Re: New viral process: CSDATA32.EXE jams network traffic

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 10/25/04


Date: Mon, 25 Oct 2004 15:48:02 -0400

Sounds like a commercial where an employee's kid puts a worm on the LAN using dad's PC -
Cisco commercial ? :-)

Glad to hear that you have the LAN cleaned.

Now it's time to create a Security Doctrine protecting company assets in accordance with
employees who have notebooks. Not happy to hear NAV failed to protect it however.

Dave

"Keith" <keith@dummyaddress.com> wrote in message
news:lrafd.1806460$yk.296907@news.easynews.com...
| David:
| -
| Returned from my holiday now and yes, I have done as you suggested.
|
| AdAware turned up various malwares etc. not detected by Spykiller (Webroot)
| which is installed on several machines.
|
| The Trend Sysclean package found SIRCAM on our server (apparently protected
| by NAV Corporate 7.6, with daily updated definitions).
|
| 'Sysclean' failed to reveal the registry entries or executables of the
| WORM_WOOTBOT.AW infection - which I now understand is the source of the
| CSDATA32.EXE process - on any machine, perhaps because I had deleted the
| associated executable. Having disconnected all machines from the network,
| installed the software, scanned etc. and then one by one reconnected them,
| we found one immediately caused another outbreak, despite scanning clean
| with NAV 7.6 and Sysclean. This time the viral process was VGCNTFY.EXE,
| which is the result of W32.SpyBot worm (Symantec) infection. (I gather one
| of the boss's sons put Kazaa on his laptop - ... ARRGGG).
|
| We seem to be OK now; I am looking for a change of antivirus solution.
|
| Thanks
|
| Keith
|
|
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:OyOl2M6sEHA.2660@TK2MSFTNGP12.phx.gbl...
| > Did you perform what I asked ?
| > Have you ever heard of False Positives and False Negatives ?
| > I can't tell you how many times one AV package flags a file while another
| > has not.
| >
| > If you have NOT done what I asked, please do so.
| >
| > Dave
| >
| >
| >
| >
| > "Keith" <keith@dummyaddress.com> wrote in message
| > news:dqccd.2790475$ic1.287613@news.easynews.com...
| > | We have Symantec Antivirus Corporate 7.6 installed, and our definitions are
| > | up to date. This, and the fact that I cannot find a single reference to the
| > | viral executable suggest to me it is as yet undocumented.
| > |
| > | I had a major panic with it yesterday as with impeccable timing the effects
| > | of the infection hit the last working day before I am due to go on 1 week's
| > | holiday. I can't do anything now until return.
| > |
| > | Thanks for the feedback, everyone
| > |
| > | K
| > |
| > |
| > | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| > | news:urCRIU3sEHA.2516@TK2MSFTNGP11.phx.gbl...
| > | > 1) Download the following three items...
| > | >
| > | > Trend Sysclean Package
| > | > http://www.trendmicro.com/download/dcs.asp
| > | >
| > | > Latest Trend signature files.
| > | > http://www.trendmicro.com/download/pattern.asp
| > | >
| > | > Adaware SE (personal free version)
| > | > http://www.lavasoftusa.com/
| > | >
| > | > Create a directory.
| > | > On drive "C:\"
| > | > (e.g., "c:\New Folder")
| > | > or the desktop
| > | > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| > | >
| > | > Download sysclean.com and place it in that directory.
| > | > Download the signature files (pattern files) by obtaining the ZIP file.
| > | > For example; lpt202.zip
| > | >
| > | > Extract the contents of the ZIP file and place the contents in the same
| > | > directory as sysclean.com.
| > | >
| > | > 2) Update Adaware with the latest definitions.
| > | > 3) If you are using WinME or WinXP, disable System Restore
| > | > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > | > 4) Reboot your PC into Safe Mode
| > | > 5) Using both the Trend Sysclean utility and Adaware, perform a Full
| > | > Scan of your platform and clean/delete any infectors/parasites found.
| > | > (a few cycles may be needed)
| > | > 6) Restart your PC and perform a "final" Full Scan of your platform
| > | > using both the Trend Sysclean utility and Adaware
| > | > 7) If you are using WinME or WinXP, re-enable System Restore and
| > | > re-apply any System Restore preferences, (e.g. HD space to use suggested
| > | > 400 ~ 600MB),
| > | > 8) Reboot your PC.
| > | > 9) If you are using WinME or WinXP, create a new Restore point
| > | > 10) Please report back your results
| > | >
| > | > Dave
| > | >
| > | >
| > | >
| > | >
| > | >
| > | >
| > | > "Keith" <keith@dummyaddress.com> wrote in message
| > | > news:oV3cd.2762901$ic1.284269@news.easynews.com...
| > | > |
| > | > | I have just recovered our small network from what I believe is an as
| > | > | yet undocumented virus.
| > | > |
| > | > | Symptoms:
| > | > | Poor network performance.
| > | > | Jamming of internet access for the entire network when any infected
| > | > | machines are present on the network.
| > | > |
| > | > | Unknown process: CSDATA32.EXE appears in the Windows XP Task List.
| > | > | There may be multiple instances of the process, running under either
| > | > | or both the user and System accounts. Killing all instances restores
| > | > | normal functionality.
| > | > | (Processes under the System account have to be killed in Safe Mode).
| > | > |
| > | > | The executable will be found in %WinDir%\System32.
| > | > |
| > | > | I cannot find any references to this file on Symantec/Kaspersky etc.
| > | > | The only link I have found is this:
| > | > |
| > | > | http://forum.tiscali.nl/Forum11/HTML/000315.html
| > | > |
| > | > | in Dutch, and I cannot understand it.
| > | > |
| > | > | Who do you report this stuff to (I have kept a copy of csdata32.exe
| > | > | in a RAR archive for submission)?
| > | > |
| > | > | Keith P.
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
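As an added example (not code from this thread, nor from Trend, Lavasoft or Symantec), the Python script below turns Keith's symptom description into a repeatable check an admin can run over the whole LAN before reconnecting machines one by one: it parses `tasklist /V /FO CSV` output exported from each machine, counts instances of a given image name (case-insensitively, as Windows does), splits them by owning account, and flags hosts where a System-account instance exists, since those are the instances Keith notes can only be ended from Safe Mode. The host names, PIDs, account names and the dumps themselves are constructed; the column layout is assumed to match `tasklist /V /FO CSV`.

```python
"""Triage helper for the situation in this thread: find every instance of a
named image in `tasklist /V /FO CSV` dumps and separate the ones running as
the System account (which have to be ended from Safe Mode) from the ones
running as a logged-on user.

Added example, not code from the thread or from any tool it names. The
column layout is assumed to match `tasklist /V /FO CSV`; all sample data
below is constructed.
"""
import csv
import io
from collections import Counter

# Well-known service accounts. A copy of the image owned by one of these is
# the case the thread says needs Safe Mode rather than a live Task Manager kill.
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample dumps keyed by (hypothetical) host name.
SAMPLE_DUMPS = {
    "LAB-PC01": """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:12","N/A"
"explorer.exe","1304","Console","0","18,452 K","Running","LAB-PC01\\keith","0:00:31","Program Manager"
"CSDATA32.EXE","1620","Console","0","3,100 K","Running","LAB-PC01\\keith","0:01:05","N/A"
"csdata32.exe","1744","Console","0","3,088 K","Running","NT AUTHORITY\\SYSTEM","0:02:17","N/A"
"notepad.exe","1900","Console","0","2,560 K","Running","LAB-PC01\\keith","0:00:00","Untitled - Notepad"
""",
    "LAB-PC02": """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","240 K","Running","NT AUTHORITY\\SYSTEM","0:00:09","N/A"
"explorer.exe","1288","Console","0","17,900 K","Running","LAB-PC02\\anna","0:00:22","Program Manager"
""",
}


def parse_tasklist_csv(text):
    """Parse one `tasklist /V /FO CSV` dump into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_image(rows, image_name):
    """Rows whose Image Name equals image_name; Windows file names are
    case-insensitive, so the comparison is too."""
    wanted = image_name.casefold()
    return [r for r in rows if r["Image Name"].casefold() == wanted]


def triage_host(rows, image_name):
    """Summarise the instances of image_name on one host."""
    hits = find_image(rows, image_name)
    system_pids = sorted(int(r["PID"]) for r in hits
                         if r["User Name"].upper() in SYSTEM_ACCOUNTS)
    user_pids = sorted(int(r["PID"]) for r in hits
                       if r["User Name"].upper() not in SYSTEM_ACCOUNTS)
    return {
        "image": image_name,
        "instances": len(hits),
        "owners": dict(Counter(r["User Name"] for r in hits)),
        "system_pids": system_pids,
        "user_pids": user_pids,
        # System-account instances cannot be ended from the live session,
        # so the host needs to be taken off the LAN and cleaned in Safe Mode.
        "needs_safe_mode": bool(system_pids),
    }


def triage_fleet(dumps, image_name):
    """Run triage_host over {host: csv_text}; only hosts with hits are
    returned, so a clean fleet yields an empty dict."""
    results = {}
    for host, text in dumps.items():
        summary = triage_host(parse_tasklist_csv(text), image_name)
        if summary["instances"]:
            results[host] = summary
    return results


def format_report(results):
    """Human-readable report lines for the findings (returned, not printed)."""
    lines = []
    for host, s in sorted(results.items()):
        lines.append(f"{host}: {s['instances']} x {s['image']} "
                     f"(user PIDs {s['user_pids']}, System PIDs {s['system_pids']})")
        if s["needs_safe_mode"]:
            lines.append(f"  -> keep {host} off the LAN and clean it from Safe Mode")
    return lines


if __name__ == "__main__":
    for line in format_report(triage_fleet(SAMPLE_DUMPS, "csdata32.exe")):
        print(line)
```

The script deliberately only reports: ending the processes is the manual step the thread already describes, and a host with a System-account instance is better isolated and cleaned offline than live-killed and reconnected, which is exactly the step that caused Keith's second outbreak.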


