ierk8243.sys and IPSEC Helper Services
From: Sufliarsky Richard (sufo@GRATEX.COM)
Date: 01/30/03
Date: Thu, 30 Jan 2003 17:55:49 +0100 From: Sufliarsky Richard <sufo@GRATEX.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Attention!!!
Anybody who had the ierk8243.sys trojan, try to look at your running services.
Maybe you have the IPSEC Helper Services service running there.
It listens on TCP port 449 and uses system32\ipsechlp.dll (when you open
it in Notepad you can find the string ierk8243).
When I was stopping this service I was watching Filemon (from
Sysinternals) and it did something with:
Microsoft SQL Server\80\Tools\Binn\Resources\1033\sqlmangr.rll
I can confirm that even if ierk8243.sys is running and hiding itself in
the registry and the filesystem you can see it in System Tools->System
Information->Software Environment->Drivers.
Here are the registry keys for IPSEC Helper Services:
========================================================================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="IPSEC Helper Services"
"ObjectName"="LocalSystem"
"Description"="Provides additional security policy functions for the IP security driver."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,70,00,73,00,65,00,\
  63,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,48,b8,13,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp\Enum]
"0"="Root\\LEGACY_POLICYAGENTHLP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POLICYAGENTHLP]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POLICYAGENTHLP\0000]
"Service"="PolicyAgentHlp"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC Helper Services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POLICYAGENTHLP\0000\Control]
"ActiveService"="PolicyAgentHlp"
========================================================================
This is the reply from Symantec after their analysis of the submitted files.
======================================================================
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: C:\TEMP\Legacy_ierk8243.sys.reg.txt
machine:
result: See the developer notes
filename: C:\TEMP\ipsechlp.dll
machine:
result: See the developer notes
filename: C:\TEMP\ierk8243.sys.reg.txt
machine:
result: See the developer notes
filename: C:\TEMP\ierk8243.sys
machine:
result: This file is infected with Trojan.Slanret
Developer notes:
C:\TEMP\Legacy_ierk8243.sys.reg.txt does not appear to contain
malicious code.
C:\TEMP\ipsechlp.dll does not appear to contain malicious code.
C:\TEMP\ierk8243.sys.reg.txt does not appear to contain malicious code.
C:\TEMP\ierk8243.sys is a non-repairable threat. Please delete this file
and replace it if necessary.
========================================================================
Unfortunately it was an automatic analysis of the files, so it only found that
trojan. More info about it is here: www.sarc.com
Richard Sufliarsky
mailto:sufo@gratex.com
Technology Consulting Group
Gratex International
http://www.gratex.com
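Added example, not part of Richard's post or of any vendor tooling: a small Python parser for the regedit export format quoted above. It joins the backslash line continuations, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) values that hide the actual paths, and lists every service whose ImagePath is svchost.exe with a -k group together with the ServiceDll that svchost will load for it. The sample input is a constructed excerpt of the PolicyAgentHlp keys from the post (same bytes); the function names are my own.

```python
import re

# Constructed excerpt of the .reg export quoted in the post (same bytes, regedit-style "\" wrapping).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp]
"Start"=dword:00000004
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentHlp\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,70,00,73,00,65,00,\
  63,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def decode_value(raw):
    """Decode one .reg value: dword, hex(2) (REG_EXPAND_SZ, UTF-16LE), raw hex, or string."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):
        data = bytes(int(b, 16) for b in raw[raw.index(':') + 1:].split(',') if b)
        if raw.startswith('hex(2):'):
            return data.decode('utf-16-le').rstrip('\x00')  # NUL-terminated string
        return data  # e.g. the "Security" descriptor, kept as bytes
    return raw.strip('"').replace('\\\\', '\\')  # "Root\\X" means Root\X in .reg syntax

def parse_reg(text):
    """Return {key_path: {value_name: value}}, joining lines regedit wrapped with a trailing '\\'."""
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def svchost_hosted_dlls(keys):
    """Map each svchost-hosted service to the DLL named in its Parameters\\ServiceDll."""
    found = {}
    for path, values in keys.items():
        image = str(values.get('ImagePath', '')).lower()
        if 'svchost.exe' in image and ' -k ' in image:
            params = keys.get(path + '\\Parameters', {})
            found[path.rsplit('\\', 1)[-1]] = params.get('ServiceDll')
    return found
```

Running `svchost_hosted_dlls(parse_reg(REG_EXPORT))` on the excerpt resolves the opaque hex to `%SystemRoot%\System32\svchost.exe -k netsvcs` loading `C:\WINNT\system32\ipsechlp.dll`, which is the fact a responder needs when checking a suspicious netsvcs member against the DLLs that are expected there.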