From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Fri Jan 31 2003 - 16:11:00 CST

    Ok, so here's what I got back from you regarding IERK. I sure hope
    you've checked for this on your systems which run SQL 2000 or MSDE 2000.

    My theory about this being related to Slammer is, I believe, unfounded.
    There's no correlation between the two after further investigation and
    the information you provided.

    I got information about 50 machines in total, of which 23 had IERK on
    them. Machines that had it included Windows 2000 Server and Small
    Business Server 2000. All of the afflicted machines had SQL 2000, except
    one which had MSDE 2000. There was no other piece of software common to
    them all, so in my opinion the attack vector was likely a SQL 2000
    extended procedure, due to a weak or non-existent SA password.

    All machines except one found it listening on port 449. The other found
    it listening on port 961.

    All found it using a variety of the 4 methods I listed (see below).

    Almost everyone noticed their machine Blue Screen at some point in time,
    or reboot itself unexpectedly.

    NAI describes this as BackDoor-ALI:

    http://vil.nai.com/vil/content/v_100010.htm

    It's important to note that NAI's description includes a different file
    name (they refer to VMM32421.EXE, where we were looking for ipsechlp.dll).
    They also say it listens on port 961, where most NTBugtraq reports found
    it on 449.

    Check with your AV Vendor to see if they have a definition file which
    will catch this.

    It's important to remember that because this installs as a rootkit, it's
    likely that any machine with this on it has been completely hacked. It
    would be extremely difficult to determine what was done by the hacker on
    such a machine; they may have installed other rootkits or backdoors,
    added users, implemented other drivers, trojaned MS code, etc.

    The recommendation would be to restore the machine from a backup made
    prior to the infection (a date which isn't easy to determine), and then
    take steps to remove or restrict access to the extended procedures, and
    change all passwords (especially the SA password). See Chip's site for
    more information, http://www.sqlsecurity.com

    Methods for checking are:

    a) The IERK driver can be seen (without entering safe mode) by looking
    at system information and then choosing Software environment and then
    Drivers. IERK will be listed. This situation only exists if the machine
    has been rebooted.

    b) Look at Services. If you have "IPSEC Helper Services" or "Virtual
    Memory Manager" listed, you have the Trojan.

    c) Look for %systemroot%\system32\ipsechlp.dll, or VMM32421.EXE,
    anywhere on your system.

    d) Run NETSTAT -AN | FIND "449" (thanks to Greg Moore) or NETSTAT -AN |
    FIND "961"; neither TCP port should normally be listening.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
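The four manual checks in Russ's post (driver, service names, file names, listening ports) can be run in one pass. The following PowerShell script is an added example, not part of the original post or of any vendor tooling; the indicator values (driver name IERK, the two service display names, the two file names, TCP 449 and 961) are taken from the post, while the variable names, output format and the use of Get-CimInstance / Get-NetTCPConnection (Windows 8 / Server 2012 or later) are this example's own assumptions.

```powershell
# Added example: check one host for the IERK / BackDoor-ALI indicators from the post.
# Indicator values come from the post; structure and names are this example's own.
# Run from an elevated PowerShell prompt on the host being examined.

$serviceNames = @('IPSEC Helper Services', 'Virtual Memory Manager')   # method b)
$fileNames    = @('ipsechlp.dll', 'VMM32421.EXE')                      # method c)
$ports        = @(449, 961)                                             # method d)
$findings     = @()

# a) Kernel drivers appear as Win32_SystemDriver instances. As the post notes,
#    IERK is only listed once the machine has been rebooted since installation.
$driver = Get-CimInstance Win32_SystemDriver -Filter "Name = 'IERK'" -ErrorAction SilentlyContinue
if ($driver) {
    $findings += "Driver IERK registered (state: $($driver.State), image: $($driver.PathName))"
}

# b) Services, matched on display name; record the binary each one points at.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($serviceNames -contains $svc.DisplayName) {
        $findings += "Service '$($svc.DisplayName)' ($($svc.Name)) -> $($svc.PathName)"
    }
}

# c) Files: the documented system32 location first, then the whole system drive,
#    since NAI's name (VMM32421.EXE) was reported "anywhere on your system".
foreach ($f in $fileNames) {
    $p = Join-Path $env:SystemRoot "system32\$f"
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File `
        -Include $fileNames -ErrorAction SilentlyContinue
foreach ($h in $hits) {
    if ($h.DirectoryName -ne (Join-Path $env:SystemRoot 'system32')) {
        $findings += "File present: $($h.FullName)"
    }
}

# d) Listening TCP sockets on 449 or 961, with the owning process. Matching on
#    LocalPort avoids the false hits that FIND "449" gives on remote ports or on
#    ports such as 4490.
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    if ($ports -contains $c.LocalPort) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP $($c.LocalAddress):$($c.LocalPort) LISTENING, PID $($c.OwningProcess) ($($proc.ProcessName))"
    }
}

if ($findings.Count -gt 0) {
    Write-Warning "IERK indicators found on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1
} else {
    Write-Output "No IERK indicators found on $env:COMPUTERNAME."
    exit 0
}
```

Because the post describes IERK as a rootkit, a negative result from this script is weaker than a positive one: a kernel driver can hide its own service, files and sockets from the same APIs the script queries. Corroborate from outside the host, for example by port-scanning TCP 449 and 961 from another machine, and treat any hit as grounds for the restore-from-backup and SA-password steps the post recommends rather than for cleanup in place.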
