
Re: [Full-disclosure] Strange Lenovo x121e



On Wed, Oct 05, 2011 at 07:57:03PM +0000, halfdog wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello List,
> 
> I just purchased a Lenovo x121e, and just before initialising it with random data
> and setting up the crypto disks, I found that the disk was not
> completely clean. It seems that
> 
> a) X121 ships with a dirty disk or
> b) machine was used before purchase
> 
> After reconstruction of bootsector, a NTFS partition is readable,
> pagefile.sys shows
>   COMPUTERNAME=ADMIN-THINK
> 
> Newest files in /
> dr-x------  1 root root      28672 May 29 09:45 SWDL
> -r--------  2 root root       2490 May 29 09:36 ExitWinXP.bat
> dr-x------  1 root root       4096 Apr  6 13:59 WWAN1
> dr-x------  1 root root          0 Mar  1  2011 Temp
> dr-x------  1 root root          0 Jan  6  2011 $Recycle.Bin
> dr-x------  1 root root       4096 Jan  6  2011 Users
> dr-x------  1 root root          0 Jan  6  2011 Intel
> -r--------  2 root root       1959 Oct  2  2010 bluetooth.txt
> 
> Funny: it might also be infected with a virus that generated sal.xls.exe
> 
> -r--------  2 root root       4810 Oct 13  2007 \346\270\205\351\231\244sal.xls.exe\347\227\205\346\257\222.bat
> 
> The non-printables seem to be UTF-8 and display as Chinese glyphs on
> another machine.
> 
> I'm a complete noob in win-forensics, but at least it seems that there
> is no evidence of other user accounts, Documents & Settings is empty, so
> perhaps this could really be an authentic IBM OEM image (with virus),
> but they just replaced the boot sector to get rid of the partitions?
> 
> Since I don't want to waste too much time on dirty hardware, I did
> some googling, but found nothing of value.
> 
> 
> Does someone know of similar findings on Lenovo machines, and what's
> your guess: is it worth digging in deeper, or is it just a waste of time
> to recover an OEM Windows image that was deflowered and insufficiently
> cleaned by some Chinese factory worker during lunch hours?
> 
> hd
> 
> -- 
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFOjLZtxFmThv7tq+4RAjg3AJ4xCLYJqExTYk0kqLowYFdB+RU3PQCgk4yW
> zD1Qa8MoApdLGQ5Mns0wpKE=
> =UuJ/
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

I have a pretty new X220t, and on 2011-09-18 I noticed this 
http://paste.nerv.fi/59031966-strangedrivers.png when I was working as 
administrator. I didn't have any network connected (LAN, WLAN, Bluetooth) nor 
USB devices. I also did check the event viewer, but didn't find anything useful. I 
didn't notice it again, nor did I find any evidence of abuse. There is a recovery 
partition in my model at least, which could hold a big amount of executables 
and/or drivers. I also do know how to use Windows, so as far as I can tell my 
laptop is pretty secure. I have a firewall, IPS, anti-virus, and I am not 
installing programs on my system easily :)

Please notify me if you find anything related to this issue. I would be happy 
to receive a sample of sal.xls.exe. Where did you purchase your laptop?

Best regards,
Henri Salo

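The octal sequences in halfdog's listing (`\346\270\205...`) are how GNU ls renders non-printable bytes when its output is not a terminal: one `\ooo` escape per byte. Decoding them back to UTF-8 is the first thing an analyst would do before deciding whether the file is the malware or something else. The following decoder is an added example written for this thread, not code from either poster; the sample name is the one quoted above, and the `describe_non_ascii` helper is an assumed convenience for naming the glyphs. Run on that name it yields `清除sal.xls.exe病毒.bat`, which reads as "remove sal.xls.exe virus.bat", i.e. the name of a cleanup batch file rather than of the virus itself.

```python
import re
import unicodedata

# Constructed sample: the filename exactly as it appeared in the quoted ls listing.
SAMPLE_NAME = r"\346\270\205\351\231\244sal.xls.exe\347\227\205\346\257\222.bat"

# GNU ls (non-terminal output, or `ls -b`) escapes each non-printable byte as
# \ooo (three octal digits) and a literal backslash as \\ .
_ESCAPE_RE = re.compile(r"\\([0-7]{3})|\\(\\)")


def decode_ls_escapes(name: str, encoding: str = "utf-8") -> str:
    """Turn an ls-style escaped name back into text.

    Escapes are converted byte by byte and the resulting byte string is
    decoded with `encoding`; undecodable bytes become U+FFFD so a hostile
    or mis-encoded name can never raise during triage.
    """
    raw = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(name):
        raw += name[pos:m.start()].encode(encoding)   # literal run
        if m.group(1) is not None:
            raw.append(int(m.group(1), 8))              # \ooo -> one byte
        else:
            raw.append(ord("\\"))                       # \\ -> backslash
        pos = m.end()
    raw += name[pos:].encode(encoding)
    return raw.decode(encoding, errors="replace")


def describe_non_ascii(text: str):
    """List every non-ASCII character as (char, 'U+XXXX', unicode name).

    Useful for telling CJK text apart from, say, a right-to-left override
    or a look-alike Latin letter hidden in a filename.
    """
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for ch in text
        if ord(ch) > 0x7F
    ]


if __name__ == "__main__":
    decoded = decode_ls_escapes(SAMPLE_NAME)
    print(decoded)
    for ch, cp, name in describe_non_ascii(decoded):
        print(f"  {ch}  {cp}  {name}")
```

The `unicodedata.name` column matters more than it looks: it is the quickest way to confirm that the unfamiliar glyphs are ordinary CJK ideographs and not control or formatting characters used to disguise an extension.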