{
	"id": "3c406d06-1a6b-4361-bf53-f5acec5b90d6",
	"created_at": "2026-04-06T01:32:39.913295Z",
	"updated_at": "2026-04-10T03:20:56.650516Z",
	"deleted_at": null,
	"sha1_hash": "d1176f26a9b6dbd47f2ec3566bb6b70082b92865",
	"title": "Mebromi BIOS rootkit affecting Award BIOS (aka \"BMW\" virus)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97907,
	"plain_text": "Mebromi BIOS rootkit affecting Award BIOS (aka \"BMW\" virus)\r\nArchived: 2026-04-06 00:52:45 UTC\r\nOn September 13, 2011, Marco Giuliani from Webroot posted a detailed\r\nanalysis of Mebromi, a BIOS rootkit affecting Chinese computers with AWARD BIOS, which was earlier\r\ndiscovered by Qihoo 360. As noted by cfans from bbs.kafan.cn and kerne1_madman from\r\nhi.baidu.com/kerne1_madman, the infection starts with a binary with MD5\r\n1AA4C64363B68622C9426CE96C4186F2 that downloads the actual dropper, MD5\r\nBB5511A6586BA04335712E6C65E83671. While looking for the samples, I found one domain referenced on\r\nCleanMX on 2011-08-31 that was used for distribution of the downloader, with a binary called qvodffs.exe\r\n(MD5 1AA4C64363B68622C9426CE96C4186F2, hxxp://av.88ss.info/qvodffs.exe). In other cases it was called\r\n123.exe (noted by Prevx, seen on Aug 29, 2011).\r\nExploit information and analysis links\r\n360 releases technical analysis report on the “BMW virus” - 360.cn\r\nhttp://bbs.kafan.cn\r\n“BMW”, I finally caught you! http://hi.baidu.com/kerne1_madman\r\nMebromi: the first BIOS rootkit in the wild - Webroot.com\r\nMalware burrows deep into computer BIOS to escape AV http://www.theregister.co.uk\r\nBIOS Threat is Showing up Again! 
Symantec.com\r\nhttp://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697\r\n http://www.threatexpert.com/report.aspx?md5=1aa4c64363b68622c9426ce96c4186f2\r\n   General File Information\r\nDownloader: 123.exe\r\nMD5:  1AA4C64363B68622C9426CE96C4186F2\r\nFile Type: exe\r\nInfection Vector: Malicious link\r\nhttp://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html\r\nPage 1 of 4\n\nDropper: b.exe\r\nMD5:  BB5511A6586BA04335712E6C65E83671\r\nFile Type: exe\r\nInfection Vector: downloaded  by other malicious binaries\r\nDownload\r\nAutomated Scans\r\n123\r\nSubmission date:\r\n2011-09-18 11:41:03 (UTC)\r\nResult:\r\n38 /44 (86.4%)\r\nhttp://www.virustotal.com/file-scan/report.html?\r\nid=7936deb5e6a236e8dce91352d0617e3db3bbe0fbaeba5fb08bbeac7590338c4d-1316346063\r\nAntivirus     Version     Last Update     Result\r\nAhnLab-V3     2011.09.17.00     2011.09.17     Dropper/Rootkit.89600\r\nAntiVir     7.11.14.223     2011.09.16     EXP/Shellcode.bak.2\r\nAntiy-AVL     2.0.3.7     2011.09.18     Backdoor/Win32.Agent.gen\r\nAvast5     5.0.677.0     2011.09.18     Win32:Qmgr-C [Trj]\r\nAVG     10.0.0.1190     2011.09.18     Small.CSX\r\nBitDefender     7.2     2011.09.18     Trojan.Generic.KDV.360525\r\nCAT-QuickHeal     11.00     2011.09.18     Backdoor.Agent.bote\r\nClamAV     0.97.0.0     2011.09.18     Trojan.Agent-124036\r\nCommtouch     5.3.2.6     2011.09.17     W32/Agent.JH.gen!Eldorado\r\nComodo     10156     2011.09.18     TrojWare.Win32.Trojan.Agent.Gen\r\nDrWeb     5.0.2.03300     2011.09.18     BackDoor.Siggen.34341\r\nEmsisoft     5.1.0.11     2011.09.18     Trojan-Dropper.Agent!IK\r\neSafe     7.0.17.0     2011.09.15     Win32.Agent\r\neTrust-Vet     36.1.8566     2011.09.17     Win32/Agent.BIU\r\nF-Prot     4.6.2.117     2011.09.17     W32/Agent.JH.gen!Eldorado\r\nF-Secure     9.0.16440.0     2011.09.18     Backdoor:W32/Agent.DQJS\r\nFortinet     4.3.370.0     2011.09.18     W32/Agent.BOTE!tr.bdr\r\nGData     22     
