IERK - More Info

From: Benjamin Sisco (ben@CQG.COM)
Date: 01/27/03

    Date:         Mon, 27 Jan 2003 12:24:45 -0700
    From: Benjamin Sisco <ben@CQG.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    We recently dealt with a machine that was exhibiting the same problems.
    This is what we've found:

    - IERK file created Jan 7th 2003 1:05:35pm. Maybe this has been around a
      little bit longer than expected.
    - Machine was rebooted Saturday January 25th in an effort to apply a fix
      for the W32.Slammer worm as a result of MSDE being installed for a custom
      software application.
    - Previous reboot was November 23rd 2002.

    The IERK driver can be seen (without entering safe mode) by looking at
    System Information and then choosing Software Environment and then
    Drivers; IERK will be listed. This situation only exists if the machine
    has been rebooted.

    Confirming that you MUST reboot into safe mode in order to set the
    service to disabled through the registry.

    Hope this helps.

    A troubling unanswered question though: has anyone heard about the
    vector of infection for this Trojan? We have placed a tremendous amount
    of effort in firewall level protection as well as router level
    protection, switch level protection, and patch level protection. None
    of these seems to have prevented this troublesome little Trojan.

    Thanks for all the news thus far,
    Ben
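
    Added example (not part of Ben's post): a PowerShell triage check, run from an elevated prompt, that reads the IERK service entry from the registry, resolves the driver file and its creation time (the "created Jan 7th" clue above), reports whether the driver is currently loaded, and shows the Start=4 change the post says must be made from safe mode. The service name IERK comes from the post; the meaning of the Start values is standard Windows service configuration.

```powershell
# Added example, not from the original post. Triage a suspect kernel driver
# service entry such as IERK. Run elevated; defaults to the name in the post.
function Get-SuspectDriverReport {
    param([string]$ServiceName = 'IERK')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Name = $ServiceName; Present = $false }
    }
    $svc = Get-ItemProperty -Path $key

    # Start values: 0 boot, 1 system, 2 auto, 3 demand (manual), 4 disabled.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

    # ImagePath is often stored relative to the system root; expand it so the
    # file's creation timestamp can be compared with the reboot history.
    $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
    if ($image -and -not [IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }
    $created = if ($image -and (Test-Path $image)) { (Get-Item $image).CreationTime } else { $null }

    # Loaded state via WMI; this is the same driver data msinfo32 presents
    # under Software Environment > Drivers.
    $running = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" |
        Select-Object -ExpandProperty State

    [pscustomobject]@{
        Name        = $ServiceName
        Present     = $true
        Start       = $startNames[[int]$svc.Start]
        Type        = $svc.Type
        ImagePath   = $image
        FileCreated = $created
        State       = $running
        LastBoot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Set Start=4 (disabled), the registry change the post describes making from
# safe mode. An already-loaded driver stays resident until the next reboot.
function Disable-SuspectDriver {
    param([string]$ServiceName = 'IERK')
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name Start -Value 4
}

Get-SuspectDriverReport | Format-List
```

    Compare FileCreated with LastBoot and the reboot dates in the post to tell whether the driver was staged before the last restart, which is the observation the post relies on.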
     
