Lenovo USB Sticks: Now With Added Malware

Lenovo has issued a security advisory notifying customers that the initialisation tool shipped on a USB stick for the Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM comes with a file that has been infected with malicious code.

The USB flash drive in question is designated as part number 01AC585. It shipped with the following systems:

  • IBM Storwize V3500 - 2071 models 02A and 10A
  • IBM Storwize V3700 - 2072 models 12C, 24C and 2DC
  • IBM Storwize V5000 - 2077 models 12C and 24C
  • IBM Storwize V5000 - 2078 models 12C and 24C

IBM Storwize Systems with serial numbers starting with the characters 78D2 are not affected.

Lenovo says the file in question is copied to a temporary folder on Windows, Mac and Linux systems but requires a user to execute the file for it to have any effect. The file is not used during the initialisation process for the affected products.

The file is copied to %TMP%\initTool on Windows systems and /tmp/initTool for Mac and Linux.

Removing the malware is a matter of deleting the affected folders.
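The check and clean-up described above can be scripted. The following is an added example, not code from Lenovo's advisory or from this article: it looks for the initTool folder in the locations named above, records a SHA-256 inventory of its contents for the incident record (an extra step the advisory text here does not ask for), and deletes the folder only when run with a `--remove` argument. The function names and the `--remove` argument are hypothetical.

```python
import hashlib
import os
import shutil
import sys
from pathlib import Path

FOLDER_NAME = "initTool"  # folder name given in the article

def candidate_dirs(env=os.environ, platform=sys.platform):
    """Paths the article names: %TMP%\\initTool on Windows, /tmp/initTool elsewhere."""
    if platform.startswith("win"):
        tmp = env.get("TMP")
        return [Path(tmp) / FOLDER_NAME] if tmp else []
    return [Path("/tmp") / FOLDER_NAME]

def inventory(folder):
    """(relative path, size, SHA-256) for each regular file; symlinked files are skipped."""
    rows = []
    for p in sorted(folder.rglob("*")):
        if p.is_file() and not p.is_symlink():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            rows.append((p.relative_to(folder).as_posix(), p.stat().st_size, digest))
    return rows

def check_and_remove(folder, remove=False):
    """Report whether the folder exists, list its files, and delete it if asked."""
    folder = Path(folder)
    result = {"path": str(folder), "found": False, "files": [], "removed": False}
    # A symlink named initTool is reported as not found rather than followed.
    if folder.is_symlink() or not folder.is_dir():
        return result
    result["found"] = True
    result["files"] = inventory(folder)  # hash first, so a record survives deletion
    if remove:
        shutil.rmtree(folder)
        result["removed"] = not folder.exists()
    return result

if __name__ == "__main__":
    do_remove = "--remove" in sys.argv[1:]
    for d in candidate_dirs():
        r = check_and_remove(d, remove=do_remove)
        print(f"{r['path']}: found={r['found']} removed={r['removed']}")
        for name, size, digest in r["files"]:
            print(f"  {digest}  {size:>10}  {name}")
```

On Windows, %TMP% is normally a per-user variable, so the check has to be run under each account that ran the initialisation tool.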


Comments

    Why the fuck do you have anything on your USB sticks ever? Sell them blank. I don't want your shitty software to auto start on them at all.

    Seems like at least once a year Lenovo are busted selling hardware with Malware straight from the factory.

    What the hell is going on in their factory????
