IBM has shipped usb flash drives infected with malware code.
The Initialization Tool on the USB flash drive with the partnumber 01AC585 that shipped with the following System models may have an infected file:
IBM Storwize V3500 - 2071 models 02A and 10A
IBM Storwize V3700 - 2072 models 12C, 24C and 2DC
IBM Storwize V5000 - 2077 models 12C and 24C
IBM Storwize V5000 - 2078 models 12C and 24C
IBM Storwize Systems with serial numbers starting with the characters 78D2 are not affected.
Neither the IBM Storwize storage systems nor data stored on these systems are infected by this malicious code.
Systems not listed above and USB flash drives used for Encryption Key management are not affected by this issue.
When the initialization tool is launched from the USB flash drive, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
Important: While the malicious file is copied onto the desktop or laptop, the file is not executed during initialization.
To manually remove the malicious file, delete the temporary directory:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
In addition for Windows systems, ensure the entire directory is deleted (not moved to the Recycle Bin folder). This can be accomplished by selecting the directory and Shift->Right-click->Delete the directory.
Further, for Initialization Tool USB flash drives, including those that have not yet been used for installation, IBM recommends taking one of the following steps:
- Securely destroy the USB flash drive so that it can not be reused.
- Repair the USB flash drive so it can be reused:
- Delete the folder called InitTool on the USB flash drive which will delete the folder and all the files inside.If using a Windows machine, holding down shift when deleting the folder will ensure that the files are permanently deleted rather than being copied to the recycle bin.
- Download the Initialization tool package from FixCentral https://www.ibm.com/support/fixcentral.
- Unzip the package onto the USB flash drive.
- Manually scan the USB flash drive with antivirus software.
Their complete statement is here.
As for their recommendations, I believe they should have inserted an "or" between numbers one and two above.
<Hack>Read> might have phrased it better:
"When it comes to dealing with the infected device, the vendor recommended that users should first update their antivirus and then try to use the USB drive. It is also recommended to not to use the drive again and to destroy it, in order to cease the infection via the USB sticks.
However, for those who do not wish to do so, IBM strongly recommends deletion of the malicious files and to complete reinstall the Storwize initialization package. After that, the users should scan the code with their updated antivirus and hopefully, that should be enough to deal with the malware that’s infecting the drive."
and using the specific removal instructions provided by IBM. The good news is that many antivirals discover it.
According to IBM:
The malicious file has a MD5 hash of 0178a69c43d4c57d401bf9596299ea57.
The malicious file is detected by the following antivirus vendors:
| Engine |
Signature |
Version |
Update |
| AhnLab-V3 |
Win32/Pondre |
3.8.3.16811 |
20170330 |
| ESET-NOD32 |
Win32/TrojanDropper.Agent.PYF |
15180 |
20170331 |
| Kaspersky |
Trojan.Win32.Reconyc.hvow |
15.0.1.13 |
20170331 |
| McAfee |
PWSZbot-FIB!0178A69C43D4 |
6.0.6.653 |
20170331 |
| McAfee-GW-Edition |
PWSZbot-FIB!0178A69C43D4 |
v2015 |
20170331 |
| Microsoft |
VirTool:Win32/Injector.EG |
1.1.13601.0 |
20170331 |
| Qihoo-360 |
Virus.Win32.WdExt.A |
1.0.0.1120 |
20170331 |
| Symantec |
W32.Faedevour!inf |
1.2.1.0 |
20170330 |
| Tencent |
Trojan.Win32.Daws.a |
1.0.0.1 |
20170331 |
| TrendMicro |
PE_WINDEX.A |
9.740.0.1012 |
20170331 |
| TrendMicro-HouseCall |
PE_WINDEX.A |
9.900.0.1004 |
20170331 |
| ZoneAlarm |
Trojan.Win32.Reconyc.hvow |
1 |
20170331 |
As to where this infection came from? According to <Hac>Read>, North Korea:
"Security company Trend Micro’s antivirus detected the malware as PE.WINDEX.A and claimed that it was served up by one of the North Korean websites. Other vendors have also been able to detect this malware, but they classified it as a Trojan that would attempt downloading other malware if executed." - <Hac>Read>
Sources:
https://www.hackread.com/ibm-sent-off-usb-sticks-infected-malware/
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E