
Adware.NDotNet

Updated: February 13, 2007 11:43:39 AM
Type: Adware
Version: 3.8
Publisher: NewDotNet
Risk Impact: Low
File Names: Newdotnet3_88.dkk, Nnezt388.exe, NDNuninstall6_38.exe, tldctl2.inf, tldctl2.ocx, newdotnet6_38.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.NDotNet is installed, it performs the following actions:
  1. Creates the folder %ProgramFiles%\NewDotNet, and copies files into it.

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the value:

    "New.net Startup" = "rundll32 C:\Progra~1\Newdot~1\Newdot~1.dll, NewDotNetStartup"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
    HKEY_LOCAL_MACHINE\SOFTWARE\New.net
    HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c.1
    HKEY_CLASSES_ROOT\Tldctl2.URLLink
    HKEY_CLASSES_ROOT\Tldctl2.URLLink.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD521A1D-1F98-11D4-9676-00E018981B9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tldctl2.ocx

  4. Modifies the following registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

    to ensure that the risk is used whenever the Internet is accessed.

  5. Attempts to automatically update itself.
  6. Adds the following files:

    %UserProfile%\DESKTOP\Get 100, 000 Emoticons!.url
    %UserProfile%\DESKTOP\Sherv.NET - Animated Emoticons, Winks, Display Pics and more!.url
    %UserProfile%\Favorites\Get 100, 000 Emoticons!.url
    %UserProfile%\Favorites\Sherv.NET - Animated Emoticons, Winks, Display Pics and more!.url
    %UserProfile%\Favorites\Free Weather Toolbar and Smileys!.url
    %UserProfile%\Favorites\Get 100, 000 Smileys and Emoticons.url
    %UserProfile%\Favorites\Sherv.NET - MSN Emoticons, Display Pics, Winks, and lots more!.url
    %UserProfile%\Favorites\Free Weather Toolbar adn Smileys!.url
    %UserProfile%\Start Menu\Get 100, 000 Smileys and Emoticons.url

    Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).


    Notes:
    • Adware.NDotNet runs as a Browser Helper Object, which means that the adware component receives information regarding all the actions inside Internet Explorer. This Browser Helper Object requires Internet Explorer 4.0 or later to function.
    • This adware component appears to track Internet usage habits, but without using any identification parameters. It does not appear to track personally identifiable information.
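
The registry changes listed above can be checked offline against a registry export. The following is an added example, not part of the original write-up or any vendor tool: it parses regedit export text and reports the Run value, the Browser Helper Object key, and any Winsock catalog entry whose provider DLL path matches. Assumptions: the function names, the `newdot` substring match, the sample data, and the catalog value layout (`PackedCatalogItem` beginning with the provider DLL path, `LibraryPath` as a string value), which is general Windows knowledge rather than something the page states.

```python
import re

# Indicators taken from the write-up above.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEY, RUN_VALUE = CV + r"\Run", "New.net Startup"
BHO_KEY = CV + r"\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}"
WINSOCK = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
DLL_HINT = "newdot"  # assumption: substring shared by the DLL names listed on the page

def parse_reg(text):
    """Parse regedit export text into {lowercased key: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join hex continuation lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            current[m[1]] = m[2]
    return keys

def provider_path(raw):
    """Decode the NUL-terminated DLL path at the start of a PackedCatalogItem."""
    data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return data.split(b"\0", 1)[0].decode("ascii", "replace")

def find_indicators(text):
    """Return (kind, location, detail) tuples for each indicator found."""
    keys, hits = parse_reg(text), []
    if RUN_VALUE in keys.get(RUN_KEY.lower(), {}):
        hits.append(("run", RUN_VALUE, keys[RUN_KEY.lower()][RUN_VALUE]))
    if BHO_KEY.lower() in keys:
        hits.append(("bho", BHO_KEY, ""))
    for key, values in keys.items():
        if key.startswith(WINSOCK.lower()):
            raw = values.get("PackedCatalogItem")  # Protocol_Catalog9 entries
            path = provider_path(raw) if raw else values.get("LibraryPath", "")
            if DLL_HINT in path.lower():
                hits.append(("winsock", key.rsplit("\\", 1)[-1], path))
    return hits

def sample_entry(num, dll):  # build one constructed Protocol_Catalog9 entry in .reg syntax
    data = ",".join(f"{b:02x}" for b in dll.encode() + b"\0\0")
    return f'[{WINSOCK}\\Protocol_Catalog9\\Catalog_Entries\\{num}]\n"PackedCatalogItem"=hex:{data}'

# Constructed sample export: the Run value plus one clean and one hijacked catalog entry.
SAMPLE = "\n".join([
    f"[{RUN_KEY}]",
    r'"New.net Startup"="rundll32 C:\\Progra~1\\Newdot~1\\Newdot~1.dll, NewDotNetStartup"',
    sample_entry("000000000001", r"%SystemRoot%\system32\mswsock.dll"),
    sample_entry("000000000012", r"C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL")])
```

Exports written by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file before passing its text to `find_indicators`.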

