Has anybody come across spyware/malware called XNET666?

I am having a problem with the DNS server on my network (single server running 2003 Standard). The DNS server appears to be running perfectly, but when I try to access the console I get an error saying that I cannot connect.

To cut a long story short I have raised a Microsoft support call on this issue and they asked me to send them a netmon trace. They came back to me and said the netmon trace contained a reference to a website called XNET666 and they believe there is some spyware or possibly a Denial of Service application being run from our server.

Now, I have run an Ad-Aware scan, a Microsoft AntiSpyware scan, a McAfee VirusScan 8 full system scan, and a full registry and file search, and can't find any reference to XNET666. I have also had a look on the internet, and the few websites that mention it are all in German.

So, here are my questions:

1. Does anybody know anything about XNET666, what it does and how you get rid of it?

2. Can anyone recommend any anti-spyware/malware programs (either free or commercial) which may be more effective than the two which I have tried?

Hope you can help

Cheers

Andy
Asked by: metamatic
3 Solutions
r-k commented:
I am not familiar with that specific problem, but you should be able to detect it with standard techniques. Here is what I suggest:

Download Autoruns.exe from:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

When you run it, it shows a bunch of things that start automatically. Open the "View" menu and select everything from "Show Appinit Dlls" to "Hide Microsoft Entries", then select Refresh and it will give you a new list of startups.

Examine that list carefully for anything suspicious. If you are sure, you can un-check the box next to it and reboot, then verify that it is still un-checked.

If you are not sure about what is suspicious, you can use File -> Save As... to save the list to a text file and cut and paste it here so others can give you an opinion.

Good luck.
 
kneH commented:
Never heard of it.

But as for most adware... I suggest giving HijackThis a go.
It might point you towards the problem.

www.hijackthis.de

Also, if you are connecting to that website it should show up when you run
netstat -a
in a DOS prompt.

Lastly, your firewall might be of assistance. If anything is going anywhere, it should report it. Try removing all programs in the firewall and reboot the server.
Multiple programs should ask if they can connect. Examine those before passing them.
 
computerfixins commented:
Sounds like you were playing with IRC :) I could be wrong, but xnet666 sounds like a botnet program...

I'd start with the freeware stuff first.

1. First I'd try some packet sniffing: http://www.ethereal.com/
2. Then maybe some process exploring: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
3. If you find the offending file/files, use BartPE to remove them if you can't remove them normally: http://www.nu2.nu/pebuilder/


What port/ports is it going out on, and going to? What IPs? What is it sending?

You can always circumvent the problem by adding the line 127.0.0.1 XNET666.com to your hosts file.

What's the complete URL or IP it's going out to: XNET666.com or XNET666.ro, etc.?

Here's some info on the URL if it's .com... doesn't look promising. You can also try sending an email to the DNS register to make sure the URL is not hijacked, etc. :)

Registration Service Provided By: Registerfly.com
Contact: support@registerflysupport.com
Visit: http://www.RegisterFly.com
      
Domain name: XNET666.COM

Registrant Contact:
   DeadMan
   Huslr NoLastName (hussla666@hotmail.com)
   +1.6666666666
   Fax:
   666DeadRoad
   Horrors, - 66666
   IQ

Admin
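One way to make the netstat check suggested above repeatable, as an added example that is not part of any post in this thread: a Python script that parses Windows netstat output (constructed sample embedded; not a real capture), keeps only established connections to hosts outside RFC 1918/loopback space, and marks those on IRC ports, following the botnet hint in the last answer. The IRC port list and the "internal" ranges are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not from the original post);
# TEST-NET addresses stand in for real foreign hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.25:1045      ESTABLISHED
  TCP    192.168.1.10:1187      198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.10:1190      203.0.113.9:80         ESTABLISHED
  UDP    192.168.1.10:53        *:*
"""

# Ports conventionally used by IRC servers; a DNS server should hold no sessions there.
IRC_PORTS = set(range(6660, 6670)) | {7000}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # RFC 1918, loopback, unspecified
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/32")]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per connection row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        fhost, _, fport = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "foreign_host": fhost,
                     "foreign_port": int(fport) if fport.isdigit() else None,
                     "state": state or ""})
    return rows

def is_external(host):
    """True for an IPv4 address outside INTERNAL_NETS ('*' and IPv6 literals -> False)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in INTERNAL_NETS)

def suspicious_connections(text, flagged_ports=IRC_PORTS):
    """Established connections to external hosts, with IRC-port hits marked."""
    hits = []
    for row in parse_netstat(text):
        if row["state"] == "ESTABLISHED" and is_external(row["foreign_host"]):
            row["irc_port"] = row["foreign_port"] in flagged_ports
            hits.append(row)
    return hits
```

Feed it the saved output of netstat -an from the affected server; any hit on an IRC port is the connection to trace back to its owning process with Process Explorer.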
 
metamatic (Author) commented:
Thanks for the input, folks.

It turned out that it was due to a PC on the network being infected with a variant of the rbot worm. Once I cleaned it off everything was fine.
