Refurbished Panasonic Toughpads FZ-G1(F) sold on eBay/Priceholes shipped with Synaptics.Exe Worm

A warning to IT service providers and blog readers who buy used Windows notebooks, tablets or desktop PCs on eBay or in other shops: a reader pointed out to me a couple of days ago that he had ordered refurbished Panasonic Toughpads FZ-G1(F) from Priceholes-com via eBay and then discovered that they were infected with malware. He found the Chinese worm Synaptics.exe on the systems.



Vendor Priceholes-com on eBay

There are a number of dealers on the eBay platform who offer refurbished hardware (refurbished systems). One of these sellers is PriceHoles.com Ltd from the UK, which appears on eBay under Priceholes-com.

Priceholes refurbished systems

This supplier also offers refurbished Panasonic Toughpads FZ-G1(F) on eBay. These are industrial tablet PCs for Windows with reasonable features.

A German blog reader finds Synaptics.exe worm

German blog reader Volker contacted me the other day via email and reported an unpleasant incident (thanks for the tip). He says he purchased several Panasonic Toughpads FZ-G1(F) via the eBay seller PriceHoles-com. Such devices are offered under this German eBay link.

Buyers can choose whether the devices are delivered with Windows 7 or Windows 11 24H2. The buyer only needs to switch on the device and then the Windows (OOBE) installation takes place using the installation image stored on the device. After installation, the buyer then has a fresh system.



As Volker works in IT support, he always installs the operating system "fresh" from his own installation images on used devices. But he always looks at the devices before installation and checks whether the software on the system's storage media is "clean".

When he checked the Panasonic Toughpads FZ-G1(F) before installing Windows, he made an unpleasant discovery. On some of the devices delivered with a Windows 11 24H2 installation image, a synaptics.exe file was found in the ProgramData folder in a hidden Synaptics folder.

As the device does not have any Synaptics components, the reader became suspicious and ran a virus scan on the system. The Synaptics.exe file is the "well-known" Chinese Synaptics.exe "Network Worm", he wrote to me.
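The check the reader describes can be scripted. The following PowerShell is an added example, not code from the reader or the original post; the `-Root` parameter and the function name `Find-SynapticsArtifact` are hypothetical, and `-Root` is assumed to be the drive letter of the volume to inspect (the running system, or the tablet's disk attached to a clean machine). It only reports and changes nothing on disk.

```powershell
# Added example: read-only triage for the artifact described in this post.
# -Root (hypothetical parameter): drive letter of the volume to inspect.
param([string]$Root = $env:SystemDrive)

function Find-SynapticsArtifact {
    param([Parameter(Mandatory)][string]$Root)

    $programData = Join-Path $Root 'ProgramData'
    if (-not (Test-Path -LiteralPath $programData)) { return }

    # -Force is required, otherwise hidden folders are silently skipped.
    Get-ChildItem -LiteralPath $programData -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'Synaptics' } |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -LiteralPath $dir.FullName -File -Force -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    [pscustomobject]@{
                        Path         = $_.FullName
                        FolderHidden = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
                        SizeBytes    = $_.Length
                        Created      = $_.CreationTime
                        # Hash for a manual lookup at a scanning service
                        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        Signature    = $sig.Status
                        Signer       = $sig.SignerCertificate.Subject
                    }
                }
        }
}

$hits = @(Find-SynapticsArtifact -Root $Root)

# Hardware inventory is only meaningful when inspecting the running device.
if ($Root.TrimEnd('\') -ieq $env:SystemDrive) {
    $hasSynapticsHw = [bool](Get-PnpDevice -ErrorAction SilentlyContinue |
        Where-Object { $_.Manufacturer -like '*Synaptics*' -or $_.FriendlyName -like '*Synaptics*' })
    Write-Host "Synaptics hardware present: $hasSynapticsHw"
}

if ($hits.Count -eq 0) {
    Write-Host "No executable found under $Root\ProgramData\Synaptics."
} else {
    $hits | Format-List
    Write-Warning 'Executable in ProgramData\Synaptics: run a full or offline AV scan before using the device.'
}
```

A hit in a hidden folder with no valid signature, on a device that reports no Synaptics hardware, matches the situation described above; an empty result does not prove the image is clean.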

The Synaptics.Exe Worm

If you search the Internet for "Synaptics.Exe worm", there are numerous hits dating back to 2020. Here are some of the sites on the Internet that deal with this malware, which acts as a Trojan.

reddit.com: Found The Synaptics Worm
reddit.com: Virus on driver. Is this a false positive or real virus?
virustotal.com: Synaptics.exe
file.net: Explanation of Synaptics.exe on file.net
AnyRun: Analysis on AnyRun

The reader had little doubt that the synaptics.exe file discovered must be the worm "Worm:Win32/AutoRun.XXY!bit".

The high risk of catching a Trojan

Of course, the reader then immediately gave the matter some thought, because this reseller really does sell a lot of (these) devices and has 99.8% positive reviews. According to the reader, the devices supplied are in top condition and the pre-installed Windows version only has a Panasonic tool and a UMTS tool pre-installed.

Buyers may discover only very late that the devices are infected. This is because the Windows Defender integrated in Windows 11 24H2 only sounds the alarm after some time. Only when Defender starts scanning the system files as part of an offline scan is a malware detection reported immediately.

The reader also assumes that the hidden Synaptics folder is created under ProgramData shortly after the OOBE process. Should this variant actually infect further EXE program files, as described by other people, the reader notes that even inserting USB sticks, e.g. to save the drivers from the installation medium or to copy something to storage, poses a potential risk of infection.

The vendor PriceHoles.com Ltd was informed of the matter by the reader and, according to initial feedback, intends to look into the case. However, there are no results yet (after 3-4 weeks). The blog post should therefore be seen as a warning and a reminder to consider purchased (refurbished) devices as potentially infected and to check them for malware before using them.

