IERK - More Info

From: Benjamin Sisco (ben@CQG.COM)
Date: 01/27/03

Next message: Russ: "Survey: SQL Slammer"

Previous message: Russ: "Blackboard and Slammer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Mon, 27 Jan 2003 12:24:45 -0700
From: Benjamin Sisco <ben@CQG.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We recently dealt with a machine that was exhibiting the same problems.
This is what we've found:

- IERK file created Jan 7th 2003 1:05:35pm Maybe this has been around a
little bit longer than expected.
- Machine was rebooted Saturday January 25th in an effort to apply a fix
for W32.Slammer worm as a result of MSDE being installed for a custom
software application.
- Previous reboot was November 23rd 2002

The IERK driver can be seen (without entering safe mode) by looking at
system information and then choosing Software environment and then
Drivers IERK will be listed. This situation only exists if the machine
has been rebooted.

Confirming that you MUST reboot into safe mode in order to set the
service to disabled through the registry.

Hope this helps.

A troubling unanswered question though - Has anyone heard about the
vector of infection for this Trojan? We have placed a tremendous amount
of effort in firewall level protection as well as router level
protection, switch level protection, and patch level protection. None
of these seems to have prevented this troublesome little Trojan.

Thanks for all the news thus far,
Ben

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time

Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Next message: Russ: "Survey: SQL Slammer"
Previous message: Russ: "Blackboard and Slammer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Puper.dll
... | I have a trojan on my system. ... Download and execute the following Multi AV scanning tool. ... Reboot the PC" and when the PC begins ... to restart, hit the F8 key and start in Safe Mode. ...
(microsoft.public.security.virus)
Re: Windows unable to run explorer.exe or IE
... one point it would be disabled by Trojan.StartPage on subsequent reboot. ... At that time the trojan processes running ... Windows) with my laptop which has current ver of NAV. ... > Repair Install. ...
(microsoft.public.windowsxp.general)
Re: Virus infection help needed
... > registry that Symantec says it creates but still the virus is there.... ... you have a trojan, ... Reboot in safe mode and run a scan again. ...
(alt.sys.pc-clone.dell)
Re: Please Help with WINCFG.SCR Infection !
... and Norton detected the trojan. ... reboot and they had vanished!! ... >> Followed path to trojan ref in registry as posted many places on internet ...
(comp.security.misc)
Re: security warning replaces wallpaper
... It sounds like the trojan that TrendMicro calls TROJ_DLOAD.H: ... Microsoft MVP - Windows Shell/User ... > This warning replaced my wall paper and all anti virus, ... > again the system says it is waiting for a reboot. ...
(microsoft.public.windowsupdate)