Description

NewDotNet is a plugin for Windows that makes subdomains of new.net act as new top-level domains without changing the normal domain name resolution (DNS) servers.

NewDotNet comprises a Winsock2 Layered Service Provider (LSP) that makes the extra top-level domains visible, and an Internet Explorer Browser Helper Object (BHO) that redirects searches from the browser’s address bar to NewDotNet’s search engines at qsrch.com and the popup-filled search.findsall.info. The BHO also downloads updates from its controlling server at client.new.tech (aka client.new.tech.new.net) or upgrade.new.tech (upgrade.new.tech.new.net, upgrade.newdotnet.net).

Variants

NewDotNet/A is used as a classification for the older variants from the earliest known release 2.29 up to 3.36. In this variant the program files are stored in the Windows folder and there is no uninstall option.

The filename used by NewDotNet/A varies according to the exact installed version. The following filenames have been observed:

newdotnet2_29.dll newdotnet2_32.dll newdotnet2_78.dll
newdotnet2_84.dll newdotnet2_90.dll newdotnet2_91.dll
newdotnet2_92.dll newdotnet2_98.dll newdotnet2_109.dll
newdotnet3_10.dll newdotnet3_14.dll newdotnet3_15.dll
newdotnet3_20.dll newdotnet3_21.dll newdotnet3_22.dll
newdotnet3_23.dll newdotnet3_36.dll

NewDotNet/B refers to versions from 3.70 onwards (released around the beginning of 2002). The ActiveX class ID is changed, the files are stored in the folder ‘NewDotNet’ in the Program Files folder, and there should usually be an uninstall option.

Filenames seen in use by NewDotNet/B include:

newdotnet3_70.dll newdotnet3_88.dll newdotnet4_34.dll
newdotnet4_50.dll newdotnet4_80.dll newdotnet4_85.dll
newdotnet4_88.dll newdotnet5_20.dll newdotnet5_40.dll
newdotnet5_48.dll newdotnet5_64.dll newdotnet6_10.dll
newdotnet6_22.dll newdotnet6_30.dll newdotnet6_34.dll
newdotnet6_38.dll

NewDotNet/FirstLook was a pop-up opening promotional tool for the new.net-owned site firstlook.com, distributed for a short period of time in 2002 by NewDotNet’s update feature. Following complaints the software was removed, but for a while a replacement inactive version and uninstaller firstlook.exe was distributed.

NewDotNet/QuickSearch/v1 is a simple search toolbar targeted at quick.qsrch.com. NewDotNet/QuickSearch/v3 adds a popup-blocking feature. NewDotNet/QuickSearch is included with NewDotNet bundles from May 2004 onwards. It is stored in its own Program Files folder ‘QuickSearch’; filenames seen in use include:

QuickSearchBar1_27.dll QuickSearchBar3_28.dll QuickSearchBar3_30.dll

Distribution

A very large range of software installs New.Net, including RealOne, AudioGalaxy, Kazaa, iMesh, Grokster, NeoNapster, BearShare, Babylon, Radlight and the FavoriteMan parasite.

What it does

Advertising

No, except for the withdrawn FirstLook variant.

Privacy violation

No.

Security issues

Yes. The new.net software downloads and silently executes arbitrary code from its controlling servers, as an update feature.

The QuickSearch variant also has a self-updating feature but initially prompts the user before installing.

Stability problems

Later versions of NewDotNet/A — at least versions 3.15 to 3.23 — regularly cause crashes in rundll32.exe. This seems to be fixed in NewDotNet/B.

Because NewDotNet is a Winsock2 LSP, removing it improperly will result in loss of internet connectivity.

Removal

Open the Control Panel’s Add/Remove Programs list and use the entries for ‘New.net domains’ (B variant), ‘FirstLook’ (FirstLook variant) and ‘QuickSearch Toolbar’ (QuickSearch variant).

If these options are unavailable, try looking in the Windows folder and the Program Files\NewDotNet folder for an uninstaller. NewDotNet/B typically leaves uninstaller files here. There may be more than one; if so, try the uninstaller with the highest version number in its name.

Manual removal

A and B variants

Manual removal is quite involved and easily botched, resulting in a loss of network connection. Be very careful.

Before the newdotnet[version number].dll file can be deleted, it must be removed from the Winsock2 LSP chain. CounterExploitation’s tool LSPFix can do this for you. Download it, run it and tell it to Remove newdotnetN_NN.dll and Keep everything else.

[LSP removal can also be done by hand as a last resort but it’s very easy to get wrong. Instructions for the brave: open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters. Open the subkey NameSpace_Catalog5\Catalog_Entries and check each subkey’s LibraryPath value on the right. If it points to newdotnetN_NN.dll, delete that subkey. Renumber the remaining subkeys so that they are contiguous (i.e. 000000000001, 000000000002 etc. with no gaps) and set the Num_Catalog_Entries value inside the NameSpace_Catalog5 key to the highest number reached. Next do the same for Protocol_Catalog9\Catalog_Entries. Remove subkeys where the PackedCatalogItem value, when opened, has the full file path of newdotnetN_NN.dll at the start; don’t be fooled by entries that merely have the name ‘newdotnet’ scattered about the value. Often the subkeys involved are the first two and last two. Renumber the subkeys contiguously and set the Num_Catalog_Entries value in Protocol_Catalog9 to the same number (decimal, not hexadecimal) as the last entry.]
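The Protocol_Catalog9 steps above, worked as a dry-run planner. This is an added example, not part of the original page or of LSPFix; it assumes each PackedCatalogItem begins with a NUL-terminated ANSI path, and the sample catalog and helper names are constructed. It only computes a plan and never touches the registry.

```python
import re

# DLL names as listed on this page (e.g. newdotnet3_22.dll) at the end of a path.
NEWDOTNET_DLL = re.compile(r"(?:^|[\\/])newdotnet\d+_\d+\.dll$", re.IGNORECASE)

def leading_path(packed: bytes) -> str:
    """Path at the start of a PackedCatalogItem (assumed NUL-terminated ANSI)."""
    return packed.split(b"\x00", 1)[0].decode("latin-1")

def plan_cleanup(entries: dict) -> dict:
    """Take {subkey name: PackedCatalogItem bytes} and return a removal plan."""
    delete, rename, kept = [], {}, 0
    for name in sorted(entries):
        if NEWDOTNET_DLL.search(leading_path(entries[name])):
            delete.append(name)        # provider path itself is the NewDotNet DLL
            continue
        kept += 1
        new_name = f"{kept:012d}"      # contiguous 12-digit subkey names
        if new_name != name:
            rename[name] = new_name
    # Apply deletes first, then renames in ascending order so targets are free.
    return {"delete": delete, "rename": rename, "num_catalog_entries": kept}

def _packed(path: str, tail: str) -> bytes:
    """Constructed stand-in for a real value: padded path, then wide-char text."""
    return path.encode("latin-1").ljust(260, b"\x00") + tail.encode("utf-16-le")

# Constructed sample: NewDotNet occupies the first two and last two slots.
NDN = r"C:\WINDOWS\newdotnet3_22.dll"
MS = r"%SystemRoot%\system32\mswsock.dll"
SAMPLE = {
    "000000000001": _packed(NDN, "NewDotNet over [MSAFD Tcpip [TCP/IP]]"),
    "000000000002": _packed(NDN, "NewDotNet over [MSAFD Tcpip [UDP/IP]]"),
    "000000000003": _packed(MS, "MSAFD Tcpip [TCP/IP]"),
    # Decoy: mentions NewDotNet later in the value, but the path is mswsock.dll.
    "000000000004": _packed(MS, "MSAFD Tcpip [UDP/IP] (was under NewDotNet)"),
    "000000000005": _packed(NDN, "NewDotNet"),
    "000000000006": _packed(NDN, "NewDotNet"),
}

if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE)
    print("delete:", plan["delete"])
    print("rename:", plan["rename"])
    print("Num_Catalog_Entries (decimal):", plan["num_catalog_entries"])
```
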

Having now removed the LSP, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and delete the subkey ‘{DD770A75-CE18-11D5-98D8-00E018981B9E}’ (A variant) or ‘{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}’ (B variant).

B variant

Now you must delete the entry NewDotNet uses to regenerate itself on startup. NewDotNet protects this entry, so to delete it, restart the computer in Safe Mode (hammer F8 during start-up, just before Windows starts to load, then choose Safe Mode from the menu) and open the registry. Select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and, on the right, delete the entry ‘New.net startup’ pointing to rundll32.

A and B variants

Now restart the computer normally and you should be able to delete the NewDotNet folder (B variant) or the newdotnet DLL in the Windows directory (A variant). You can also delete the registry keys HKEY_LOCAL_MACHINE\Software\new.net and HKEY_CURRENT_USER\Software\New.net to clean up if you like, along with HKEY_CLASSES_ROOT\Tldctl2.URLLink[.1] and HKEY_CLASSES_ROOT\CLSID\{DD770A75-CE18-11D5-98D8-00E018981B9E} (A variant) or HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} (B variant).

FirstLook variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry ‘FirstLook’ pointing to firstlook.exe. Restart the computer and you should be able to delete the FirstLook folder in Program Files.

QuickSearch variant

First, find the filename for the current version of QuickSearch. Open the QuickSearch folder inside the Program Files folder and look for the highest-numbered file.

Open a Command Prompt window (click Start, open the Programs menu, Accessories submenu; called ‘DOS Prompt’ on Windows 95/98/Me) and type the following commands:

cd %WinDir%\System
regsvr32 /u "\Program Files\QuickSearch\QuickSearchBarN_NN.dll"

Replace N_NN with the version number you saw. You may also need to adjust this command for non-English Windows versions where the Program Files folder is not called ‘Program Files’.

Restart the computer and you should be able to delete the QuickSearch folder.
