IERK - More Info
From: Benjamin Sisco (ben@CQG.COM)
Date: Mon, 27 Jan 2003 12:24:45 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We recently dealt with a machine that was exhibiting the same problems.
This is what we've found:
- IERK file created Jan 7th 2003 1:05:35pm. Maybe this has been around a
little bit longer than expected.
- Machine was rebooted Saturday January 25th in an effort to apply a fix
for W32.Slammer worm as a result of MSDE being installed for a custom
- Previous reboot was November 23rd 2002
The IERK driver can be seen (without entering safe mode) by looking at
System Information and then choosing Software Environment and then
Drivers; IERK will be listed. This situation only exists if the machine
has been rebooted.
Confirming that you MUST reboot into safe mode in order to set the
service to disabled through the registry.
Hope this helps.
A troubling unanswered question though - Has anyone heard about the
vector of infection for this Trojan? We have placed a tremendous amount
of effort in firewall level protection as well as router level
protection, switch level protection, and patch level protection. None
of these seems to have prevented this troublesome little Trojan.
Thanks for all the news thus far,