Pisnaz

Just posted a topic that may help http://www.msfn.org/board/index.php?showtopic=56396

Hey all I am looking for max distrubution of this. I have seen 4 of these attacks show up and am coming closer and closer to believing it is distributed through the internet/networks ala MSblast. From initial views (have not grabbed code yet) it appears to use the new.net tcp/ip layer as a payload contained in a viri of unknown form (trogan, worm etc). Symptoms: No resolution of dhcp settings. (meaning it will not get an ip from the network but assign default ip range 169.x.x.x) On dial up will allow connection and possibly a few sec of access then dump. It also can be found through appearences of New.net errors on boot, and disabling of antivir programs. Detection: start/run winmsd look under components/network/protocol for new.net tcp and udp entries (should be very top entry) Removal: start/run/cmd netsh winsock reset [enter] netsh int ip reset (c:\resetlog.txt) ()=optional restart renable antivir prog if required, remove new.net.dll from startup (msconfig) As I said I have seen this in 4 systems already since Saturday, and know at least 2 were on an internal network behind a router and it may of passed from one to another via lan. Any questions send me a mail. If anyone needs a removal tool I have one created, and ready for deployment. It can be used with no adverse effects. The above guidelines have only been tested on win xp but i believe they will also work on win2k (winmsd will work). For 9x systems I reccemond trying to grab a older copy of the winsock installer and go that route (ala old school). Pisnaz

This is from way back in my memory but I believe when win XX systems see 2 network cards they default into a router type setup. I.E ICS. I use to do this before with my system and had major issues. You could try disabling the server and ICS services to see if it resolves the problem. I had it working but was only 1 system on a crossover and then to my modem. Pisnaz

G-day, Wow I totally missed this until I started googling but it can be done. This is exactally how I have my home system running. I use Sol (server optimized linux) it's pretty easy to use (xml config files:) and the latest ver has webmin already. To run to roaming profiles just do it through samba they have a wicked howto online and I have seen a few others out there also. google roaming pprofiles with samba. or look at samba.org. BTW win 2k03 is evil I personally feel. It has attempted to bring the server config/admin world to the mass market as opposed to the niche it was in before. I can get a sol system after installation up and doing basic server functions in about 20 min, without rebooting lol. I have found a tiny issue with samab on my system but am pretty sure it lies in config and lack of time. FYI I run 1 *nix server. *nix media server, 3 XP Machines and have random machines come through for repair. I use samba shares, and an ftp server (for thoose big file transfers). My server also runs apache, a TS server, UT server and whatever else I feel like throwing at it. Sorry I am late, hope it helps. Pisnaz