
IBM Shipped Trojanized USB Keys to Lenovo Storwize Customers

Initialization tool may contain malicious code.

IBM Corp. has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code.

Affected Products
The initialization tool on the USB flash drive with the part number 01AC585 that shipped with the following system models may have an infected file:

  • Storwize V3500 – 2071 models 02A and 10A
  • Storwize V3700 – 2072 models 12C, 24C and 2DC
  • Storwize V5000 – 2077 models 12C and 24C
  • Storwize V5000 – 2078 models 12C and 24C

Storwize systems with serial numbers starting with the characters 78D2 are not affected.

Neither the Storwize storage systems nor data stored on these systems are infected by this malicious code.

Systems not listed above and USB flash drives used for Encryption Key management are not affected by this issue.

Impact Potential
When the initialization tool is launched from the USB flash drive, the tool copies itself to a temporary folder on the HDD of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:

  • On Windows systems: %TMP%\initTool
  • On Linux and Mac systems: /tmp/initTool

While the malicious file is copied onto the desktop or laptop, the file is not executed during initialization.

The affected initialization USB flash drive looks like the images below, and contains a folder called InitTool.

IBM has taken steps to prevent any additional USB flash drives being shipped with this issue.

Client Actions
If you have used the initialization USB flash drive from one of the IBM products listed above and have inserted it into a desktop or laptop to initialize a Storwize system, IBM recommends you verify that your antivirus software has already removed the infected file or, alternatively, remove the directory containing the identified malicious file in the manner described below.

IBM recommends ensuring that your antivirus products are updated and configured to scan temporary directories, and that issues identified by the antivirus product are addressed.

To manually remove the malicious file, delete the temporary directory:

  • On Windows systems: %TMP%\initTool
  • On Linux and Mac systems: /tmp/initTool

In addition, for Windows systems, ensure the entire directory is deleted (not moved to the Recycle Bin folder). This can be accomplished by selecting the directory and using Shift->Right-click->Delete on the directory.

Further, for initialization tool USB flash drives, including those that have not yet been used for installation, IBM recommends taking one of the following steps:

  • Securely destroy the USB flash drive so that it cannot be reused.
  • Repair the USB flash drive so it can be reused:
      • Delete the folder called InitTool on the USB flash drive, which will delete the folder and all the files inside. If using a Windows machine, holding down Shift when deleting the folder will ensure that the files are permanently deleted rather than being copied to the Recycle Bin.
      • Download the initialization tool package from FixCentral.
      • Unzip the package onto the USB flash drive.
      • Manually scan the USB flash drive with antivirus software.

Further Information
The malicious file has an MD5 hash of 0178a69c43d4c57d401bf9596299ea57.
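The check described above can be scripted across Windows, Linux and Mac. The following is an added example, not IBM's tooling or part of the original advisory: it looks for the initTool temporary directory and for an InitTool folder on any USB mount points passed as arguments (an assumption of this example), and reports files whose MD5 matches the published hash. It only reports and deletes nothing.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# MD5 of the malicious file, as published in the advisory.
KNOWN_BAD_MD5 = "0178a69c43d4c57d401bf9596299ea57"


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def candidate_dirs(usb_roots=()):
    """Temp locations named in the advisory, plus InitTool on given USB mounts."""
    bases = [os.environ.get("TMP"), tempfile.gettempdir()]
    if os.name != "nt":
        bases.append("/tmp")  # advisory path; TMPDIR may point elsewhere (macOS)
    dirs = [Path(b) / "initTool" for b in bases if b]
    dirs += [Path(root) / "InitTool" for root in usb_roots]
    return list(dict.fromkeys(dirs))  # de-duplicate, keep order


def scan(directories, bad_md5=KNOWN_BAD_MD5):
    """Return (directories that exist, files matching bad_md5); read-only."""
    wanted = bad_md5.lower()
    present, matches = [], []
    for directory in directories:
        if not directory.is_dir():
            continue
        present.append(directory)
        for path in sorted(directory.rglob("*")):
            try:
                if path.is_file() and not path.is_symlink() and md5_of(path) == wanted:
                    matches.append(path)
            except OSError:
                continue  # unreadable file: leave it to the antivirus scan
    return present, matches


if __name__ == "__main__":
    found_dirs, found_files = scan(candidate_dirs(sys.argv[1:]))
    for d in found_dirs:
        print(f"directory named in advisory exists: {d}")
    for f in found_files:
        print(f"MD5 match for malicious file: {f}")
    sys.exit(1 if found_files else 0)
```

A directory that exists without a hash match still warrants the removal steps above, since antivirus software may already have quarantined the file.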

The malicious file is detected by the following antivirus vendors:
