NDotNet

Type: Program
SubType:
Discovery Date: 05/11/2005
Minimum DAT: 4489 (05/11/2005)
Updated DAT: 4689 (02/03/2006)
Minimum Engine: 5.1.00
Description Added: 05/11/2005
Description Modified: 02/06/2006 6:27 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It integrates with the system's networking at a low level to resolve additional unofficial top-level domains (e.g. .shop, .xxx, .inc, .tech, .med, and others) which are controlled by New.net. A Browser Helper Object (BHO) is installed in Internet Explorer and a new provider is added into the Layered Service Provider (LSP) stack. This BHO-LSP combination intercepts requested URLs containing applicable top-level domains and maps the requests to the appropriate new.net subdomain. Default address bar searches and 404 "page not found" errors are redirected to http://find.reliableresults.info .

This application may display a license agreement when installed (in some instances, such as a bundled version of the Adware-Quickbar installer, no license agreement was shown). Although not observed during analysis, the agreement outlines both automatic upgrades and possible third party content or services being delivered via the software. The full text of the license agreement can be accessed on the author's website: http://www.new.net/policies_domaintc.tp#License .

Privacy

A privacy policy is not displayed during installation. Instead, a URL is listed in a short section under the "Privacy" heading in the license agreement. The full text of the policy can be accessed on the publisher's website via the provided URL: http://www.new.net/policies_domaintc.tp#Policy . Collection of non-personally identifiable data (aggregate error state and usage data, along with search keywords entered) is mentioned. No direct evidence of such collection was observed during analysis, though it could be collected via the reliableresults.info search and error redirects.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files


"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • Installer: download.exe (396 KB)
    MD5: 6FEAD881590D89D9583CFD95BD48D146
  • %SystemDir%\sporder.dll* (8 KB)
  • %WinDir%\ndnuninstall6_38.exe (49 KB)
    MD5: 77C92713297C1C8B4F4C01C170C2BA89
  • C:\program files\newdotnet\
  • C:\program files\newdotnet\uninstall6_38.exe (49 KB)
    MD5: 77C92713297C1C8B4F4C01C170C2BA89
  • C:\program files\newdotnet\readme.html (6 KB)
  • C:\program files\newdotnet\newdotnet6_38.dll (224 KB)
    MD5: B8D2EA737777A3313A3B6FA5251FDC72
  • C:\documents and settings\(username)\cookies\(username)@www.new[#].txt (1 KB)


Registry (most significant/high-level)

The following registry keys are created:

NOTE: The keys added under WinSock2\Parameters may vary in their numbering and/or values depending on the state of the LSP stack at the time of installation.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "StoresServiceClassInfo"="0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "Version"="393254"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "Enabled"="1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "SupportedNameSpace"="12"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "ProviderId"="60-80-5F-3B-E1-1A-D4-11-96-6F-00-E0-18-98-1B-9E"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "DisplayString"="New.net Name Space Provider"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "LibraryPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000019
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000018
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000017
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000016
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "StoresServiceClassInfo"="0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "Version"="393254"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "Enabled"="1"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "SupportedNameSpace"="12"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "ProviderId"="60-80-5F-3B-E1-1A-D4-11-96-6F-00-E0-18-98-1B-9E"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "DisplayString"="New.net Name Space Provider"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "LibraryPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
  • HKEY_LOCAL_MACHINE\SOFTWARE\New.net
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\
    Uninstall\New.net
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "New.net Startup"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
  • HKEY_CURRENT_USER\Software\New.net
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
    \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
  • HKEY_CLASSES_ROOT\Tldctl2.URLLink.1
  • HKEY_CLASSES_ROOT\Tldctl2.URLLink
  • HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
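
The BHO and Winsock namespace provider keys listed above lend themselves to a generic triage check. The following is an added example, not McAfee's detection logic: it goes beyond this one program by flagging any enabled namespace provider whose library sits outside the system directory and by listing every registered BHO CLSID. The listing format, the function names and the Tcpip baseline entry are assumptions made for the illustration.

```python
import re

# Constructed sample: a simplified registry listing (not a real export).
# The New.net values are the ones this page lists; the Tcpip entry is an
# assumed baseline provider added for contrast.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"DisplayString"="Tcpip"
"LibraryPath"="%SystemRoot%\System32\mswsock.dll"
"Enabled"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"DisplayString"="New.net Name Space Provider"
"LibraryPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
"Enabled"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]
'''

NSP_ENTRY = "\\namespace_catalog5\\catalog_entries\\"
BHO_ROOT = "\\explorer\\browser helper objects\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

def parse_listing(text):
    """Return {key: {value_name: data}} from '[key]' / '"name"="data"' lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def triage(keys):
    """Flag enabled namespace providers outside the system directory; list BHO CLSIDs."""
    findings = {"nsp_outside_system32": [], "bho_clsids": []}
    for key, values in keys.items():
        low = key.lower()
        if NSP_ENTRY in low and values.get("Enabled") == "1":
            # Assumption: %SystemRoot% expands to C:\WINDOWS on the examined host.
            lib = values.get("LibraryPath", "").lower().replace("%systemroot%", "c:\\windows")
            if not lib.startswith(SYSTEM_DIRS):
                findings["nsp_outside_system32"].append(
                    (values.get("DisplayString"), values.get("LibraryPath")))
        elif BHO_ROOT in low:
            findings["bho_clsids"].append(key.rsplit("\\", 1)[1])
    return findings
```

A provider outside the system directory is a lead for review rather than a verdict, since legitimately installed software can register one too; the CLSIDs returned can be compared against the one listed on this page.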


The following registry keys are modified:

NOTE: The keys modified under WinSock2\Parameters may vary in their numbering and/or values depending on the state of the LSP stack at the time of installation.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5
    "Num_Catalog_Entries"="4"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5
    "Serial_Access_Num"="5"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Num_Catalog_Entries"="19"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Next_Catalog_Entry_ID"="1034"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Serial_Access_Num"="14"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5
    "Num_Catalog_Entries"="4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5
    "Serial_Access_Num"="5"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Num_Catalog_Entries"="19"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Next_Catalog_Entry_ID"="1034"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Serial_Access_Num"="14"


Network Impact

Additional overhead in bandwidth due to communication with New.net servers for name resolution, automatic updates, or download of other third party content/services.

Aliases

    N/A