New viral process: CSDATA32.EXE jams network traffic

Discussion in 'Virus Information' started by Keith, Oct 16, 2004.

  1. Keith (Guest)

    I have just recovered our small network from what I believe is an as yet
    undocumented virus.

    Symptoms:
    Poor network performance.
    Jamming of internet access for the entire network when any infected machines
    are present on the network.

    Unknown process: CSDATA32.EXE appears in the Windows XP Task List. There may
    be multiple instances of the process, running under either or both the user
    and System accounts. Killing all instances restores normal functionality.
    (Processes under the System account have to be killed in Safe Mode).

    The executable will be found in %WinDir%\System32.

    I cannot find any references to this file on Symantec/Kaspersky etc. The only
    link I have found is this:

    http://forum.tiscali.nl/Forum11/HTML/000315.html

    in Dutch, and I cannot understand it.

    Who do you report this stuff to (I have kept a copy of csdata32.exe in a
    RAR archive for submission)?

    Keith P.
     
    Keith, Oct 16, 2004
    #1
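    The symptom described in this post (one infected host jamming internet access for
    the whole LAN) is what a propagating worm looks like from the network: one source
    opening connections to many distinct addresses in a short time. The following is an
    added example, not code from the original thread, that picks the noisy host out of a
    connection log instead of unplugging machines one by one. The log format (one line
    per connection attempt: ISO timestamp, source, destination, destination port), the
    addresses and the threshold are all constructed for the example; adapt parse_log()
    to your firewall or flow export. The heuristic ignores the destination port, so it
    does not depend on which service the worm targets.

```python
# Added example (not from the original thread): find the host that is
# "jamming" a LAN from a connection log. A propagating worm opens
# connections to many distinct addresses in a short window; ordinary
# hosts do not. Log format, addresses and threshold are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed sample traffic: two hosts doing normal things plus one
    infected host sweeping the /24, one attempt per address, ten per second."""
    lines = [
        "2004-10-15T09:00:01 192.168.1.20 192.168.1.1 53",
        "2004-10-15T09:00:02 192.168.1.20 10.0.0.5 80",
        "2004-10-15T09:00:03 192.168.1.21 192.168.1.1 53",
        "2004-10-15T09:00:04 192.168.1.21 192.168.1.20 445",
    ]
    base = datetime(2004, 10, 15, 9, 0, 5)
    for i in range(1, 62):
        if i == 37:  # the scanner does not target itself
            continue
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(
            f"{ts.isoformat(timespec='milliseconds')} 192.168.1.37 192.168.1.{i} 445"
        )
    return "\n".join(lines) + "\n"


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_scanners(records, window_seconds: int = 10, threshold: int = 20) -> dict:
    """Count distinct destinations per source in fixed windows measured from
    the first record. Return {src: peak_distinct_destinations} for every
    source whose peak reaches the threshold, noisiest first."""
    records = list(records)
    if not records:
        return {}
    t0 = min(r[0] for r in records)
    window = timedelta(seconds=window_seconds)
    seen = defaultdict(set)  # (src, window index) -> distinct destinations
    for ts, src, dst, _dport in records:
        seen[(src, (ts - t0) // window)].add(dst)
    peak = defaultdict(int)
    for (src, _bucket), dsts in seen.items():
        peak[src] = max(peak[src], len(dsts))
    flagged = {src: n for src, n in peak.items() if n >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for host, n in find_scanners(parse_log(build_sample_log())).items():
        print(f"{host}: {n} distinct destinations within 10 s - isolate and inspect")
```

    Run it against a real export and the flagged host is the one to pull off the
    switch first; a host that talks to two or three addresses in ten seconds is never
    flagged, so the threshold mostly needs raising only on busy servers or scanners
    you run yourself.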

  2. 1) Download the following three items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Adaware SE (personal free version)
    http://www.lavasoftusa.com/

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download sysclean.com and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt202.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    sysclean.com.

    2) Update Adaware with the latest definitions.
    3) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    4) Reboot your PC into Safe Mode
    5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
    platform and clean/delete any infectors/parasites found. (a few cycles may be
    needed)
    6) Restart your PC and perform a "final" Full Scan of your platform using both the
    Trend Sysclean utility and Adaware
    7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    8) Reboot your PC.
    9) If you are using WinME or WinXP, create a new Restore point
    10) Please report back your results

    Dave

    David H. Lipman, Oct 16, 2004
    #2

  3. Malke (Guest)

    Very interesting. Unfortunately, like you, I can't read Dutch either.
    You would submit the archive file to your antivirus company. There may
    be a link to do this from within the program itself, or from web
    access. Here's a link to Symantec's submittal process:

    http://www.sarc.com/avcenter/submit.html

    If you get an answer, it would be great if you'd post it here.

    Thanks,

    Malke
     
    Malke, Oct 16, 2004
    #3
  4. Br0wnbear (Guest)

    Keith

    Two places you can send this to.
    Your AV Provider for analysis.
    I also believe the spyware people would be interested in this.
    http://www.safer-networking.org/en/contact/detections.html
    I am not sure how well they share information.

    To get a better picture of what this cutie can do,
    sysinternals.com has some good free utilities to track things down,
    along with diamondcs.com Advanced Process Manipulation.

    The second product shows you what processes are running and what the
    links are to that process.


    hth
    John Brown
    "Bears have more fun, we hibern8 alot"
     
    Br0wnbear, Oct 16, 2004
    #4
  5. Keith (Guest)

    We have Symantec Antivirus Corporate 7.6 installed, and our definitions are
    up to date. This, and the fact that I cannot find a single reference to the
    viral executable, suggest to me it is as yet undocumented.

    I had a major panic with it yesterday as, with impeccable timing, the effects
    of the infection hit on the last working day before I am due to go on one week's
    holiday. I can't do anything now until I return.

    thanks for the feedback- everyone

    K
     
    Keith, Oct 16, 2004
    #5
  6. Did you perform what I asked?
    Have you ever heard of False Positives and False Negatives?
    I can't tell you how many times one AV package flags a file while another has not.

    If you have NOT done what I asked, please do so.

    Dave

    David H. Lipman, Oct 16, 2004
    #6
  7. The only info I found was this:
    O4 - HKCU\..\RunOnce: [Microsoft Data Machine] csdata32.exe
     
    jo, Oct 17, 2004
    #7
  8. Sorry, this is from HijackThis.
     
    jo, Oct 17, 2004
    #8
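    The HijackThis line quoted above carries the two details a responder would flag by
    hand: the value lives under RunOnce, a key Windows consumes at logon and that
    installers use for one-shot tasks, so a persistent entry there is being rewritten
    every time the malware runs; and the command is a bare file name with no path,
    which Windows resolves through its search order (the application directory, the
    system directories, then PATH), which is consistent with the file turning up in
    %WinDir%\System32. The following is an added example, not code from the thread or
    from HijackThis, that parses registry-backed O4 lines and scores them on exactly
    those heuristics. The sample log is constructed apart from the quoted RunOnce line,
    and the flag names and the list of look-alike words are this example's own.

```python
# Added example (not from the original thread or HijackThis): triage
# HijackThis "O4" autostart lines. Sample lines other than the quoted
# RunOnce entry, flag names and LOOKALIKE_WORDS are constructed here.
import re
from dataclasses import dataclass, field

# Registry-backed O4 lines: "O4 - <hive>\..\<Run key>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\"
    r"(?P<key>Run(?:Once|OnceEx|Services)?): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)

# Words malware likes to put in its display name to look like an OS component.
LOOKALIKE_WORDS = ("microsoft", "windows", "system", "update")

# Constructed sample log; the RunOnce line is the one posted in the thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKCU\..\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: desktop.ini
"""


@dataclass
class AutoStart:
    hive: str
    key: str
    name: str
    command: str
    image: str  # the executable part of the command, without arguments
    flags: list = field(default_factory=list)


def image_of(command: str) -> str:
    """Strip arguments (and surrounding quotes) from a Run value to get the image."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_o4(line: str):
    """Return an AutoStart for a registry-backed O4 line, None for anything else
    (Startup-folder O4 lines, other sections, blank lines)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutoStart(m["hive"], m["key"], m["name"], m["command"], image_of(m["command"]))


def assess(entry: AutoStart) -> AutoStart:
    """Attach heuristic flags; each is a reason to look closer, not proof."""
    if entry.key.startswith("RunOnce"):
        # One-shot key: a persistent entry here is being re-created at each run.
        entry.flags.append("runonce")
    if not any(sep in entry.image for sep in ("\\", "/", ":")):
        # No path: resolved via the search order, so it can hide in System32.
        entry.flags.append("bare-filename")
        if any(w in entry.name.lower() for w in LOOKALIKE_WORDS):
            # OS-sounding display name on a file with no fixed location.
            entry.flags.append("vendor-lookalike-name")
    return entry


def triage(log_text: str):
    """Parse every O4 line, score it, and return the most suspicious entries first."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e is not None]
    return sorted((assess(e) for e in entries), key=lambda e: -len(e.flags))


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LOG):
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.image}  flags={e.flags or '-'}")
```

    Feed it a whole HijackThis log and the entry with the most flags is the one to
    hash and submit to your AV vendor; an unflagged entry is not cleared by this, it
    simply has a fixed path and an ordinary key, which is where signature checks and
    vendor lookups take over.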
  9. AndyMac (Guest)

    I don't think it's anything new, probably Win32.RBOT.Worm
    http://castlecops.com/suweek.html

    Submit it to virustotal.com and you will probably see this in the results.

    AndyMac.
     
    AndyMac, Oct 20, 2004
    #9
  10. Keith (Guest)

    David:
    -
    Returned from my holiday now and yes, I have done as you suggested.

    AdAware turned up various malware etc. not detected by Spykiller (Webroot),
    which is installed on several machines.

    The Trend Sysclean package found SIRCAM on our server (apparently protected
    by NAV Corporate 7.6, with daily updated definitions).

    'Sysclean' failed to reveal the registry entries or executables of the
    WORM_WOOTBOT.AW infection - which I now understand is the source of the
    CSDATA32.EXE process - on any machine, perhaps because I had deleted the
    associated executable. Having disconnected all machines from the network,
    installed the software, scanned etc. and then one by one reconnected them,
    we found one immediately caused another outbreak, despite scanning clean
    with NAV 7.6 and Sysclean. This time the viral process was VGCNTFY.EXE,
    which is the result of W32.SpyBot worm (Symantec) infection. (I gather one
    of the boss's sons put Kazaa on his laptop - ... ARRGGG).

    We seem to be OK now, I am looking for a change of antivirus solution

    Thanks

    Keith
     
    Keith, Oct 25, 2004
    #10
  11. Sounds like a commercial where an employee's kid puts a worm on the LAN using dad's PC -
    Cisco commercial? :)

    Glad to hear that you have the LAN cleaned.

    Now it's time to create a Security Doctrine protecting company assets in accordance with
    employees who have notebooks. Not happy to hear NAV failed to protect it however.

    Dave

    David H. Lipman, Oct 25, 2004
    #11
