Security Incidents mailing list archives
Re: Unknown Malware found csdiv.dll
From: Sven Carstens <sven.carstens () blinker-links de>
Date: Wed, 30 Jun 2004 10:26:12 +0200
My remaining questions are:
How is the csdiv.dll dropped back into place? -> I'll look and see if I can find a BHO (I bet he hasn't reinstalled).
Why, oh why can't people properly set up their autoresponders?

Here are some cumulated follow-ups:
I was wondering if you could provide a little more information that might help narrow this baddy down a bit... Caught? You mean he just found the file?
Not really. He just noticed all this nice stuff popping up when he opened IE. Porn, advertising, warning that he has a bad spyware on his pc (in a remote html page) and should immediately install a program from a website. Now he didn't fall for that at least.

So I started up sysinternals procexp.exe and autoruns.exe. There I found a bunch of different programs running that didn't belong there. These were with varying names and locations within \windows and \windows\system32.

Then I tried to install AdAware. This failed. So I first killed the suspicious processes and then AdAware installed without failure. AdAware updated and detected the changes in the registry (res:\\ types for IE) and the various programs that were running at the start of my poking around. Rebooted the PC and everything was back to before (some other program names this time).

I removed the default route on his pc. Let AdAware do its job again. Removed the csdiv.dll and a service entry that referred to one of the numerous programs running. Rebooted again. This time IE didn't start at all when double clicking it. procexp showed it as running without a window. But when started with a standard .html file it would run normally. Setting the default route back to normal did lead to the expected experience. IE started with the malware and all files I removed were back in place.

I told him to reinstall and left him without a default route set. I just figure him crawling under his desk to see why he has no network connectivity.
What are some of the "well known other parts", and how do you know that they're "dropped" by this DLL?
Calling the res:\\csdiv.dll immediately led to the other processes running.
Where did you check, specifically? Did you check specific keys (if so, which ones?) or did you just search the Registry for the DLL name?
I let AdAware and autoruns.exe check for the usual suspects and searched for 'csdiv' with regedit.
Searching all files on disk? What does that mean? Did you look for the DLL name within files, or did you search for the file name itself?
I looked for all files containing 'csdiv'. This found the logfiles and the csdiv.dll file.
Could it be that the DLL was called by one of the EXE files mentioned in the logfile you posted? Did you happen to find those files, too?
Some but not all of the EXE files showed up during starting IE. These were not all of the files that showed up but the others didn't differ in content but rather in name. Those were found by AdAware.
Just out of curiosity, have we ruled out the possibility that more than one piece of malware found its way in? Often, it's hard to tell if you're playing "5 blind men and an elephant", or "5 blind men and 5 different animals"... (If you find that hard to believe, consider the recent study that found an *average* of 7 or so *different* pieces of spyware on the boxes surveyed....)
It's just that I cleaned up to the best of my current abilities and just the stuff relating to the csdiv.dll dropped back into place.
There's a nice free service which will scan any submitted file using 10 different scanners at www.virustotal.com.

Results of a file scan
This is the report of the scanning done over "csdiv.dll" file that VirusTotal processed on 06/29/2004 at 17:07:29.

Antivirus      Version     Update       Result
BitDefender    7.0         06.28.2004   Trojan.Downloader.Agent.AP
eTrustAV-Inoc  4641        06.28.2004   -
F-Prot         3.14e       06.28.2004   -
Kaspersky      3.0         06.29.2004   TrojanDownloader.Win32.Winshow.u
McAfee         4370        06.26.2004   -
NOD32v2        1.796       06.26.2004   -
Panda          7.02.00     06.29.2004   Adware/Iefeatsl
Sybari         7.50.1138   06.29.2004   JS.Winshow.Q
Symantec       8.0         06.28.2004   -
TrendMicro     1.00        06.25.2004   TROJ_WINSHOW.AB

Guess which three of these scanners are in use. Symantec, McAfee and F-Prot.

CU Sven
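The open question at the top of the post (what keeps putting the DLL back, and whether a BHO is involved) is usually answered faster from a registry export than from a regedit string search. The following is an added example, not code from the post: it parses a regedit export and pulls out the two markers the thread mentions, res:// URLs in Internet Explorer's page settings (written res:\\ in the post) and Browser Helper Object registrations, and resolves each BHO's CLSID to the DLL its InprocServer32 key names. The .reg text embedded below is constructed sample data; the CLSID and the file paths in it are hypothetical.

```python
"""Scan a regedit export (.reg text) for IE hijack markers: res:// URLs in
IE's start/search-page values, and Browser Helper Object registrations.

Added example, not code from the original post. SAMPLE_REG is constructed
sample data; the CLSID and DLL paths in it are hypothetical.
"""
import re

# Constructed sample of what `regedit /e` might export on an infected box.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://C:\\WINDOWS\\system32\\csdiv.dll/index.html"
"Search Page"="http://www.google.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="res://csdiv.dll/search.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\csdiv.dll"
"ThreadingModel"="Apartment"
'''

BHO_KEY = re.compile(r"\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})$", re.I)
INPROC_KEY = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32$", re.I)


def _unescape(raw):
    """Strip the quotes of a .reg string value and undo its backslash escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # dword:/hex: values are kept as written


def parse_reg(text):
    """Return {key_path: {value_name: value}}; "" holds the key's default (@) value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else _unescape(name)
            reg[current][name] = _unescape(raw)
    return reg


def find_res_references(reg):
    """Every string value that points IE at a page served out of a DLL's resources."""
    return [(key, name, value)
            for key, values in reg.items()
            for name, value in values.items()
            if value.lower().startswith("res://")]


def find_bhos(reg):
    """Map each registered BHO CLSID to its InprocServer32 DLL (None if not in the export)."""
    bhos = {}
    for key in reg:
        m = BHO_KEY.search(key)
        if m:
            bhos[m.group(1).upper()] = None
    for key, values in reg.items():
        m = INPROC_KEY.search(key)
        if m and m.group(1).upper() in bhos:
            bhos[m.group(1).upper()] = values.get("")
    return bhos


def suspect_dlls(reg):
    """Lower-cased basenames of every DLL reached via a res:// URL or a BHO."""
    names = set()
    for _, _, value in find_res_references(reg):
        m = re.match(r"res://(.*?\.dll)", value, re.I)
        if m:
            names.add(re.split(r"[\\/]", m.group(1))[-1].lower())
    for path in find_bhos(reg).values():
        if path:
            names.add(re.split(r"[\\/]", path)[-1].lower())
    return names


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name, value in find_res_references(reg):
        print("res:// reference:", key, repr(name), value)
    for clsid, dll in find_bhos(reg).items():
        print("BHO:", clsid, "->", dll)
    print("DLLs to look at:", sorted(suspect_dlls(reg)))
```

A real `regedit /e` export is usually UTF-16, so read it with `encoding="utf-16"` before passing it to `parse_reg`. The scan only sees what the export contains: a loader that recreates these values from a service or a Run key shows up under those keys, which is what autoruns.exe covers, not here.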
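For the scanner report at the end of the post, an added example (not the post's own code and not anything from VirusTotal) that parses the ten result lines and answers what the closing sentence asks: how many engines flagged the file, which of the engines deployed on the desktop (Symantec, McAfee, F-Prot) returned nothing, and whether the detection names agree on a family once naming-scheme words are stripped. The report text is the one quoted above, re-typed one engine per line; the GENERIC word list is my own assumption about which tokens carry no family information.

```python
"""Triage a multi-scanner report: detection count, coverage of the deployed
engines, and a consensus family token across the engines that did detect.

Added example, not code from the original post or from VirusTotal. REPORT is
the report quoted in the post, one engine per line.
"""
import re
from collections import Counter

REPORT = """\
BitDefender 7.0 06.28.2004 Trojan.Downloader.Agent.AP
eTrustAV-Inoc 4641 06.28.2004 -
F-Prot 3.14e 06.28.2004 -
Kaspersky 3.0 06.29.2004 TrojanDownloader.Win32.Winshow.u
McAfee 4370 06.26.2004 -
NOD32v2 1.796 06.26.2004 -
Panda 7.02.00 06.29.2004 Adware/Iefeatsl
Sybari 7.50.1138 06.29.2004 JS.Winshow.Q
Symantec 8.0 06.28.2004 -
TrendMicro 1.00 06.25.2004 TROJ_WINSHOW.AB
"""

# Assumed naming-scheme words that say nothing about which family the file is.
GENERIC = {"trojan", "troj", "trojandownloader", "downloader", "agent",
           "win32", "js", "adware", "generic", "virus", "worm"}


def parse_report(text):
    """One dict per engine line; result is None when the engine reported '-'."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        engine, version, update, result = parts
        rows.append({"engine": engine, "version": version, "update": update,
                     "result": None if result == "-" else result})
    return rows


def detections(rows):
    return {r["engine"]: r["result"] for r in rows if r["result"]}


def detection_rate(rows):
    return len(detections(rows)), len(rows)


def missed_by(rows, deployed):
    """Engines from `deployed` (matched case-insensitively) that returned no detection."""
    wanted = {d.lower() for d in deployed}
    return sorted(r["engine"] for r in rows
                  if r["engine"].lower() in wanted and not r["result"])


def family_consensus(rows, min_engines=2):
    """Tokens that at least `min_engines` detection names share, after dropping
    generic words and one/two-letter variant suffixes."""
    counts = Counter()
    for result in detections(rows).values():
        tokens = {t for t in re.split(r"[^a-z0-9]+", result.lower())
                  if len(t) > 2 and t not in GENERIC}
        counts.update(tokens)
    return {tok: n for tok, n in counts.items() if n >= min_engines}


if __name__ == "__main__":
    rows = parse_report(REPORT)
    hit, total = detection_rate(rows)
    print(f"{hit}/{total} engines flagged the file")
    print("deployed engines that missed it:", missed_by(rows, ["Symantec", "McAfee", "F-Prot"]))
    print("family consensus:", family_consensus(rows))
```

The consensus step is deliberately crude: it only says which family word several vendors independently chose, which is enough to pick a name to search for in the other engines' write-ups, and it says nothing about the engines that returned nothing.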
Current thread:
- Unknown Malware found csdiv.dll Sven Carstens (Jun 29)
- Re: Unknown Malware found csdiv.dll Jim Halfpenny (Jun 29)
- Re: Unknown Malware found csdiv.dll Harlan Carvey (Jun 29)
- Re: Unknown Malware found csdiv.dll Harlan Carvey (Jun 29)
- Re: Unknown Malware found csdiv.dll Valdis . Kletnieks (Jun 29)
- Re: Unknown Malware found csdiv.dll Jordan Wiens (Jun 29)
- <Possible follow-ups>
- Re: Unknown Malware found csdiv.dll Sven Carstens (Jun 30)
- Re: Unknown Malware found csdiv.dll Jim Halfpenny (Jun 29)