Paper Tape
aristarchus
Posts: 1
Registered: ‎08-30-2010
Location: Switzerland
0

Critical Battery Message in Thinkvantage leads to suspicious external download site - anrdoezrs.net


Hi,

 

My Thinkvantage inbox has a message about a critical battery issue software update, which wants me to download software from:

 

http:// www. anrdoezrs.net/click-3719336-10429688?url=http%3A%2F%2Fdownload.lenovo.com%2Fibmdl%2Fpub%2Fpc%2Fpccbbs%2Fmobiles%2F6ifu09ww_edge13.exe

 

I can't understand:

1. why Lenovo would want to apply an update outside of the established process

2. why use a suspicious download site - see http://www.siteadvisor.com/sites/anrdoezrs.net/summary/

 

Is my system infected already, or is Lenovo's message system infected?

 

Regards, Aristarchus

 

Moderator edit: Disabled the automatically created hyperlink by adding a couple of spaces - don't want everyone clicking on it.

Fanfold Paper
Drum
Posts: 9
Registered: ‎08-23-2010
Location: Norway
0

Re: Critical Battery Message in Thinkvantage leads to suspicious external download site - anrdoezrs.

Nothing so far from Lenovo.

 

Does that mean downloading from this link is 'safe' and not a problem?

 

No news is good news?

Lenovo Staff
Herik
Posts: 1,591
Registered: ‎07-17-2009
Location: Slovakia
0

Re: Critical Battery Message in Thinkvantage leads to suspicious external download site - anrdoezrs.

Hi,

I would say that this is some infection, because this link is not known to me.
I would run a virus check.

 

Every time there is a critical update, the download link comes from Lenovo.com or IBM.

No other source.

 

Cheers

Punch Card
lewis
Posts: 2
Registered: ‎02-27-2008
Location: Earth
0

Re: Critical Battery Message in Thinkvantage leads to suspicious external download site - anrdoezrs.

Hi Henrik and others;

 

Henrik, THE INFORMATION YOU PROVIDED IS 100% INCORRECT.

 

I encourage others to verify this using a packet analyzer as well.

 

The LT Toolbox DOES submit HTTP requests to anrdoezrs.net. I verified this by running a packet analyzer while clicking the link to download Rescue and Recovery software from the Toolbox and was able to review the entire process that the Toolbox uses to attempt to download the software.

 

Step 1. Upon clicking the link in LT Toolbox, the Toolbox software sends an HTTP request to a proxy server at amazonaws.com.

 

Step 2. amazonaws.com replies with an XML file that contains multiple URL values. Which one the Toolbox uses appears to be related to the user's country and language. Each URL is to anrdoezrs.net with a query string that appears to be a URL to Lenovo's website.

 

Step 3. The Toolbox then uses the computer's web browser to connect to the URL for anrdoezrs.net referenced in the XML file. For example: (http://www.anrdoezrs.net/click-3719336-10429688?URL=http%3A%2F%2Fwww.lenovo.com%2Fsupport%2Fsite.wss...).

 

Step 4. This is where it gets interesting: If the URL redirect provided is valid, the browser never displays the link to anrdoezrs.net and the software download begins. However, if the redirect is invalid, the web browser displays the "Object Not Found" page at anrdoezrs.net and the software (or information if it was a link for information) fails to download.

 

 

Additional Information:

 

1. Many of the links provided in the Lenovo ThinkVantage Toolbox software do exactly the same steps as posted above.

 

2. I tested this over a 96-hour period. During that time, the only time my computer attempted to connect to anrdoezrs.net was when I specifically clicked a link in LT Toolbox software.

 

3. I honestly do not believe this is doing anything malicious. However, I was surprised to see that the developers at Lenovo designed the Toolbox software to work this way. Why would they want to use anrdoezrs.net anyway?

 

 

Thank you for your time. I am not trying to offend anyone but I think the truth and a bit of research should be provided before making assumptions as to what the software is doing.

 

Thanks again.
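
The link structure discussed in this thread (a third-party click-tracking host carrying the real download location in a `url=` parameter) can be taken apart without visiting it. The following is an added example, not part of any post above and not Lenovo's code: it decodes the embedded target and checks both hops against a trusted-domain list. The list and the function names are assumptions made for illustration, with the domains taken from the staff reply.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: vendor domains named in the staff reply ("Lenovo.com, or ibm").
TRUSTED_SUFFIXES = ("lenovo.com", "ibm.com")

# The link from the first post, with the moderator's added spaces left in.
SAMPLE = ("http:// www. anrdoezrs.net/click-3719336-10429688?url="
          "http%3A%2F%2Fdownload.lenovo.com%2Fibmdl%2Fpub%2Fpc%2Fpccbbs"
          "%2Fmobiles%2F6ifu09ww_edge13.exe")


def host_is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyze_link(link):
    """Split a click-tracking link into first hop and embedded target."""
    outer = urlsplit(link.replace(" ", ""))
    # The thread shows both url= and URL=, so match the key case-insensitively.
    params = {k.lower(): v for k, v in parse_qs(outer.query).items()}
    target = params.get("url", [None])[0]  # parse_qs already percent-decodes
    inner = urlsplit(target) if target else None
    info = {
        "first_hop": outer.hostname,
        "first_hop_trusted": host_is_trusted(outer.hostname),
        "target": target,
        "target_host": inner.hostname if inner else None,
        "target_trusted": bool(inner and inner.scheme in ("http", "https")
                               and host_is_trusted(inner.hostname)),
    }
    if info["first_hop_trusted"]:
        info["verdict"] = "direct vendor link"
    elif info["target_trusted"]:
        info["verdict"] = "third-party redirector; fetch the target directly"
    else:
        info["verdict"] = "untrusted"
    return info


if __name__ == "__main__":
    for key, value in analyze_link(SAMPLE).items():
        print(f"{key}: {value}")
```

The check only validates what the link claims: the redirecting host still decides where the browser ends up, so the decoded target is the address to download from.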