Pisnaz
Posted September 21, 2005

Hey all, I am looking for max distribution of this.

I have seen 4 of these attacks show up and am coming closer and closer to believing it is distributed through the internet/networks ala MSblast. From initial views (have not grabbed code yet) it appears to use the new.net tcp/ip layer as a payload contained in a virus of unknown form (trojan, worm etc).

Symptoms:
No resolution of dhcp settings (meaning it will not get an ip from the network but assign default ip range 169.x.x.x). On dial up it will allow connection and possibly a few sec of access, then dump. It can also be found through appearances of New.net errors on boot, and disabling of antivir programs.

Detection:
start/run winmsd
look under components/network/protocol for new.net tcp and udp entries (should be very top entry)

Removal:
start/run/cmd
netsh winsock reset [enter]
netsh int ip reset (c:\resetlog.txt)    ()=optional
restart
re-enable antivir prog if required, remove new.net.dll from startup (msconfig)

As I said, I have seen this in 4 systems already since Saturday, and know at least 2 were on an internal network behind a router, and it may have passed from one to another via lan.

Any questions, send me a mail. If anyone needs a removal tool I have one created and ready for deployment. It can be used with no adverse effects. The above guidelines have only been tested on win xp but I believe they will also work on win2k (winmsd will work). For 9x systems I recommend trying to grab an older copy of the winsock installer and go that route (ala old school).

Pisnaz
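For checking several machines at once, the detection step above can be run over saved Winsock catalog listings; this is an added example, not part of the original post and not the removal tool it mentions. It assumes each machine's listing was captured with `netsh winsock show catalog` (available on Windows XP SP2 and later); the sample text, the DLL path and the function names are constructed for illustration.

```python
# Constructed, trimmed sample of `netsh winsock show catalog` output.
# The entries and the DLL path are made up for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        new.net tcp
Provider Path:                      C:\placeholder\new.net.dll

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        new.net udp
Provider Path:                      C:\placeholder\new.net.dll

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
"""

def parse_catalog(text):
    """Return the Winsock catalog entries in the order netsh lists them."""
    records = []
    for line in text.splitlines():
        if line.strip().endswith("Provider Entry"):
            records.append({"kind": line.strip()})   # start of a new record
        elif ":" in line and records:
            key, _, value = line.partition(":")      # split at first colon only
            records[-1][key.strip()] = value.strip()
    # Name space providers are a separate list; keep transport providers only.
    return [r for r in records if r["kind"].startswith("Winsock Catalog")]

def triage(text, needle="new.net"):
    """Flag entries whose description or DLL path names new.net."""
    entries = parse_catalog(text)
    hits = [(pos, e.get("Description", ""), e.get("Provider Path", ""))
            for pos, e in enumerate(entries, start=1)
            if needle in (e.get("Description", "") + e.get("Provider Path", "")).lower()]
    return {"total": len(entries), "hits": hits}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty `hits` list on a listing captured after `netsh winsock reset` and a restart indicates the new.net entries are no longer in the catalog.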