[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Re: Unknown Malware found csdiv.dll
From:       H Carvey <keydet89 () yahoo ! com>
Date:       2004-07-01 12:26:08
Message-ID: 20040701122608.22031.qmail () www ! securityfocus ! com
[Download RAW message or body]

In-Reply-To: <200406301026.12115.sven.carstens@blinker-links.de>

Sven,

I'll have to admit...your responses certainly generate a lot of questions.  Please \
bear with me here while I try to get some idea of what you've got going on...

> So I started up sysinternals procexp.exe and autoruns.exe.
> There I found a bunch of different programs running that didn't belong there.

Didn't belong where?  Autoruns shows multiple locations...

> These were with varying names and locations within \windows and 
> \windows\system32.

Varying names...such as?  Many times, the name of the file pointed to by a Registry \
entry will give clues as to what it does.  Some malware drops a file on the system \
with a file name comprised of 8 random lower-case characters.  Not the definitive, of \
course, but a clue.

Also, in addition to procexp.exe (or perhaps instead of) I'd suggest that you run \
tlist.exe (from the MS Debugger Tools, *not* the RK) or cmdline.exe (DiamondCS) to \
get the command line used to launch each process.  This is usually more informative \
than simply the process name.

> Then I tried to install AdAware. This failed. So I first killed the suspicious 
> processes and then AdAware installed without failure.
> AdAware updated and detected the changes in the registry (res:\\ types for IE)

Hhhmmm...not sure where you got your understanding of the "res://" URI, but you might \
want to read this: http://support.microsoft.com/default.aspx?scid=kb;en-us;220830

The "res://" resource doesn't necessarily have a one-to-one relationship with \
"detected...changes in the registry".

Please understand...I'm not trying to find fault with anything you've done.  However, \
I do think that with a better understanding of the issues at hand, these sorts of \
things can be handled a little better in the future.

Harlan


[prev in list] [next in list] [prev in thread] [next in thread]