Posted on May 3, 2017 at 11:08 AM
IBM has recently issued an alert after discovering that infected USB flash drives had somehow been shipped to customers. The drives were found to carry a Trojan known under the detection names “Faedevour”, “Pondre” and “Reconyc”.
Unfortunately, the infection was discovered too late for IBM to do anything about the shipments, and it is suspected that some users of IBM and Lenovo Storwize systems may be in possession of infected USB sticks. IBM’s official notice states that “IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code.” They added that the affected flash drives carry the number “01AC585” on them, so that users can identify the problematic devices more easily.
IBM also states that the malware does not infect the Storwize systems themselves, nor did it infect the flash drives issued for encryption key management. The other piece of good news in the statement is that although the malware is copied onto a Windows, Linux, or Mac machine when the drive is inserted, it does not execute automatically.
IBM did not explain how the malware got onto the flash drives, how the company is dealing with the problem, or how many users are suspected of holding an infected USB stick. As for dealing with the malware, IBM recommends that users update their antivirus software and, if the malware has copied itself onto a computer, immediately delete the temporary directory in which it resides.
The alert was issued by both IBM and Lenovo, and both companies have named the exact models suspected of being affected. As for the temporary directories mentioned above where the malware is placed, on Windows that is %TMP%\initTool, while on Mac and Linux the same malware can be found in /tmp/initTool.
Kaspersky Lab identifies the malware as a member of the Trojan.Win32.Reconyc family, whose purpose is to download further attack code onto infected endpoints; in other words, it installs additional software on machines that are already compromised. To prevent this, IBM has advised everyone holding an infected USB stick to destroy it so that it cannot be reused.
If you are unwilling to do so, the alternative is to wipe the drive clean, download the initialization tool from Fix Central onto it, and then scan the drive with your antivirus software. If the scan comes back clean, the device can be used safely.
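As an added example (not part of the original article, IBM's advisory or IBM's own tooling), the following Python script carries out the check the remediation above implies on any of the three platforms: it looks for the named temporary directory, records the SHA-256 of every file inside it so the evidence is preserved for triage, and can then delete the directory as the advisory recommends. The function names and the constructed sample fixture are this example's own assumptions.

```python
import hashlib
import os
import platform
import shutil
import tempfile
from pathlib import Path

# Drop locations the IBM/Lenovo advisories name for the Storwize initTool sticks:
# %TMP%\initTool on Windows, /tmp/initTool on Linux and macOS.
def drop_dir_for(system: str) -> Path:
    """Map a platform.system() value to the advisory's temporary directory."""
    if system == "Windows":
        return Path(os.environ.get("TMP", tempfile.gettempdir())) / "initTool"
    return Path("/tmp/initTool")  # Linux and Darwin (macOS)

def sha256_file(path: Path) -> str:
    """SHA-256 of one file, streamed so a large dropper is not read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(drop_dir, remove: bool = False) -> dict:
    """Report whether drop_dir exists and hash every file in it (before any removal)."""
    drop_dir = Path(drop_dir)
    finding = {"path": str(drop_dir), "present": drop_dir.is_dir(), "files": {}}
    if not finding["present"]:
        return finding
    for item in sorted(drop_dir.rglob("*")):
        if item.is_file():
            finding["files"][item.relative_to(drop_dir).as_posix()] = sha256_file(item)
    if remove:
        shutil.rmtree(drop_dir)  # the advisory's remediation step: delete the directory
        finding["removed"] = True
    return finding

def build_sample_drop(base=None) -> Path:
    """Constructed, harmless stand-in for the drop directory (demo fixture only)."""
    base = Path(base or tempfile.mkdtemp(prefix="initTool-demo-"))
    sample = base / "initTool"
    sample.mkdir(exist_ok=True)
    (sample / "initTool.exe").write_bytes(b"abc")  # placeholder bytes, not malware
    return sample

if __name__ == "__main__":
    result = inventory(drop_dir_for(platform.system()))
    print(f"{result['path']} present: {result['present']}")
    for name, digest in result["files"].items():
        print(f"  {name}  sha256={digest}")
```

Run it without arguments to inspect the current machine; pass `remove=True` to `inventory` only after the hashes have been recorded, since the directory's presence is the only artefact the advisory gives defenders to work from.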