Lenovo BIOS malware/ LenovoCheck.exe Lenovo BIOS malware/ LenovoCheck.exe

Hi, I discovered this issue back in May when I bought a Lenovo Y40-80 which also has this. It really pissed me off so I did quite a bit of digging into it and successfully removed it, so after running into this thread I figured I’d share what I learned.

Before booting windows 7 or 8, the bios checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe, and then writes it’s own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, and sets up a services to run one of them when an internet connection is established. I don’t know too much exactly what those do, but one appears to phone home to … 2_oko.json which is a bit worrying with the combination of a “ForceUpdate” parameter shown and the lack of ssl, making it fairly likely that it’s exploitable for remote code execution by anyone who can intercept your traffic(public wifi, etc).

Disclaimer: Unless you really know what you’re doing, you really don’t want to try this: As for removing it, you need to edit and re-flash your bios. The downloadable bios update from Lenovo doesn’t seem to be extractable at least with any methods I know, and using bios dumping tools only gets you 6 of the 8MB of the bios chip, so unfortunately it has to be done the painful way. You’ll need a usb flash rom reader/writer(a cheap CH341A one works fine) and SOIC-8 test clips. You can get each of those 2 items for about $10 each. Take the back cover off the laptop, and also disconnect the battery, and locate the bios chip on the motherboard. Connect the test clips to the bios and connect the other end of the other end of the test clips to the usb writer, and connect the usb writer to another computer. On the other computer use the usb reader/writer to dump a copy of the bios. The bios dump will be an 8MB file. You need to split it into 2 files: the first 2MB and the last 6MB. Download UEFITool from github( ) and open the 6MB file. Look through the modules and find the one called “NovoSecEngine2” and mark it for deletion. Save a new copy of the 6MB file. Now make a new 8MB file by taking the 2MB beginning from earlier and appending the new 6MB file on to the end. Use the usb reader/writer to flash that new 8MB file to the laptop’s bios, then disconnect the wires and put the laptop back together. Reinstall a fresh copy of windows again, and check your C:\Windows\system32\autochk.exe file to make sure it’s signed by Microsoft, not Lenovo. If you have the original Microsoft one there, congratulations, your laptop is now clean.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s