IERK - More Info

From: Benjamin Sisco (ben@CQG.COM)
Date: 01/27/03

    Date:         Mon, 27 Jan 2003 12:24:45 -0700
    From: Benjamin Sisco <ben@CQG.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    We recently dealt with a machine that was exhibiting the same problems.
    This is what we've found:
     
    - IERK file created Jan 7th 2003, 1:05:35pm. Maybe this has been around a
    little bit longer than expected.
    - Machine was rebooted Saturday January 25th in an effort to apply a fix
    for W32.Slammer worm as a result of MSDE being installed for a custom
    software application.
    - Previous reboot was November 23rd 2002
     
    The IERK driver can be seen (without entering safe mode) by looking at
    System Information, then choosing Software Environment, then
    Drivers; IERK will be listed. This situation only exists if the machine
    has been rebooted.
     
    Confirming that you MUST reboot into safe mode in order to set the
    service to disabled through the registry.
     
    Hope this helps.
     
    A troubling unanswered question though - Has anyone heard about the
    vector of infection for this Trojan? We have placed a tremendous amount
    of effort in firewall level protection as well as router level
    protection, switch level protection, and patch level protection. None
    of these seems to have prevented this troublesome little Trojan.
     
    Thanks for all the news thus far,
    Ben
     
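The two checks Ben describes (confirm the driver is loaded, then disable its service through the registry) are scripted below as an added example; this is not code from the post or from the list. It assumes a modern PowerShell on Windows, where the 2003-era machine would have used msinfo32 and regedit for the same steps, and it assumes the driver's service key lives under the standard HKLM\SYSTEM\CurrentControlSet\Services path (the post does not give the key). The `-Disable` switch and the `$DriverName` parameter are this example's own. As the post notes, the Start change only sticks when made from Safe Mode, and the script must run elevated.

```powershell
# Added example: report on, and optionally disable, a kernel driver service.
# Assumptions (not from the post): modern PowerShell, standard Services key layout.
param(
    [string]$DriverName = 'IERK',   # name taken from the post; any service name works
    [switch]$Disable                # without this the script only reports
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"

# 1. Same view as System Information > Software Environment > Drivers, via CIM.
#    Win32_SystemDriver only lists drivers the kernel knows about, which matches
#    the post's observation that IERK shows up here only after a reboot.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if ($null -eq $drv) {
    Write-Host "No loaded driver named $DriverName (not yet rebooted since install, or not present)."
} else {
    Write-Host ("Loaded driver {0}: state={1} startmode={2} path={3}" -f
        $drv.Name, $drv.State, $drv.StartMode, $drv.PathName)
}

# 2. The service key. ImagePath identifies the file to preserve for analysis
#    before anything is disabled or deleted.
if (-not (Test-Path $svcKey)) {
    Write-Host "No service key at $svcKey"
    return
}
$props = Get-ItemProperty -Path $svcKey
Write-Host ("Registry: Start={0} Type={1} ImagePath={2}" -f $props.Start, $props.Type, $props.ImagePath)

if ($props.ImagePath) {
    # Driver ImagePath values come in several forms: \??\C:\..., \SystemRoot\..., or
    # a path relative to %SystemRoot%. Normalise so we can stat the file.
    $img = $props.ImagePath -replace '^\\\?\?\\', ''
    $img = $img -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
    if (Test-Path $img) {
        # CreationTime is what the post used to date the infection (Jan 7th).
        Get-Item $img | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-List
    } else {
        Write-Host "ImagePath does not resolve to an existing file: $img"
    }
}

# 3. Start = 4 is SERVICE_DISABLED (0=boot, 1=system, 2=auto, 3=manual).
#    Per the post this edit only takes on a machine booted into Safe Mode.
if ($Disable) {
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    Write-Host "Set $svcKey\Start = 4 (disabled); reboot for it to take effect."
}
```

Run it once without `-Disable` to record the driver's state and file timestamps, copy the file named by ImagePath somewhere safe, and only then re-run with `-Disable` from Safe Mode.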
