#93 Virus Disguised as Driver

New
nobody
None
Medium
DP_zSDI_16095.7z
Defect
2016-11-10
2016-10-21
Kal Parker
No

This driver spelled Pci Bus, leads your computer to boot loop in the Windows Repair. You can not recover from it and either have to restore if you made a restore prior to installing this or wipe your computer. This is a virus, and it has been in the SDI for over two weeks. I have posed couple times no one has removed it.
; Copyright (c) Microsoft Corporation. All rights reserved.

[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}
Provider=%MSFT%
PnpLockdown=1
DriverVer=06/21/2006,10.0.14951.1000

[SourceDisksNames]
3426=windows cd

[SourceDisksFiles]
pci.sys = 3426

[DestinationDirs]
DefaultDestDir = 12 ; DIRID_DRIVERS

[ControlFlags]
BasicDriverOk=
ExcludeFromSelect=

[Manufacturer]
%GENDEV_MFG%=GENDEV_SYS,NTamd64

[GENDEV_SYS.NTamd64]
%PNP0A03.DeviceDesc% = PCI_ROOT, PNP0A03 ; ROOT PCI BUS
%PNP0A08.DeviceDesc% = PCI_ROOT, PNP0A08 ; PCI Express Root Complex
%PCI\CC_0604.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604 ; PCI-PCI BRIDGE
%PCI\CC_0604&DT_4.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604&DT_4 ; PCI Express Root Port
%PCI\CC_0604&DT_5.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604&DT_5 ; PCI Express Upstream Switch Port
%PCI\CC_0604&DT_6.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604&DT_6 ; PCI Express Downstream Switch Port
%PCI\CC_0604&DT_7.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604&DT_7 ; PCI Express to PCI(-X) Bridge
%PCI\CC_0604&DT_8.DeviceDesc% = PCI_BRIDGE, PCI\CC_0604&DT_8 ; PCI(-X) to PCI Express Bridge

;**********
; PCI settings used externally by PCI device INFs via Include/Needs.
; See below for more information on usage.
;
%PCI.SettingDesc% = PciIoSpaceNotRequired
%PCI.SettingDesc% = PciSriovSupported
%PCI.SettingDesc% = PciAcsNotRequired
%PCI.SettingDesc% = PciASPMOptIn
%PCI.SettingDesc% = PciASPMOptOut
%PCI.SettingDesc% = PciD3ColdSupported
%PCI.SettingDesc% = PciDoNotUseAcs
%PCI.SettingDesc% = PciEnableAllBridgeInterrupts
%PCI.SettingDesc% = PciAtomicsOptIn
%PCI.SettingDesc% = PciExtraSettleTimeRequired
%PCI.SettingDesc% = PciIgnoreErrorsDuringPLDR

;**********
; Generic PCI Root Bus/PCI-PCI Bridge
[PCI_ROOT]
CopyFiles=PCI_COPYFILES
AddReg = PCI_ROOT_REG

[PCI_COPYFILES]
pci.sys,,,0x100 ;COPYFLG_PROTECTED_WINDOWS_DRIVER_FILE

[PCI_ROOT.Services]
AddService = pci, %SPSVCINST_ASSOCSERVICE%, pci_ServiceInstallSection

[PCI_ROOT.HW]
AddReg = PCI_BRIDGE_HW.AddReg

[PCI_ROOT_REG]
HKR,,ResourcePickerExceptions,0,"IO:HAL,MBRES;MEM:HAL,MBRES"
HKR,,ResourcePickerTags,0,"MBRES"

[PCI_BRIDGE]
CopyFiles=PCI_COPYFILES

[PCI_BRIDGE.Services]
AddService = pci, %SPSVCINST_ASSOCSERVICE%, pci_ServiceInstallSection

[pci_ServiceInstallSection]
DisplayName = %pci_svcdesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_BOOT_START%
ErrorControl = %SERVICE_ERROR_CRITICAL%
ServiceBinary = %12%\pci.sys
LoadOrderGroup = "Boot Bus Extender"
AddReg = pci_ServiceInstallSection_AddReg

[pci_ServiceInstallSection_AddReg]
HKR,,Tag,0x00010001,3

[PCI_BRIDGE.HW]
AddReg = PCI_BRIDGE_HW.AddReg

[PCI_BRIDGE_HW.AddReg]
HKR,,UINumberDescFormat,,%PCISlot%

;**************
; Section for device INFs to include in their DDInstall section, for features
; that are not detectable by just looking at the device hardware.
;
; Example INF usage for PCI-based device:
;
; [PciDevice_Install]
; ...
;
; [PciDevice_Install.HW]
; Include = pci.inf
; Needs = PciIoSpaceNotRequired.HW, PciSriovSupported.HW
; ...
;
; Sections duplicated in machine.inf to maintain compatability with legacy INFs.
;

; IO space not required.
[PciIoSpaceNotRequired]
Needs=PciIoSpaceNotRequired.HW

[PciIoSpaceNotRequired.HW]
AddReg=PciIoSpaceNotRequired.RegHW

[PciIoSpaceNotRequired.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,IoNotRequired,0x10001,1

; SRIOV supported.
[PciSriovSupported]
Needs=PciSriovSupported.HW

[PciSriovSupported.HW]
AddReg=PciSriovSupported.RegHW

[PciSriovSupported.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,SriovSupported,0x10001,1

; ACS not required.
[PciAcsNotRequired]
Needs=PciAcsNotRequired.HW

[PciAcsNotRequired.HW]
AddReg=PciAcsNotRequired.RegHW

[PciAcsNotRequired.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,AcsNotRequired,0x10001,1

