The new NewDotNet

  • Thread starter: plun
Hi Bill

Well, Ben Edelman's excellent page must also be read
by someone within the MSAS team.

If newdotnet is using a well-known "bug" or security hole in IE,
I would directly recommend removal of newdotnet.

And Ad-Aware will probably detect it soon, because Eric L. Howes is within
their sphere for advice as I understand it.

This is on the wrong side!

--
plun



It happens that Bill Sanderson formulated:
 
Hi Andy

Check Ben Edelman's review; everything is presented on how this
"pest" is distributed and installed.
 
Hey Plun

I've not checked out Ben Edelman's review of this, but I have installed it a few
times on my system as it's been around for a long time. Aurora was in this
bundle but got removed about a month ago. The site I used opens and installs
a file called wmplayer.exe.tmp into the Windows Media Player folder, then
there is a EULA shown for PacerD Media. If you choose No then it's not a
problem and will not install any junk, but if you choose Yes it starts the
bundled install. The next pop-up is for a browser enhancement where it's
already got a check in the box for Allow. The only option is "Close This
Window", so if you press that without first unchecking the box it installs
more junk on the system. (Pacimedia's bundle got removed off the site last
week but I suspect it will be back with a different bundle soon.)

There's a lot of problems in the bundle (Qoologic Trojan, Trojan Downloaders
(wintask.exe, exp.exe - MSAS identifies these as Navidad Worm but they are
Trojan Downloaders), Apropos, PacerD, SurfSideKick, SAHAgent, MediaAccess,
Elite and also a rootkit hiding files and folders on the system). newdotnet
isn't that bad compared to some of the stuff and can be removed using the
Add/Remove screen. I know a lot of this is installed without consent, but from
the site I used for testing it did display a EULA for PacerD (Pacimedia), so
clicking No is all it takes to stop the bundled install, along with unchecking the
box on the Browser Enhancement pop-up before closing that window.

MS Antispy does block the PacerDMedia install, so you would also have to
allow it on the red alert warning pop-up for it to be able to continue. Once
it's installed there are a lot of parts that aren't detected by MS Antispy, but
that's the same for Ewido, Spybot and Ad-Aware: they all miss parts of the
bundled installation, and parts will keep regenerating unless you use a few of
the scanners in safe mode and manually remove any remaining junk.
RootkitRevealer shows all the hidden files/folders and reg entries, and
removing the device that's hiding the files from the drivers folder in safe
mode will stop them running and make them all visible so they can then be
removed. Other files are only visible after Hidden Files and Folders are
enabled on the system.

A lot of the antispy vendors will not touch newdotnet (new.net). Spybot has it
on their default ignore list so it doesn't show in a scan, Ad-Aware removed it
in January, Spysweeper & Spyware Doctor also don't detect it, and MSAS has it
set to ignore. I think the main reason for this is because it will break the
LSP chain if not removed correctly, which results in no internet connection.
It's a lot easier to deal with new.net through the Add/Remove screen or even
using their own uninstaller, to avoid having to use LSPfix and rebuild
the Winsock stacks if the removal goes wrong.

As always it's best to refuse to allow installs of anything that's not needed,
especially when a EULA screen pops up from nowhere; the same goes for Browser
Enhancements. The browser works fine as it is, so I wouldn't consider up to 10
different infections much of an enhancement :)

Andy
 
Spyware Doctor and Ad-Aware do not even detect it.

I would hope that this default could be changed with the evidence of this
video, but I don't know what the process is for such a reconsideration.
 
I ... have installed it a few
times on my system as it's been around for a long time ...
The site I used opens and installs
a file called wmplayer.exe.tmp into the Windows Media Player folder, then
there is a EULA shown for PacerD Media. If you choose No then it's not a
problem and will not install any junk, but if you choose Yes it starts the
bundled install. The next pop-up is for a browser enhancement where it's
already got a check in the box for Allow. The only option is "Close This
Window", so if you press that without first unchecking the box it installs
more junk on the system.

This is in some respects consistent with what I observed. Your
wmplayer.exe.tmp sounds like the security exploit I saw. And as you say,
installation occurs if users (very reasonably) press Close This Window
without unchecking the **unlabeled** box. What would your mother, friend,
or roommate do if presented with such a prompt?!

But I have to disagree with your claim that a EULA is shown. *NEVER* have I
seen Pacimedia affirmatively show a EULA.

Pacimedia generally delivers its exploit and bogus installer (per above)
about 10-30 seconds after an ActiveX installation attempt. The ActiveX
installation attempt does *link* to a EULA. But it doesn't "show" a EULA.
And in any event, at most sites that try to install PacerD, it would be a
tall order for a user to figure out that the EULA linked from the ActiveX is
in fact the EULA that (purportedly) also governs the software paradoxically
installed by the "Close This Window" dialog box.

In short: Users who press "Close This Window" have **not** seen a EULA, and
such users do not indicate any intention to install software or agree to any
EULA.

At least that's what I've repeatedly seen from PacerD, and that's what I
show in my video at http://www.benedelman.org/news/100505-1.html .


Ben Edelman
 
Wow... this should be required reading for everyone that comes to these newsgroups
with a newly loaded anti-spyware application and a big problem already
installed. Thanks for that work, Ben. Eye-opening to say the least. Now when
will MSAS stop ignoring this exploit?
Let's see if I can fix the link:

http://www.benedelman.org/news/100505-1.html

-- Regards, Dave
 
Hi Ben

I wasn't referring to your experience with this or trying to disagree with
your comment in any way, as I've not yet checked out your video or site about
this, but just thought I'd share my experience with this bundle, including the
kernel-level driver by Apropos that's hiding files and folders in normal mode.

The site I was getting this bundle from for the past couple of months did
run the wmplayer.exe.tmp but always displayed a EULA before showing the
browser enhancement pop-up. It also displayed one for eXact, and they would be
shown when you pressed any pages, included with a lot of other pop-ups for
DealBar and other junk. I fully agree most users would go for the Close This
Window button on the enhancement without realizing the box is checked to
allow the install.

I was just referring to what happens on that wallpaper site I used, but I
appreciate they are scum and will trick users in any way they can. Even though
they did show a EULA for PacerD, they didn't give info on all the other
problems like Elite, SSK, Qoologic, MediaAccess, Trojan Downloaders, New.net
etc., so I wouldn't try to defend them. The Pacimedia bundles got pulled from
that wallpaper site on the 8th of this month, and it was only showing eXact last
time I checked, without the wmplayer file, and I assumed they were just
changing the bundle. But with you saying they don't display the EULA on the
sites from your video, maybe they are moving to continue with the silent
installs, as I can't see many people clicking OK on the EULA when it just
pops up from nowhere.

Keep up the great work

Regards

Andy
 