IBM and Lenovo supplied USB sticks with malware to Storwize customers
IBM and Lenovo are warning customers that USB sticks containing malware have been delivered to them. These are USB sticks for the installation of IBM Storwize systems. Although the malware is copied to the computer, according to the manufacturers, it is not executed.
The malware was discovered by Kaspersky in 2015 and is referred to as Trojan.Win32.Reconyc. At the time, the malware was mainly active in Russia. It is able to make changes to the registry, modify files and install other malware.
When users use the USB sticks sent by IBM and Lenovo to initialize their Storwize device, the tool is copied to the local disk. On Windows systems, the malware resides in the %TMP%\initTool folder, and on Linux and Mac systems, it is in /tmp/initTool.
According to the companies, the malware is only copied, but not executed. Only if a user were to run it manually would the malware become active. The infected file does not affect the operation of the Storwize systems according to IBM and Lenovo.
It is not clear how the malware ended up on the USB sticks. IBM and Lenovo do not explain this in their announcements. Both companies sent the same USB sticks, which can be recognized by the part number 01AC585. The sticks are intended for initialization of the IBM Storwize V3500, V3700 and V5000. Those are professional NAS devices.
Several antivirus packages recognize the malware. IBM has compiled a list of the packages that identify the malware and the names under which they detect it. The manufacturers advise users to delete the folder and to destroy the USB stick or delete the data from it as well. The manufacturers say they have taken measures so that new USB sticks no longer contain the malware.
| Engine | Signature | Version | Update |
| --- | --- | --- | --- |
| AhnLab-V3 | Win32/Pondre | 3.8.3.16811 | 20170330 |
| ESET-NOD32 | Win32/TrojanDropper.Agent.PYF | 15180 | 20170331 |
| Kaspersky | Trojan.Win32.Reconyc.hvow | 15.0.1.13 | 20170331 |
| McAfee | PWSZbot-FIB!0178A69C43D4 | 6.0.6.653 | 20170331 |
| McAfee-GW-Edition | PWSZbot-FIB!0178A69C43D4 | v2015 | 20170331 |
| Microsoft | VirTool:Win32/Injector.EG | 1.1.13601.0 | 20170331 |
| Qihoo-360 | Virus.Win32.WdExt.A | 1.0.0.1120 | 20170331 |
| Symantec | W32.Faedevour!inf | 1.2.1.0 | 20170330 |
| Tencent | Trojan.Win32.Daws.a | 1.0.0.1 | 20170331 |
| TrendMicro | PE_WINDEX.A | 9.740.0.1012 | 20170331 |
| TrendMicro-HouseCall | PE_WINDEX.A | 9.900.0.1004 | 20170331 |
| ZoneAlarm | Trojan.Win32.Reconyc.hvow | 1 | 20170331 |

Overview of antivirus programs and how they indicate the malware on the USB sticks