It has finally happened: last night I was infected with the net.net virus. I was searching some forums, not sure which ones, and out of nowhere Java errors started exploding on my screen while images were loading. That is usually never a good sign and I knew something was up. I closed my browsers and opened Task Manager and saw some oddly named processes. Then a popup notice appeared saying “Windows defender” was deactivated… also not a good sign. I then turned to “msconfig” to see if any new items had been added to my startup. I saw “net” was now in my startup programs. I then went into my “system32” folder and sorted by date to look for any files that had been created within the past few minutes. I saw a program by the name of “net.net” along with a dll file named “ernal32.dll” (notice the missing “k”) plus an executable file whose name appeared to be randomly generated, and all were created within the same time frame, a minute apart, and very recently. I immediately moved the files to a different location and renamed them; just in case by some chance they were system files, I didn’t just want to delete them. I then removed the “net” from startup and rebooted. After reboot no new files were created.
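The manual check described above (sort a system folder by creation date, look for files dropped a minute apart, and spot a name that imitates a real system DLL) can be scripted. This is an added example, not part of the original post; the function names, thresholds, the short list of known DLLs and the sample timestamps are assumptions made for illustration.

```python
import os
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Small illustrative subset of real system DLL names (extend for real use).
KNOWN = ("kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll")

def lookalike_of(name, known=KNOWN, threshold=0.8):
    """Return the system file that `name` closely imitates, or None."""
    name = name.lower()
    if name in known:
        return None
    def score(candidate):
        return SequenceMatcher(None, name, candidate).ratio()
    best = max(known, key=score)
    return best if score(best) >= threshold else None

def creation_bursts(entries, now, recent=timedelta(minutes=30), gap=timedelta(minutes=2)):
    """Group recently created files whose creation times are at most `gap` apart."""
    fresh = sorted((e for e in entries if now - e[1] <= recent), key=lambda e: e[1])
    bursts, current = [], []
    for entry in fresh:
        if current and entry[1] - current[-1][1] > gap:
            if len(current) > 1:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) > 1:
        bursts.append(current)
    return [[name for name, _ in b] for b in bursts]

def list_dir(path):
    """(name, creation time) per file; falls back to st_ctime without st_birthtime."""
    out = []
    for e in os.scandir(path):
        st = e.stat()
        out.append((e.name, datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))))
    return out

def triage(entries, now):
    """Report creation bursts and names that imitate known system files."""
    hits = {n: lookalike_of(n) for n, _ in entries}
    return {"bursts": creation_bursts(entries, now),
            "lookalikes": {n: k for n, k in hits.items() if k}}

# Constructed sample modelled on the post; the random-looking name is made up.
NOW = datetime(2010, 1, 5, 22, 30)
SAMPLE = [("kernel32.dll", datetime(2009, 7, 14, 1, 0)), ("notes.txt", datetime(2010, 1, 5, 22, 1)),
          ("net.net", datetime(2010, 1, 5, 22, 14)), ("ernal32.dll", datetime(2010, 1, 5, 22, 15)),
          ("qxzvbn.exe", datetime(2010, 1, 5, 22, 16))]
```

On a live machine, `triage(list_dir(path), datetime.now())` runs the same checks against a real folder.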
Now before I go any further let me explain that I did not have an antivirus installed… I know… I know. Even my wife gave me crap about it. I did have Trend installed at one point but then it expired and I upgraded my laptop to Win7 and just never got around to it, and again I know, not an excuse. Well so I then proceeded to attempt to go and download “Microsoft Security Essentials”. I have actually heard some pretty decent things about it and thought I would give it a try, but when going to the download page I would get an II7 error saying the file did not exist. Umm… ok, that wouldn’t be the first time I had problems downloading something from Microsoft, so I went to Trend Micro and tried to use their online scan tool called Housecall. After downloading I tried to install it but then received some odd errors. I then tried to install Spybot and that too failed, saying that the site could not be contacted. At this point I knew something was very wrong and even though I removed the virus, at least I thought so, something was still not right. I checked my host file to see if any changes were made and found that intact but saw a new ICS file had been created. Because I was short on time and didn’t want to deal with it all at that point, I did a system restore because I had no idea what else could have been changed in my system files. Luckily I had a restore point from the night before and I made no changes since then so I knew it would be ok to restore to that point. After the restore I was “magically” able to download and install “Microsoft Security Essentials”. I scanned my laptop and found one virus and cleaned it out. I did also run “Housecall” from Trend Micro which showed no infections.
What was probably the most disturbing about this was that besides going to a webpage (a legit web dev forum) there was no other interaction needed for this virus to do its work. Most of the time I see people with popups or some other request for interaction. This required none of that. Even though I have seen it before, this is the first time I have had this happen to me, so my lesson has been learned. It doesn’t matter if you’re vigilant and careful when surfing the web or not, if you don’t have an antivirus installed you’re at risk.
If you need more detail than what I provide on removing “net.net” you can find it everywhere… just Google it. But if you have a restore point then use that, followed by a full system scan with a reputable antivirus. I chose “Microsoft Security Essentials” simply because it is free and even MS critics have nothing bad to say about it. Additionally you may want to use a free scanning service like Trend’s “Housecall” for a second opinion. I have always been a big fan of Spybot as well, for spyware though, not viruses.