New infection "Network Control" - what we know, how to stop it early

Last Modified: 2013-11-08
We got hit today by a new infection that presents itself as a program called "Network Control".
My wife was astute enough to ask before trusting new stuff so I caught it early.

Since nowhere else on the web seems to have seen it yet, I'm
capturing the facts for the next poor infectee...

What happens:
Pop-up
Claims it's trying to protect you from untrusted IP trying to install Zeus
grays out the screen
prevents task manager from launching
blanks start button
also:
Drops a folder called "c:\Network Control" with a single nc.exe file.
Inserts itself into startup registry entry
drops a file in the user's tree:  AppData\Local\Temp\0.6107574751685283.exe
(numbers may vary)
and drops a file on user desktop a.bat that deletes the file from the temp folder, then itself

REMEDIATION (IF you don't activate it by clicking on it):
Ctrl-Alt-Del and you can switch user to kill the process.
You could probably also shut down.
Don't reboot, he's already loaded to be there first thing.

If you have no alternate login, try booting from a bootable CD like ERD or UBCD4win and
deleting the "C:\Network Control" folder.
MAYBE could fix from safe mode... I'm not trying that; include a response if you try it.

All that'll only work if you catch it
before the user clicks on the big green "Block Installation" button
which no doubt throws open the gates and welcomes all the malware you can carry.

Graphic included in attached jpg file.

REMEDIATION (If you activate it by clicking on it):
I haven't gone that far, don't intend to.  
If someone else does, they'll respond with answer.



Complete Text of Popup Window
=======================================
"Network Control" (with shield icon matching Microsoft's)
Remote software installation
Don't allow access unless you clearly understand what you are doing
Your computer has received a request from the IP 195.3.129.107 to install Zeus software
Two Buttons:  Block installation and Allow installation

Under "More Information" it shows:
For your safety Network Control blocks actions initiated from not-trusted IP's.
Network Control is an addition, not a substitution to IP blocking software.  
If you keep receiving such warnings, it means that  your computer has
been chosen as victim by a group of scammers.  In this case you must
activate an IP blocking applicatoin, or install it in case it is not installed.
=====================================

a.bat file dropped on desktop:
=====================================
@echo off
:delcycle
del "C:\Users\USERNA~1\AppData\Local\Temp\0.6107574751685283.exe"
if exist "C:\Users\USERNA~1\AppData\Local\Temp\0.6107574751685283.exe" goto delcycle
del "a.bat"
=====================================

The same temp folder had a timestamp match on AdobeARM.log and java_install_reg.log.
The Java file is uninteresting, but:

AdobeARM.log:
============================
[2010-07-28 16:32:18] Adobe ARM 1.4.5.0 logging started.
[2010-07-28 16:32:18] Command Line: /PRODUCT:Reader /VERSION:9.0 /MODE:2
[2010-07-28 16:32:18] ProductCode: {AC76BA86-7AD7-1033-7B44-A93000000001}
[2010-07-28 16:32:18] ProductName: Adobe Reader 9.3.3
[2010-07-28 16:32:18] ProductVersion: 9.3.3
[2010-07-28 16:32:18] ProductRegistry: SOFTWARE\Adobe\Acrobat Reader\9.0
[2010-07-28 16:32:18] ProductInstallDir: C:\Program Files\Adobe\Reader 9.0\
[2010-07-28 16:32:18] Found CommandLine preference AUTO_DOWNLOAD.
[2010-07-28 16:32:30] ArmUpdate record found.
[2010-07-28 16:32:30] Newer version ARM Update is not available.
[2010-07-28 16:32:30] No updates in Manifest for current product configuration.
[2010-07-28 16:32:30] InitSession produced no files, change state to NO Updates
[2010-07-28 16:32:30] ARM returns ERROR_SUCCESS
[2010-07-28 16:32:30] Adobe ARM 1.4.5.0 logging finished.
============================

ProductCode: {AC76BA86-7AD7-1033-7B44-A93000000001}
was scattered throughout the registry, all associated with Adobe products.


I'll post further information as it becomes available


[Attached image: what the popup window looks like in the Network Control infection]
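A triage script that checks a machine for the indicators listed in this post, added here as an example and not the poster's own code. It assumes the standard Run keys are the "startup registry entry" the post mentions and that profiles live under C:\Users; the temp dropper is matched by the 0.<digits>.exe naming pattern since the post says the digits vary.

```powershell
# Added triage check for the "Network Control" indicators described in this post.
# Run from an elevated PowerShell session on the suspect machine.
$findings = @()

# 1. Dropped folder and payload: C:\Network Control\nc.exe (from the post)
$ncExe = Join-Path (Join-Path $env:SystemDrive 'Network Control') 'nc.exe'
if (Test-Path $ncExe) {
    $findings += "Payload present: $ncExe"
}

# 2. Per-user artifacts, checked for every profile under C:\Users (assumed profile root)
foreach ($profile in Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory) {
    # Temp dropper named like 0.<digits>.exe; the post notes the digits vary
    $tmp = Join-Path $profile.FullName 'AppData\Local\Temp'
    if (Test-Path $tmp) {
        Get-ChildItem -Path $tmp -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^0\.\d+\.exe$' } |
            ForEach-Object { $findings += "Temp dropper: $($_.FullName)" }
    }
    # Self-deleting a.bat left on the desktop
    $bat = Join-Path $profile.FullName 'Desktop\a.bat'
    if (Test-Path $bat) {
        $findings += "Desktop cleanup script: $bat"
    }
}

# 3. Startup persistence. The post only says "startup registry entry"; checking the
#    standard Run keys below is an assumption about where it was placed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match 'Network Control|\\nc\.exe') {
            $findings += "Run key entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Network Control indicators found.' } else { $findings }
```

HKCU only reflects the user running the script; to check other users' Run keys, load their NTUSER.DAT hives first.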