E2) Can a virus hide in a PC's CMOS memory?
No. The CMOS RAM in which PC system information is stored and backed up
by batteries is accessible through the I/O ports and not directly
addressable. That is, in order to read its contents you have to use I/O
instructions rather than standard memory addressing techniques.
Therefore, anything stored in CMOS is not directly "in memory". Nothing
in a normal machine loads the data from CMOS and executes it, so a virus
that "hid" in CMOS RAM would still have to infect an executable object
of some kind in order to load and execute whatever had been written to
CMOS. A malicious virus can of course *alter* values in the CMOS as
part of its payload, but it can't spread through, or hide itself in, the

Further, most PCs have only 64 bytes of CMOS RAM and the use of the
first 48 bytes of this is predetermined by the IBM AT specification.
Several BIOSes also use many of the "extra" bytes of CMOS to hold their
own, machine-specific settings. This means that anything that a virus
stores in CMOS can't be very large. A virus could use some of the
"surplus" CMOS RAM to hide a small part of its body (e.g. its payload,
counters, etc). Any executable code stored there, however, must first
be extracted to ordinary memory in order to be executed.

This issue should not be confused with whether a virus can *modify* the
contents of a PC's CMOS RAM. Of course viruses can, as this memory is
not specially protected (on normal PCs), so any program that knows how
to change CMOS contents can do so. Some viruses do fiddle with the
contents of CMOS RAM (mostly with ill intent) and these have often been
incorrectly reported as "infecting CMOS" or "hiding in CMOS". An
example is the PC boot sector virus EXE_Bug, which changes CMOS settings
to indicate that no floppy drives are present
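
The following is an added example, not part of the original FAQ: a defender-side check that compares a saved 64-byte CMOS image with a current one and verifies the AT checksum, to spot the kind of settings change described above. It assumes the common AT layout (drive types at 0x10, checksum over 0x10..0x2D stored at 0x2E..0x2F); the function names and both sample images are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMOS_SIZE   64   /* bytes of CMOS RAM, as stated in the FAQ */
#define CMOS_FLOPPY 0x10 /* drive types: high nibble A:, low nibble B: */
#define SUM_HI      0x2E /* stored checksum, high byte first */
#define SUM_LO      0x2F
/* 16-bit sum of the checksummed configuration bytes 0x10..0x2D. */
uint16_t cmos_sum(const uint8_t *c) {
    uint16_t s = 0;
    for (int i = 0x10; i <= 0x2D; i++) s = (uint16_t)(s + c[i]);
    return s;
}
/* 1 if the stored checksum matches the computed one. */
int cmos_sum_ok(const uint8_t *c) {
    return cmos_sum(c) == (uint16_t)((c[SUM_HI] << 8) | c[SUM_LO]);
}
/* Count bytes in 0x10..0x3F that differ from the baseline; 0x00..0x0F are
   clock and status registers that change on their own, so they are skipped. */
int cmos_changed(const uint8_t *base, const uint8_t *now) {
    int n = 0;
    for (int i = 0x10; i < CMOS_SIZE; i++) n += base[i] != now[i];
    return n;
}
/* 1 if the baseline listed a floppy drive and the current image lists none. */
int floppy_disabled(const uint8_t *base, const uint8_t *now) {
    return base[CMOS_FLOPPY] != 0 && now[CMOS_FLOPPY] == 0;
}
static void store_sum(uint8_t *c) {
    uint16_t s = cmos_sum(c);
    c[SUM_HI] = (uint8_t)(s >> 8); c[SUM_LO] = (uint8_t)(s & 0xFF);
}
/* Constructed samples: baseline with a 1.44 MB drive A: and 640 KB base memory;
   "now" has the drive-type byte zeroed and a checksum that is still consistent. */
void make_samples(uint8_t *base, uint8_t *now) {
    memset(base, 0, CMOS_SIZE);
    base[CMOS_FLOPPY] = 0x40; base[0x15] = 0x80; base[0x16] = 0x02;
    store_sum(base);
    memcpy(now, base, CMOS_SIZE);
    now[CMOS_FLOPPY] = 0x00; store_sum(now);
}
int main(void) {
    uint8_t base[CMOS_SIZE], now[CMOS_SIZE];
    make_samples(base, now);
    printf("checksum ok=%d changed=%d floppy disabled=%d\n",
           cmos_sum_ok(now), cmos_changed(base, now), floppy_disabled(base, now));
    return 0;
}
```

The altered image still passes the checksum test, so a valid checksum alone does not show that the settings are unchanged; the comparison against a saved baseline does.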