The cybersecurity company Kaspersky has detected, for only the second time, a new strain of virus that does not go away even when Windows is reinstalled: “MosaicRegressor” installs itself in the BIOS (UEFI), that is, the software a computer uses to start up and run the basic services needed to turn the PC on.
This means, among other things, that a complete reset of the operating system (a clean install, or uninstalling and reinstalling) is not enough. That operation usually resolves any infection because it wipes everything from the storage drive where Windows is installed.
It also means that even changing the hard disk does not get rid of MosaicRegressor, which stays put in that “mothership” that is the BIOS, from which the boot process runs.
The deception relies on a file called “IntelUpdate.exe”, that is, it is disguised as a firmware update (firmware being the program that drives the PC’s electronic circuits).
At a technical level, it is a “rootkit” (a program that gives itself administrator access after breaking through security barriers) with a very high resistance to traditional removal methods, basically because it runs before the operating system and your antivirus start.
The biggest problem is how to get it out: it is genuinely very difficult. That is because it is not at all common for a virus to install itself in the BIOS: viruses are usually installed in the operating system (Windows), which is why the solution is usually to use a security program (Norton, Avira, McAfee, AVG, for example) or, in the worst case, to erase the entire disk and reinstall Windows.
The malware (malicious program) was christened MosaicRegressor by Kaspersky and was discovered during an investigation in which the researchers realized the virus was already circulating: they found it “in the wild”, as they put it, specifically in non-governmental organizations in Africa, Asia and Europe. They also found connections with Kim Jong-un’s North Korea, although they did not give details.
They state that the new virus has ties to North Korea, the regime led by Kim Jong-un. Photo: Korean Central News Agency.
“The purpose of this program is to install a malicious .exe file called ‘IntelUpdate.exe’ in the victim’s home folder. Therefore, when Windows starts, the installed modules would ensure that if the malware file is removed from the disk, it will be rewritten,” explains Kaspersky.
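That description gives a defender a concrete, cheap check: the part of the infection that lives inside Windows is a named file that keeps coming back after you delete it. The script below is an added example, not Kaspersky’s code or anything from the malware itself. It looks in the standard Windows Startup folders for the dropper name the report gives (“IntelUpdate.exe”), records what is there, deletes it the way an operator normally would, waits, and flags the file as re-created if it reappears. The Startup folder paths are the usual Windows ones; the function names and the simulated “re-writer” in the demo are constructed for this example.

```python
"""Check whether the on-disk dropper described in the report comes back after deletion.

Added example (not Kaspersky's or MosaicRegressor's code). A file that is
re-created after an operator removed it, with no Windows process to blame,
is the symptom the report describes: the copy on disk is being rewritten
from outside the operating system.
"""
import hashlib
import os
import time
from pathlib import Path

# Indicator name taken from the report, matched case-insensitively.
INDICATOR_NAMES = {"intelupdate.exe"}


def startup_folders() -> list[Path]:
    """Standard per-user and all-users Startup folders that exist on this machine."""
    candidates: list[Path] = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("ProgramData")
    if appdata:
        candidates.append(Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup"))
    if programdata:
        candidates.append(Path(programdata, "Microsoft", "Windows", "Start Menu", "Programs", "StartUp"))
    return [p for p in candidates if p.is_dir()]


def snapshot(folder: Path) -> dict[str, str]:
    """Map every regular file in folder (lower-cased name) to its SHA-256 hex digest."""
    snap: dict[str, str] = {}
    for entry in folder.iterdir():
        if entry.is_file():
            snap[entry.name.lower()] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return snap


def find_indicators(snap: dict[str, str]) -> dict[str, str]:
    """Return only the snapshot entries whose name is a known indicator."""
    return {name: digest for name, digest in snap.items() if name in INDICATOR_NAMES}


def recreated(deleted: set[str], after: dict[str, str]) -> list[str]:
    """Indicator files the operator deleted that are present again in a later snapshot."""
    return sorted(name for name in deleted if name in after and name in INDICATOR_NAMES)


def verdict(deleted: set[str], after: dict[str, str]) -> str:
    """Summarise what a reappearance means for the clean-up the report describes."""
    if not deleted:
        return "no indicator present"
    if recreated(deleted, after):
        return "re-created after deletion: something outside Windows is rewriting it; reflash the firmware"
    return "removed and not re-created: no firmware-level persistence observed in this window"


def check_folder(folder: Path, wait_seconds: float = 5.0) -> str:
    """Delete indicator files in folder, wait, and report whether they came back."""
    found = find_indicators(snapshot(folder))
    for name in found:
        (folder / name).unlink()  # the operator's ordinary removal step
    time.sleep(wait_seconds)
    return verdict(set(found), snapshot(folder))


if __name__ == "__main__":
    import tempfile
    import threading

    # Constructed demo: a temporary folder plays the Startup folder and a thread
    # plays the flash-resident module that puts the dropper back after deletion.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "IntelUpdate.exe").write_bytes(b"constructed placeholder, not a real binary")

        def rewriter() -> None:
            time.sleep(0.5)
            (folder / "IntelUpdate.exe").write_bytes(b"constructed placeholder, rewritten")

        threading.Thread(target=rewriter, daemon=True).start()
        print("demo:", check_folder(folder, wait_seconds=1.0))

    # On a real Windows machine, only report what is present; deletion is the operator's call.
    for real in startup_folders():
        print(real, "->", find_indicators(snapshot(real)) or "clean")
```

A file that comes back with no visible Windows process writing it tells you that deleting it, or even reinstalling Windows, is treating the symptom; as the article goes on to say, the fix is at the firmware level. Matching on a file name alone is a weak indicator, so treat a hit as a reason to look further (hashes, signatures, the firmware image itself) rather than as proof.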
Worse still, the company says it is not clear how this virus was spread: the evidence points almost inevitably to a pen drive plugged in via USB, with the infection spreading outward from that first case.
However, the cybersecurity community warns that this virus is not widespread: they point out that Kaspersky’s discovery is worrisome because of the design of this malware, but that it is not yet something that has been massively distributed.
What is BIOS / UEFI and how to remove MosaicRegressor
The “socket” where the microprocessor sits: the different parts of the motherboard. Photo: Shutterstock.
BIOS stands for Basic Input / Output System and, as its English name says, it is a standard program that every computer ships with. That is where the “firmware” is installed, which handles all the first commands the machine runs when we press the power button.
Today it is called “UEFI”, Unified Extensible Firmware Interface, a more modern replacement for the traditional BIOS, which generally had a more rudimentary look. UEFI works in a more user-friendly environment and even allows the use of a mouse.
The key is that the UEFI / BIOS “lives” on a chip on the motherboard: that is why it does not disappear when you reinstall Windows, and not even when you change the hard drive.
Now, how do you get it out? There has to be a way other than “throwing away” our motherboard.
“Given the relative insularity of UEFI, even if this malicious file is detected, it is almost impossible to remove. Neither removing it nor reinstalling the operating system helps. The only way to fix the problem is reinstalling the motherboard’s firmware,” explains the cybersecurity company.
This means that if we have this virus installed, we have to reset the BIOS of the motherboard, a process that is not complex but requires downloading the drivers for our motherboard in order to “boot” from scratch, along with certain safety measures to make sure we do not damage our hardware.
With information from Kaspersky, PC Gamer and Bleeping Computer