Lenovo warns of IBM Storwize shipped with infected initialization USB drives

Pierluigi Paganini April 30, 2017

Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo contain a malicious file.

Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems contain a file that has been infected with malicious code.

The Initialization Tool on the USB flash drive having part number 01AC585 that shipped with the following System models may have the malicious file:

  • IBM Storwize for Lenovo V3500 –  6096 models 02A and 10A
  • IBM Storwize for Lenovo V3700 – 6099 models 12C, 24C and 2DC
  • IBM Storwize for Lenovo V5000 – 6194 models 12C and 24C

IBM Storwize for Lenovo Systems with serial numbers starting with the characters 78D2 are not impacted.

IBM Storwize for Lenovo initialization USB drives contain malware

The news was reported by Lenovo, the IBM Storwize systems are virtualizing RAID computer data storage systems manufactured by IBM.

According to Lenovo, the malicious file does not affect the integrity or performance of the storage systems.

Experts from Lenovo reported that when the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, it copies itself to a temporary folder on the hard drive of the desktop or laptop along with the malicious file.

The Initialization USB flash drive contains a folder called InitTool, the tool and the malware are copied to the following temporary folder:

  • On Windows systems: %TMP%\initTool
  • On Linux and Mac systems: /tmp/initTool

It is important to highlight that the malicious file isn’t executed in this phase.

“Important:  While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system.” states a security advisory published by Lenovo. “The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.”

IBM and Lenovo have adopted necessary measures to prevent any other problem in the supply chain and stopping the shipment of additional USB flash drives.

Lenovo suggests customers don’t use the affected flash drives instead they need to contact the company to receive support for the first configuration of the Storwize systems.

Customers that have already used the initialization USB flash drive from one of the affected products need to verify is their antivirus software has already detected and removed the malicious file.

To manually remove the malicious file, customers can delete the temporary directory:

  • On Windows systems: %TMP%\initTool
  • On Linux and Mac systems: /tmp/initTool

“In addition, for Windows systems, ensure the entire directory is deleted (not moved to the Recycle Bin folder).   This can be accomplished by selecting the directory and Shift->Right-click->Delete the directory.” suggests Lenovo.

Let me close sharing with you the MD5 hash of the malicious file.

 0178a69c43d4c57d401bf9596299ea57

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – IBM Storwize, malware)

[adrotate banner=”13″]



you might also like

leave a comment