Rogue Kernel Driver ierk8243.sys may be novel Trojan
From: Barron Mertens (bmertens@UWO.CA)
Date: 01/26/03
- Previous message: DeLoach, Timothy: "Cisco SQL Worm advisory"
- In reply to: http-equiv@excite.com: "SPRINT ADSL [Zyxel 645 Series Modem]"
- Next in thread: Matt Scarborough: "Re: Rogue Kernel Driver ierk8243.sys may be novel Trojan"
- Reply: Matt Scarborough: "Re: Rogue Kernel Driver ierk8243.sys may be novel Trojan"
Date: Sun, 26 Jan 2003 17:29:38 -0500
From: Barron Mertens <bmertens@UWO.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Approximately around Jan 10 2003 our main database cluster began experiencing random unexplained "blue screen of death" crashes. The blue screen claimed that the component that had failed was called ierk8243.sys, and this was the cause on both machines (Win2K SP3 and SQL 2000 SP2). Inspection of those machines and even Google returned no matches for that file or anything close (other than someone's email address in Iceland, I think). I bit the bullet (credit card?) and called in Microsoft Premium Support Services after I ran out of ideas and had suffered through too many crashes.

After a week of analyzing dump files we had a breakthrough when someone else showed up with the same problem. That person discovered that if you reboot into safe mode and search the registry, there is a kernel-level driver (like a hardware device driver) called ierk8243.sys installed, and you can also then find the file on the hard drive in the %systemroot%\system32\drivers folder. While the driver is running you cannot find it in the registry, on the file system, or on a list of running processes; booting into safe mode prevents the driver from loading. The file's properties read as a standard MS file belonging to the original OS install, including the timestamp info. To kill the driver, just change the startup value to 4 (disabled) in the registry and rename the file.

MS, NAI and TrendMicro are analyzing the file to see what it was doing, and hopefully they can figure out how it got in. The only info to come out of the analysis so far is that it might have been using port 961 and this MAY be a Trojan horse related to "Backdoor/Alley", which is quite obscure. We have found this code on four machines altogether, all administered by myself and all running SQL Server (not sure who is guilty); two machines were Win2K Advanced Server and two were XP Pro.
Barron Mertens
Senior System Engineer/Developer
Faculty of Education
The University of Western Ontario
London, Ontario, Canada
N6G 1G7
Room 1095
519-661-2111 x88662
bmertens@uwo.ca
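The post describes two things a defender can script: an audit of the kernel-driver entries under the Services key (checking that each driver's file is actually on disk and that a file claiming to be Microsoft's carries a valid signature, since the rogue file's properties mimicked a stock OS file), and the remediation of setting Start to 4 and renaming the file from safe mode. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft; the service name `ierk8243`, the `.quarantined` suffix and the function names are assumptions, and the cross-view comparison at the end is the safe-mode-versus-normal-boot diff the post relies on, expressed as two saved snapshots.

```powershell
# Added example (not part of the original NTBugtraq post).
# Audits kernel-mode driver services from the registry and implements the
# post's remediation (Start=4 plus rename). Run from an elevated prompt.
param(
    [string] $SuspectDriver = 'ierk8243'   # service name from the post; assumed default
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

function Get-KernelDriverAudit {
    # One record per kernel driver service (Type 1 = SERVICE_KERNEL_DRIVER).
    Get-ChildItem $servicesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Type -ne 1) { return }

        # ImagePath may be absent (defaults to drivers\<name>.sys), relative,
        # or prefixed with \??\ or \SystemRoot\; normalise to a Win32 path.
        $img = $p.ImagePath
        if (-not $img) { $img = Join-Path $driversDir ($_.PSChildName + '.sys') }
        $img = $img -replace '^\\\?\?\\', '' `
                    -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                    -replace '^System32\\', "$env:SystemRoot\System32\"

        $exists    = Test-Path -LiteralPath $img
        $company   = $null
        $sigStatus = 'n/a'
        if ($exists) {
            $company   = (Get-Item -LiteralPath $img).VersionInfo.CompanyName
            # Catalog-signed OS drivers report Valid here on current Windows.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $img).Status
        }

        [pscustomobject]@{
            Name       = $_.PSChildName
            Start      = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $img
            OnDisk     = $exists
            Company    = $company
            Signature  = $sigStatus
            # Flag: enabled driver with no file visible, or a "Microsoft" file
            # whose signature does not verify (the mimicry described in the post).
            Suspicious = ((-not $exists) -and ($p.Start -lt 4)) -or
                         (($company -like '*Microsoft*') -and ($sigStatus -ne 'Valid'))
        }
    }
}

function Disable-KernelDriver {
    # The post's remediation: Start=4 (disabled) and rename the image file.
    # Must be run from safe mode, because the loaded driver hides its key and file.
    param([Parameter(Mandatory)] [string] $Name)
    $key = Join-Path $servicesKey $Name
    if (-not (Test-Path $key)) {
        Write-Warning "$Name is not visible in the registry; boot into safe mode and retry."
        return
    }
    Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    $file = Join-Path $driversDir "$Name.sys"
    if (Test-Path -LiteralPath $file) {
        Rename-Item -LiteralPath $file -NewName "$Name.sys.quarantined"   # assumed suffix
    }
}

# Usage: list suspicious entries, then look for the specific driver named in the post.
Get-KernelDriverAudit | Where-Object Suspicious | Format-Table -AutoSize
Get-KernelDriverAudit | Where-Object Name -eq $SuspectDriver

# Cross-view check (the detection the post describes): save one snapshot from a
# normal boot and one from safe mode, then diff the service names. A driver that
# only appears in the safe-mode snapshot is hiding itself while loaded.
#   Get-KernelDriverAudit | Export-Csv normal.csv   -NoTypeInformation
#   Get-KernelDriverAudit | Export-Csv safemode.csv -NoTypeInformation
#   Compare-Object (Import-Csv normal.csv).Name (Import-Csv safemode.csv).Name
```

The audit deliberately runs twice rather than trying to see through the hiding from a live session: anything a driver conceals from registry and file-system enumeration while it is loaded only becomes visible when it is not loaded, which is exactly why the post's discovery came from safe mode.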