; Opt-in to ASPM.
[PciASPMOptIn]
Needs=PciASPMOptIn.HW

[PciASPMOptIn.HW]
AddReg=PciASPMOptIn.RegHW

[PciASPMOptIn.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,ASPMOptIn,0x10001,1

; Opt-out of ASPM.
[PciASPMOptOut]
Needs=PciASPMOptOut.HW

[PciASPMOptOut.HW]
AddReg=PciASPMOptOut.RegHW

[PciASPMOptOut.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,ASPMOptOut,0x10001,1

; D3 cold supported.
[PciD3ColdSupported]
Needs=PciD3ColdSupported.HW

[PciD3ColdSupported.HW]
AddReg=PciD3ColdSupported.RegHW

[PciD3ColdSupported.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,D3ColdSupported,0x10001,1

; Prevents Windows from enabling ACS on the Bridge. Will also prevent
; any feature that requires ACS.
[PciDoNotUseAcs]
Needs=PciDoNotUseAcs.HW

[PciDoNotUseAcs.HW]
AddReg=PciDoNotUseAcs.RegHW

[PciDoNotUseAcs.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,DoNotUseAcs,0x10001,1

; Normally Windows will filter out bridge interrupts that it does not use.
; Set this flag to disable bridge interrupt filtering.
[PciEnableAllBridgeInterrupts]
Needs=PciEnableAllBridgeInterrupts.HW

[PciEnableAllBridgeInterrupts.HW]
AddReg= PciEnableAllBridgeInterrupts.RegHW

[PciEnableAllBridgeInterrupts.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7, EnableAllBridgeInterrupts,0x10001,1

; Opt-in to Atomics.
[PciAtomicsOptIn]
Needs=PciAtomicsOptIn.HW

[PciAtomicsOptIn.HW]
AddReg=PciAtomicsOptIn.RegHW

[PciAtomicsOptIn.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7,AtomicsOptIn,0x10001,1

; Set this flag if a device requires extra
; settle time after D3Cold transitions.
[PciExtraSettleTimeRequired]
Needs=PciExtraSettleTimeRequired.HW

[PciExtraSettleTimeRequired.HW]
AddReg=PciExtraSettleTimeRequired.RegHW

[PciExtraSettleTimeRequired.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7, SettleTimeRequired,0x10001,1

; Set this flag if a device generates
; errors that should be ignored during
; PLDR.
[PciIgnoreErrorsDuringPLDR]
Needs=PciIgnoreErrorsDuringPLDR.HW

[PciIgnoreErrorsDuringPLDR.HW]
AddReg=PciIgnoreErrorsDuringPLDR.RegHW

[PciIgnoreErrorsDuringPLDR.RegHW]
HKR,e5b3b5ac-9725-4f78-963f-03dfb1d828c7, IgnoreErrorsDuringPLDR,0x10001,1

[Strings]
; localizable
MSFT = "Microsoft"

;*******
;device descriptions

GENDEV_MFG = "(Standard system devices)"
pnp0a03.DeviceDesc = "PCI Bus"
pnp0a08.DeviceDesc = "PCI Express Root Complex"
PCI\CC_0604.DeviceDesc = "PCI-to-PCI Bridge"
PCI\CC_0604&DT_4.DeviceDesc = "PCI Express Root Port"
PCI\CC_0604&DT_5.DeviceDesc = "PCI Express Upstream Switch Port"
PCI\CC_0604&DT_6.DeviceDesc = "PCI Express Downstream Switch Port"
PCI\CC_0604&DT_7.DeviceDesc = "PCI Express to PCI/PCI-X Bridge"
PCI\CC_0604&DT_8.DeviceDesc = "PCI/PCI-X to PCI Express Bridge"

;*******
;setting descriptions
PCI.SettingDesc = "PCI Device Setting"

;*******
PCISlot = "PCI Slot %1!u!"

;*******
;service descriptions
pci_svcdesc = "PCI Bus Driver"

;*******
;Non-localizable
SPSVCINST_ASSOCSERVICE = 0x00000002
SERVICE_KERNEL_DRIVER = 1
SERVICE_BOOT_START = 0
SERVICE_DEMAND_START = 3
SERVICE_ERROR_NORMAL = 1
SERVICE_ERROR_CRITICAL = 3
REG_EXPAND_SZ = 0x00020000
REG_DWORD = 0x00010001

1 Attachments

Discussion

  • Edward Sanford Sutton, III

    Does this still occur for you with the newest package (=16104)? It stopped appearing on my Intel machine since having gathered updates the other day and I didn't think I had applied it.
    I still take the stand that a driver that causes unstoppable reboots, though 'likely' not a virus, is still a very serious issue that should get attentionto have it corrected, specially detected/treated for install, or removed/banned from the driver packages. Intel usb3 drivers, and I think a few network drivers from realtek or someone, have special manual handling in SDI as the manufacturer labeled compatibility within the drivers permits it to want to attach to incompatible hardware and cause bluescreens.
    A better classification of 'virus' would be something likely to be detected by antivirus software; virustotal allows uploading files to check against many antivirus products simultaneously. When dealing with virus checks, its all an error-prone game of cat and mouse where virus writers try to tweak their code, compress, and/or encrypt until they get past desired scans and antivirus companies try to find the virus while not seeing legit files as bad and not putting too much load on the system. Antivirus software usually comes back pretty easily from scanning all driver packages while malware scanners usually mess up in the false positive on both drivers and various programs I use.

     
  • Joodleberry

    Joodleberry - 2016-11-10

    In what way do you think this is a virus?

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks