IBM Storwize for Lenovo initialization USB drives contain malware
Lenovo Security Advisory: LEN-14957
Potential Impact: Malware infection on system used to launch initialization tool
Severity: Medium
Summary Description:
Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems.
When the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system. The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.
The affected Initialization USB flash drive looks like the images below, and contains a folder called InitTool.
IBM and Lenovo have taken steps to prevent any additional USB flash drives being shipped with this issue.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo recommends customers destroy affected flash drives. The drives are only used for initial set up of the Storwize system, so if you have not yet configured Storwize, Lenovo recommends you contact Lenovo support for a replacement or follow the steps below to re-format the drive.
If you have used the initialization USB flash drive from one of the products listed above and have inserted it into a computer to initialize a Storwize system, Lenovo recommends you verify your antivirus software has already removed the infected file or alternatively remove the directory containing the identified malicious file in the manner described below.
Lenovo recommends ensuring your antivirus products are updated, configured to scan temporary directories, and that issues identified by the antivirus product are addressed.
To manually remove the malicious file, delete the temporary directory:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
In addition, for Windows systems, ensure the entire directory is deleted (not moved to the Recycle Bin folder). This can be accomplished by selecting the directory and Shift->Right-click->Delete the directory.
Further, for Initialization Tool USB flash drives, including those that have not yet been used for installation, Lenovo recommends taking one of the following steps:
- Securely destroy the USB flash drive so that it cannot be reused and contact Lenovo support to have a new USB drive shipped to you.
- Repair the USB flash drive so it can be reused:
  - Delete the folder called InitTool on the USB flash drive, which will delete the folder and all the files inside. If using a Windows machine, holding down Shift when deleting the folder will ensure that the files are permanently deleted rather than being copied to the Recycle Bin.
  - Download the Initialization tool package from Lenovo Support: https://datacentersupport.lenovo.com/
  - Unzip the package onto the USB flash drive.
  - Manually scan the USB flash drive with antivirus software.
Product Impact:
The Initialization Tool on the USB flash drive with the part number 01AC585 that shipped with the following System models may have an infected file:
- IBM Storwize for Lenovo V3500 - 6096 models 02A and 10A
- IBM Storwize for Lenovo V3700 - 6099 models 12C, 24C and 2DC
- IBM Storwize for Lenovo V5000 - 6194 models 12C and 24C
IBM Storwize for Lenovo Systems with serial numbers starting with the characters 78D2 are not affected.
Neither the IBM Storwize for Lenovo storage systems, nor data stored on these systems are infected by this malicious code.
Systems not listed above and USB flash drives used for Encryption Key management are not affected by this issue.
Other information and references:
The malicious file has an MD5 hash of 0178a69c43d4c57d401bf9596299ea57.
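A read-only check for the folders and hash this advisory names, added here as an example (it is not part of the original advisory or of any Lenovo or IBM tooling): it hashes every file under the temporary initTool folder and, if a drive path is given, the USB InitTool folder, and reports any file whose MD5 equals the published value. The function names and the optional drive-path argument are assumptions of this example.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# MD5 of the malicious file as published in this advisory.
MALICIOUS_MD5 = "0178a69c43d4c57d401bf9596299ea57"

def md5_of(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def candidate_dirs(usb_root=None):
    """Folders named in the advisory: the temp copy and, optionally, the USB folder."""
    if os.name == "nt":
        dirs = [Path(os.environ.get("TMP") or tempfile.gettempdir()) / "initTool"]
    else:
        dirs = [Path("/tmp/initTool")]
    if usb_root:  # assumption: caller passes the drive's mount point or letter
        dirs.append(Path(usb_root) / "InitTool")
    return dirs

def scan(directory, target_md5=MALICIOUS_MD5):
    """Return (matches, unreadable) over every regular file below directory."""
    matches, unreadable = [], []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = Path(root) / name
            if path.is_symlink():
                continue  # never hash a link target outside the tree
            try:
                if md5_of(path) == target_md5.lower():
                    matches.append(path)
            except OSError:
                unreadable.append(path)  # locked or permission-denied: report it
    return matches, unreadable

if __name__ == "__main__":
    for folder in candidate_dirs(sys.argv[1] if len(sys.argv) > 1 else None):
        if folder.is_dir():
            hits, skipped = scan(folder)
            print(f"{folder}: {len(hits)} match(es) {[str(p) for p in hits]}, {len(skipped)} unreadable")
        else:
            print(f"{folder}: not present")
```

The hash match covers only the one file identified here; it does not replace the antivirus scan or the directory removal described above.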
The malicious file is detected by the following antivirus vendors:
| Engine | Signature | Version | Update |
|---|---|---|---|
| AhnLab-V3 | Win32/Pondre | 3.8.3.16811 | 20170330 |
| ESET-NOD32 | Win32/TrojanDropper.Agent.PYF | 15180 | 20170331 |
| Kaspersky | Trojan.Win32.Reconyc.hvow | 15.0.1.13 | 20170331 |
| McAfee | PWSZbot-FIB!0178A69C43D4 | 6.0.6.653 | 20170331 |
| McAfee-GW-Edition | PWSZbot-FIB!0178A69C43D4 | v2015 | 20170331 |
| Microsoft | VirTool:Win32/Injector.EG | 1.1.13601.0 | 20170331 |
| Qihoo-360 | Virus.Win32.WdExt.A | 1.0.0.1120 | 20170331 |
| Symantec | W32.Faedevour!inf | 1.2.1.0 | 20170330 |
| Tencent | Trojan.Win32.Daws.a | 1.0.0.1 | 20170331 |
| TrendMicro | PE_WINDEX.A | 9.740.0.1012 | 20170331 |
| TrendMicro-HouseCall | PE_WINDEX.A | 9.900.0.1004 | 20170331 |
| ZoneAlarm | Trojan.Win32.Reconyc.hvow | 1 | 20170331 |
IBM Flash Notice to customers: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E
For a complete list of all Lenovo Product Security Advisories, click here.
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1 | 04/27/2017 | Initial Release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.