2011.09.18     Trojan.Generic.KDV.360525\r\nIkarus     T3.1.1.107.0     2011.09.18     Trojan-Dropper.Agent\r\nJiangmin     13.0.900     2011.09.17     Backdoor/Agent.dfpb\r\nK7AntiVirus     9.113.5150     2011.09.17     Riskware\r\nKaspersky     9.0.0.837     2011.09.18     Backdoor.Win32.Agent.bote\r\nMcAfee     5.400.0.1158     2011.09.18     Artemis!1AA4C64363B6\r\nMcAfee-GW-Edition     2010.1D     2011.09.17     Artemis!1AA4C64363B6\r\nMicrosoft     1.7604     2011.09.18     Exploit:Win32/ShellCode.gen!B\r\nNOD32     6472     2011.09.18     Win32/Wapomi.AO\r\nNorman     6.07.11     2011.09.17     W32/Suspicious_Gen2.PORRF\r\nnProtect     2011-09-18.01     2011.09.18     Backdoor/W32.Agent.89600.AA\r\nPanda     10.0.3.5     2011.09.18     Trj/CI.A\r\nPCTools     8.0.0.5     2011.09.18     Malware.Wapomi\r\nPrevx     3.0     2011.09.18     High Risk Cloaked Malware\r\nRising     23.75.04.02     2011.09.16     Trojan.Win32.Generic.128D4656\r\nSymantec     20111.2.0.82     2011.09.18     W32.Wapomi!gen1\r\nTheHacker     6.7.0.1.298     2011.09.17     Backdoor/Agent.bote\r\nVBA32     3.12.16.4     2011.09.16     Backdoor.Agent.bote\r\nVIPRE     10510     2011.09.18     Trojan.Win32.Generic!BT\r\nViRobot     2011.9.17.4674     2011.09.18     Backdoor.Win32.S.Agent.89600.I\r\nMD5   : 1aa4c64363b68622c9426ce96c4186f2\r\nsmona131633734653699080937\r\n2011-09-18 09:21:19 (UTC)\r\nResult:38 /44 (86.4%)\r\nhttp://www.virustotal.com/file-scan/report.html?\r\nid=8802ad7f2d267b754afef8fd81fe8e5f0ecc13e7f69b82e89e980922d94291ba-1316337679\r\nAhnLab-V3     2011.09.17.00     2011.09.17     Win-Trojan/Mybios.130048\r\nAntiVir     7.11.14.223     2011.09.16     TR/Dropper.Gen\r\nAntiy-AVL     2.0.3.7     2011.09.18     Trojan/Win32.Mybios.gen\r\nAvast5     5.0.677.0     2011.09.17     Win32:SuspBehav-C [Heur]\r\nAVG     10.0.0.1190     2011.09.17     
Dropper.Generic4.SZO\r\nBitDefender     7.2     2011.09.18     Trojan.Generic.KDV.328903\r\nByteHero     1.0.0.1     2011.09.13     Trojan.Win32.Heur.Gen\r\nCAT-QuickHeal     11.00     2011.09.16     Rootkit.Mybios.a\r\nClamAV     0.97.0.0     2011.09.18     Trojan.MyBios\r\nComodo     10153     2011.09.18     Heur.Suspicious\r\nDrWeb     5.0.2.03300     2011.09.18     Trojan.Bioskit.1\r\nEmsisoft     5.1.0.11     2011.09.18     Rootkit.Win32.Mybios!IK\r\neSafe     7.0.17.0     2011.09.15     Win32.TRDropper\r\neTrust-Vet     36.1.8566     2011.09.17     Win32/Rootkit.KM\r\nF-Prot     4.6.2.117     2011.09.17     -\r\nF-Secure     9.0.16440.0     2011.09.18     Trojan:W32/MyBios.A\r\nFortinet     4.3.370.0     2011.09.18     W32/Mybios.A!tr.rkit\r\nGData     22     2011.09.18     Trojan.Generic.KDV.328903\r\nIkarus     T3.1.1.107.0     2011.09.18     Rootkit.Win32.Mybios\r\nJiangmin     13.0.900     2011.09.17     Rootkit.Mybios.b\r\nK7AntiVirus     9.113.5150     2011.09.17     Trojan\r\nKaspersky     9.0.0.837     2011.09.18     Rootkit.Win32.Mybios.a\r\nMcAfee     5.400.0.1158     2011.09.18     Boiskit.a\r\nMcAfee-GW-Edition     2010.1D     2011.09.17     Heuristic.LooksLike.Heuristic.BehavesLike.Win32.Trojan.B\r\nMicrosoft     1.7604     2011.09.18     TrojanDropper:Win32/Wador.A\r\nNOD32     6472     2011.09.18     Win32/TrojanDropper.RootDrop.AB\r\nNorman     6.07.11     2011.09.17     W32/Mebromi.A\r\nnProtect     2011-09-18.01     2011.09.18     Trojan/W32.Agent.130048.IS\r\nPanda     10.0.3.5     2011.09.18     Trj/CI.A\r\nPCTools     8.0.0.5     2011.09.18     Trojan.Mebromi\r\nRising     23.75.04.02     2011.09.16     Trojan.Win32.Generic.1294136C\r\nSymantec     20111.2.0.82     2011.09.18     Trojan.Mebromi\r\nTheHacker     6.7.0.1.298     2011.09.17     Trojan/Mybios.a\r\nTrendMicro     9.500.0.1008     2011.09.18     
TROJ_MYBIOS.AB\r\nTrendMicro-HouseCall     9.500.0.1008     2011.09.18     TROJ_MYBIOS.AB\r\nVBA32     3.12.16.4     2011.09.16     Rootkit.Mybios.a\r\nViRobot     2011.9.17.4674     2011.09.18     Spyware.Mybios.RootKit.130048\r\nVirusBuster     14.0.218.0     2011.09.17     Trojan.DR.RootDrop!QdYd6vAKrQU\r\nMD5   : bb5511a6586ba04335712e6c65e83671\r\nSource: http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html"
	],
	"report_names": [
		"mebromi-bios-rootkit-affecting-award.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439159,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1176f26a9b6dbd47f2ec3566bb6b70082b92865.pdf",
		"text": "https://archive.orkl.eu/d1176f26a9b6dbd47f2ec3566bb6b70082b92865.txt",
		"img": "https://archive.orkl.eu/d1176f26a9b6dbd47f2ec3566bb6b70082b92865.jpg"
	}
}