Re: Unknown Malware found csdiv.dll

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/29/04

    Date: Tue, 29 Jun 2004 08:16:57 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    Sven,

    I was wondering if you could provide a little more
    information that might help narrow this baddy down a
    bit...

    > a friend of mine caught a real pain-in-the-ass
    > piece of malware.

    Caught? You mean he just found the file?

    > As I didn't find any references to it via google,

    Not surprising, but thanks for saying that you looked.

    > I'm posting a link, so
    > the real experts out there have a new toy to play
    > with.
    >
    > Malware http://www.demoserver.de/csdiv.dll_malware
    >
    > The file itself is not found by AdAware. But it
    > seems after getting
    > started it drops some well known other parts which
    > are recognized and removed by AdAware.

    What are some of the "well known other parts", and how
    do you know that they're "dropped" by this DLL?

    > Anyway I didn't find the injection point in the
    > registry

    Where did you check, specifically? Did you check
    specific keys (if so, which ones?) or did you just
    search the Registry for the DLL name?

    > and searching all
    > files on disk for the dll name brought nothing at
    > all.

    Searching all files on disk? What does that mean?
    Did you look for the DLL name within files, or did you
    search for the file name itself?

    > What it found was some logfiles, dated on 2004-06-28
    > (same date as the dll).
    > These seem to be some installer logfiles.

    Could it be that the DLL was called by one of the EXE
    files mentioned in the logfile you posted? Did you
    happen to find those files, too?

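The two distinctions Harlan presses on above (searching for a file *named* csdiv.dll versus searching for the string "csdiv.dll" *inside* other files, and then asking which EXEs the installer logs that mention it refer to) can be shown with a small script. This is an added example, not part of either message in the thread. It writes a constructed sample tree to a temporary directory; the log contents, the paths, and the executable names inst441.exe and update.exe are made up for illustration and are not taken from the real logfile Sven posted.

```python
"""Added example (not from the thread): filename search vs. content search for a
DLL name, plus extraction of the executables named in any log that mentions it.
Every file written below is a constructed sample."""
import os
import re
import tempfile

DLL_NAME = "csdiv.dll"  # the name from the thread

# Constructed sample tree. The DLL itself is NOT present by name, but a
# hypothetical installer log refers to it and to two hypothetical EXEs.
SAMPLE_FILES = {
    "logs/setup_2004-06-28.log": (
        "2004-06-28 14:02:11 Extracting C:\\WINDOWS\\system32\\csdiv.dll\n"
        "2004-06-28 14:02:12 Running C:\\Temp\\inst441.exe /silent\n"
        "2004-06-28 14:02:15 Running C:\\Program Files\\Acme\\update.exe\n"
    ),
    "logs/unrelated.log": "2004-06-28 09:00:00 Backup completed\n",
    "bin/other.dll": b"MZ\x90\x00" + b"\x00" * 16,  # fake PE header, binary
    "docs/readme.txt": "Nothing to see here.\n",
}


def build_sample_tree(root):
    """Write the constructed files under `root`."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)


def _rel(path, root):
    # Normalise separators so results read the same on Windows and Unix.
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_by_filename(root, name):
    """Filename search: only files literally called `name` (case-insensitive).
    This is what a plain "search for files named csdiv.dll" does."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(_rel(os.path.join(dirpath, f), root))
    return sorted(hits)


def find_by_content(root, name):
    """Content search: files whose bytes contain `name`, whatever the file is
    called. Reads raw bytes so text logs and binaries are handled alike."""
    needle = name.lower().encode()
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                if needle in fh.read().lower():
                    hits.append(_rel(path, root))
    return sorted(hits)


# Basename of anything ending in .exe; we only want names to hunt for next.
EXE_RE = re.compile(r"\b([\w\-]+\.exe)\b", re.IGNORECASE)


def referenced_executables(root, name):
    """For each file that mentions `name`, list the .exe names it contains:
    the candidate callers Harlan asks about."""
    refs = {}
    for rel in find_by_content(root, name):
        with open(os.path.join(root, rel), "rb") as fh:
            text = fh.read().decode("latin-1")  # never fails on odd bytes
        exes = sorted({m.lower() for m in EXE_RE.findall(text)})
        if exes:
            refs[rel] = exes
    return refs


def run_demo():
    """Build the sample tree and return (by_name, by_content, refs)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return (find_by_filename(root, DLL_NAME),
                find_by_content(root, DLL_NAME),
                referenced_executables(root, DLL_NAME))


if __name__ == "__main__":
    by_name, by_content, refs = run_demo()
    print("by filename:", by_name)      # [] : nothing is *named* csdiv.dll
    print("by content :", by_content)   # the installer log mentions it
    print("exes in those files:", refs)
```

The point of the contrast is that the filename search comes back empty, exactly the "brought nothing at all" result in the thread, while the content search turns up the installer log, and from that log the script pulls out the executable names that are the next things to go looking for on the box.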