virus from ram?

I didn't think it was possible for computer ram to retain programming after the power was removed. I bought a stick of ram off Ebay to put in the OPNSense firewall box I built earlier this year. The firewall has been running great for a few months now. The ram was one 4 GB stick of Nanya DDR3. The computer already had two sticks of 2 GB Nanya.
When I powered up, it hung. Forced it off and connected a monitor and keyboard. Powered up and it's acting strange, very slow to post and when it gets to the OPNSense boot screen it freezes.
I thought it was bad/incompatible ram and pulled the "new" stick out. Powered up again and I see this:


[Image: china.jpg]

Here's the Google translation:

[Image: china2.jpg]



This screen would come up at every boot, before the hard drive began to boot. As if I were flashing the Bios. But the new ram was no longer in the computer. I removed the CMOS battery and unplugged the power cord for a few minutes. When I powered up after that, the computer booted normally.

So, what's going on here?
 
run antivirus?

see if the stick has any extra chips on there that could be rom, flash or fram that does not erase when power is removed. in addition it is DRAM so it needs to be refreshed every so often or it gets deleted.

you're correct that when the ram is removed from power it gets cleared.

of course it could just be a coincidence, i don't imagine a virus would run for months before starting.

have you decoded the chinese to see what it is asking? might be a real message and you just got excited.
 
I don't know if you can run an antivirus on BSD. I'll have to search that out.
The second picture in the first post is the translation. The ram looks normal, as far as I can see.
 
Partially bad stick of RAM. Caused Chinese to be the display language, and some unusual boot sequence.
(Google Translate is great for that.)
 
I also vote bad ram. Never heard of it corrupting bios, but I guess whatever it does with "reserved ram" it now seems possible based solely on your experience.
 
RAM can hold data between power cycles for no more than maybe 1 ms. That's some old stuff you have on your drive / OS unrelated to RAM.

NANYA is a Taiwanese FAB, they are legit.
 
I just googled it, it seems like this is some sort of Chinese cloning / imaging software that is used to clone / image drives.

Where did you get this computer from? Did you boot into a different partition / boot loader / etc either with a new bios / UEFI setting or stuff like that? This is probably on your system since you bought it (grey market refurb from China?) and your new RAM isn't installed right or is defective, so it is not booting well and is trying to fall back to something?
 
> I just googled it, it seems like this is some sort of Chinese cloning / imaging software that is used to clone / image drives.
>
> Where did you get this computer from? Did you boot into a different partition / boot loader / etc either with a new bios / UEFI setting or stuff like that? This is probably on your system since you bought it (grey market refurb from China?) and your new RAM isn't installed right or is defective, so it is not booting well and is trying to fall back to something?

The computer came from Goodwill. It is a Dell Optiplex 790, small form factor. I flashed the bios with the latest version from the Dell website before I did anything with the computer. I also removed the spinning disk hard drive and installed an SSD drive that I bought several years ago. I don't remember where I bought the SSD but it was new. The SSD was formatted and opnsense installed.
 
I installed the Ebay ram in the computer I am typing this on, a Dell XPS 8700. Nothing unusual on boot up.
 
You did say firewall box. Is there any chance it was compromised BEFORE you took the outage to add the additional RAM?
I suspect either a coincidence and/or the RAM was mis-seated and caused your BIOS values to corrupt or change the BIOS values.

In hindsight, maybe a sanity power-cycle before you make changes to see if the system is good before making changes. I.E. power it down and back on to make sure it POSTs/Boots before making any changes. That way you know you are starting in a good state and the last change changed more than expected.
 
OP, your problem could be that you're using both 2GB and a 4GB RAM stix. I'm not sure if computers like that. I think all stix have to have the same capacity.
 
> You did say firewall box. Is there any chance it was compromised BEFORE you took the outage to add the additional RAM?
> I suspect either a coincidence and/or the RAM was mis-seated and caused your BIOS values to corrupt or change the BIOS values.
>
> In hindsight, maybe a sanity power-cycle before you make changes to see if the system is good before making changes. I.E. power it down and back on to make sure it POSTs/Boots before making any changes. That way you know you are starting in a good state and the last change changed more than expected.

It would have been a good idea (as you said) to shut the computer down and connect a monitor and keyboard.

I believe what happened was, when it booted up and detected the additional ram the computer saw the change and needed a confirmation. When it didn't initially get this confirmation (because I didn't connect a monitor/keyboard) it developed a problem and ran some type of setup program. I don't know why it was in Chinese.

Once the monitor/keyboard was connected I could enter the bios and confirm the ram was detected correctly. Exit bios, got a normal startup with the total ram displayed correctly in the operating system.
 
Glad you got it figured out. What are you using for a NIC ?

4gb probably would have been fine for your OPNSense install. I don't think I have ever seen mine reach that level of memory usage.
 
> It would have been a good idea (as you said) to shut the computer down and connect a monitor and keyboard.
>
> I believe what happened was, when it booted up and detected the additional ram the computer saw the change and needed a confirmation. When it didn't initially get this confirmation (because I didn't connect a monitor/keyboard) it developed a problem and ran some type of setup program. I don't know why it was in Chinese.
>
> Once the monitor/keyboard was connected I could enter the bios and confirm the ram was detected correctly. Exit bios, got a normal startup with the total ram displayed correctly in the operating system.

Maybe the original system was sold to China new, then after retirement from the fleet it was moved here and donated as a refurb. The refurb imaging software they use is this Chinese one that, if it finds a boot mismatch, prompts you to act, and if not it will boot into this imaging program.

> The computer came from Goodwill. It is a Dell Optiplex 790, small form factor. I flashed the bios with the latest version from the Dell website before I did anything with the computer. I also removed the spinning disk hard drive and installed an SSD drive that I bought several years ago. I don't remember where I bought the SSD but it was new. The SSD was formatted and opnsense installed.

When you "install" OPNSense how did you prepare the SSD? Did you partition it from blank or did you clone it from something / somewhere else that has this "Enhancer card v2.20 for Dell" included?
 
> When you "install" OPNSense how did you prepare the SSD? Did you partition it from blank or did you clone it from something / somewhere else that has this "Enhancer card v2.20 for Dell" included?

I went to opnsense.org/download and saved the installation file to a flash drive. Then booted the flash drive on the Optiplex. The hard drive was one I bought new several years ago. It was formatted zfs file system and the firewall then installed. The drive had a Linux install on it before the format, I think; it's been quite a while since I had used that drive.

> Glad you got it figured out. What are you using for a NIC ?
>
> 4gb probably would have been fine for your OPNSense install. I don't think I have ever seen mine reach that level of memory usage.

I bought an HP NIC card dual port with Intel chip. The optiplex had an onboard ethernet port also. So, I have WAN, LAN and IOT. IOT has four VLANs.
Yes, 4 GB was working fine. But I want to try the intrusion detection software, so I wanted to increase the ram for that.
 

I did some reading and found these links. What they said is basically, it is either HP / Dell's secondary ROM image from factory for enterprise management or some 3rd party enterprise management ROM. It is some sort of "optional ROM" installed and booted from to keep inventory controlled. The other link I saw is that it is some sort of an update deployment software that will do incremental updates instead of completely overwriting the machine on update, and thus reduce server and network workload.

There's probably a way to disable it, but not sure if you bought the computer with the key or not. The company who developed this back in the days already went out of business. If you go into Bios / UEFI there should be a way to disable this "optional rom" thing and just boot normally. It is not a virus, but it likely found that someone altered the config and warns you about it if it is locked (to prevent people from stealing stuff at work).

It is not a virus you got from a stick of ram. Your PC is definitely something that used to be an "office PC" in China.
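
The last post attributes the screen to an option ROM rather than to the RAM. As an added example (not part of the original thread), this sketch lists option ROM images in a firmware or ROM-region dump by their standard `55 AA` header and PCI Data Structure. The sample dump and its IDs are constructed, and the scan assumes images are stored uncompressed on 512-byte boundaries.

```python
import struct

PCIR_FMT = "<4sHHHHB3sHHBBH"   # PCI Data Structure, 24 bytes
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def scan_option_roms(blob, step=512):
    """Return one dict per candidate option ROM image found in blob."""
    found = []
    for off in range(0, len(blob) - 0x1A + 1, step):
        if blob[off:off + 2] != b"\x55\xaa":          # ROM signature
            continue
        # Legacy header: byte 2 is the image size in 512-byte blocks.
        rom = {"offset": off, "pci": False, "size": blob[off + 2] * 512}
        (ptr,) = struct.unpack_from("<H", blob, off + 0x18)
        p = off + ptr
        if ptr and p + 24 <= len(blob) and blob[p:p + 4] == b"PCIR":
            f = struct.unpack_from(PCIR_FMT, blob, p)
            rom.update(pci=True, vendor=f[1], device=f[2], size=f[7] * 512,
                       code_type=CODE_TYPES.get(f[9], "unknown"),
                       last_image=bool(f[10] & 0x80))
        found.append(rom)
    return found

def make_pci_rom(vendor, device, code_type=0, blocks=1):
    """Constructed sample image, not taken from any real device."""
    rom = bytearray(blocks * 512)
    rom[0:3] = bytes([0x55, 0xAA, blocks])
    struct.pack_into("<H", rom, 0x18, 0x1C)           # pointer to PCIR
    struct.pack_into(PCIR_FMT, rom, 0x1C, b"PCIR", vendor, device, 0, 24, 0,
                     b"\x00\x00\x02", blocks, 1, code_type, 0x80, 0)
    return bytes(rom)

# Constructed dump: padding, one PCI NIC-style ROM, one non-PCI ROM, padding.
SAMPLE_DUMP = (b"\xff" * 1024
               + make_pci_rom(0x8086, 0x1234)         # device ID is made up
               + bytes([0x55, 0xAA, 0x02]) + bytes(1021)
               + b"\xff" * 512)

if __name__ == "__main__":
    for rom in scan_option_roms(SAMPLE_DUMP):
        kind = "PCI" if rom["pci"] else "non-PCI (no PCIR structure)"
        print(f"0x{rom['offset']:06x} {rom['size']:6d} bytes  {kind}  {rom}")
```

An image with no PCIR structure, or with a vendor ID that matches none of the installed cards, is the one to look up before deciding whether to disable option ROM execution in setup.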
 