
Technically it is a "rootkit": a program designed to hide itself and keep privileged access to the machine once its security controls have been bypassed. It is highly resistant to conventional removal methods, basically because it runs before the operating system and the antivirus do.
The biggest problem is getting rid of it, which is genuinely difficult, because it is not at all common for malware to install itself in the firmware. Malware usually lives inside the operating system (Windows), which is why the usual remedy is a security product (Norton, Avira, McAfee, AVG, for example) or, in the worst case, wiping the whole disk and reinstalling Windows.
Kaspersky named the malware MosaicRegressor and discovered it during an investigation that showed it was already circulating: they found it "in the wild", as they put it, in diplomatic entities and non-governmental organisations in Africa, Asia and Europe. The company noted that all of the victims had some connection to North Korea, without giving further details.
"The purpose of this program is to install a malicious .exe file called 'IntelUpdate.exe' in the victim's Startup folder. Therefore, when Windows starts, the installed modules ensure that, if the malware file is removed from the disk, it is written back," explains Kaspersky.
Worse still, the company admits it is not clear how the malware was "spread": the evidence points almost inevitably to a bootable USB pen drive, which implies physical access to the machine, with the first infection then seeding the rest.
However, the cybersecurity community warns that this kind of malware is rare: Kaspersky's discovery is worrying because of the design of the malware, not because it has been distributed massively, which it has not.
BIOS stands for Basic Input/Output System and, as its name says, it is a standard program that every computer ships with. It is what is called "firmware": the code that handles the very first instructions the machine runs when the power button is pressed.
Today it is usually called "UEFI" (Unified Extensible Firmware Interface), a more modern replacement for the traditional BIOS, which generally had a rather rudimentary look. UEFI offers a friendlier environment and even allows the use of a mouse.
The key point is that the UEFI/BIOS "lives" on a flash memory chip on the motherboard, separate from the hard drive: that is why it does not disappear when Windows is reinstalled, nor when the hard drive is replaced.
So how do you get it out? There has to be a way other than "throwing away" the motherboard.
"Given the relative insularity of UEFI, even if this malicious file is detected, it is almost impossible to remove. Neither removing it nor reinstalling the operating system helps. The only way to fix the problem is to reflash the motherboard's firmware," explains the cybersecurity company.
This means that if the malware is present, the motherboard's firmware has to be rewritten from a clean copy: download the firmware image for the exact motherboard model from the manufacturer's site and write it to the chip with the manufacturer's flashing tool. Resetting the BIOS settings (clearing the CMOS) is not enough, since that only restores configuration and leaves the code on the chip untouched, and if the manufacturer's updater refuses to rewrite a version it considers already installed, an external SPI programmer may be needed. Some precautions are also required to avoid damaging the hardware, above all not interrupting power while the flash is in progress.
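The practical question raised by the last few paragraphs, and by Kaspersky's description of the firmware module that re-drops IntelUpdate.exe, is how to tell whether the chip actually matches the manufacturer's image, both before deciding to reflash and afterwards to confirm the reflash took. The following is an added example in Python, not code from the article or from Kaspersky's report: it compares a dump of the flash chip against the vendor image sector by sector, lets you exclude regions that legitimately change (the NVRAM variable store), and scans the dump for the one filename the article gives. The two images it works on are constructed in make_sample_images; the 4 KiB sector size and the 0xE000 NVRAM location are assumptions for the sample and must be adjusted to the real part and layout.

```python
import hashlib
import random
from typing import Iterable

# Typical SPI NOR erase-sector size; comparing at this granularity matches
# how a reflash rewrites the chip (assumption: adjust to your flash part).
SECTOR = 4096

# Indicator taken from the article: the firmware-side module drops a file of
# this name into the Windows Startup folder, so the name is normally embedded
# somewhere in the implant's code or data.
MARKERS = [b"IntelUpdate.exe"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_sectors(golden: bytes, dumped: bytes,
                 ignore: Iterable[tuple[int, int]] = ()) -> list[tuple[int, int]]:
    """Return [(offset, length), ...] for runs of sectors where `dumped`
    differs from `golden`.  `ignore` holds (offset, length) ranges to skip,
    e.g. the NVRAM variable store, which legitimately changes across boots."""
    if len(golden) != len(dumped):
        raise ValueError(f"size mismatch: golden={len(golden)} dumped={len(dumped)}")
    skip: set[int] = set()
    for off, length in ignore:
        skip.update(range(off // SECTOR, (off + length - 1) // SECTOR + 1))
    regions: list[tuple[int, int]] = []
    start = None
    for s in range(0, len(golden), SECTOR):
        same = s // SECTOR in skip or golden[s:s + SECTOR] == dumped[s:s + SECTOR]
        if not same and start is None:
            start = s                      # first sector of a modified run
        elif same and start is not None:
            regions.append((start, s - start))
            start = None
    if start is not None:
        regions.append((start, len(golden) - start))
    return regions


def find_markers(image: bytes, markers: Iterable[bytes] = MARKERS) -> dict[bytes, list[int]]:
    """Offsets of every occurrence of each indicator string in the image."""
    hits: dict[bytes, list[int]] = {}
    for m in markers:
        offs, i = [], image.find(m)
        while i != -1:
            offs.append(i)
            i = image.find(m, i + 1)
        hits[m] = offs
    return hits


def triage(golden: bytes, dumped: bytes, ignore: Iterable[tuple[int, int]] = ()) -> dict:
    """Summarise whether a dump matches its vendor image, and where it does not."""
    return {
        "golden_sha256": sha256_hex(golden),
        "dump_sha256": sha256_hex(dumped),
        "modified_regions": diff_sectors(golden, dumped, ignore),
        "markers": {m: o for m, o in find_markers(dumped).items() if o},
    }


def make_sample_images() -> tuple[bytes, bytes]:
    """Constructed sample data, not a real firmware dump: a 64 KiB 'vendor'
    image of deterministic filler, and a 'dump' of the same chip with a
    planted module in sector 5 and a changed NVRAM sector at 0xE000."""
    size = 64 * 1024
    golden = random.Random(1).randbytes(size)
    dump = bytearray(golden)
    planted = b"MZ" + b"\x90" * 200 + b"IntelUpdate.exe" + b"\x00" * 8
    dump[5 * SECTOR:5 * SECTOR + len(planted)] = planted
    dump[0xE000:0xE010] = b"\x11" * 16      # e.g. a boot counter in NVRAM
    return golden, bytes(dump)


if __name__ == "__main__":
    golden, dump = make_sample_images()
    # Assumed layout for the sample: NVRAM variable store at 0xE000-0xEFFF.
    report = triage(golden, dump, ignore=[(0xE000, 0x1000)])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real machine the dump comes from a tool such as flashrom (`flashrom -p internal -r dump.bin`) or chipsec (`chipsec_util spi dump dump.bin`), and the golden image from the manufacturer's update package, which often has to be unpacked first and may not cover the flash descriptor, management-engine or NVRAM regions; those are what the `ignore` list is for. A sector diff is a coarse first pass: any region it flags should then be opened with a UEFI firmware parser to see which module changed, and after reflashing the same comparison should come back empty outside the ignored ranges.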