Malicious Attack... Windows registry??

Hi all,

yesterday I ran into an interesting issue with around 100 PCs in my network.

PCs could access all internal resources, however they could not browse to external sites at all. To make a long story short....we called Microsoft and found out that the registry parameters for TCP/IP were changed...the TTL value was set to 10.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)

After deleting this key and rebooting the PCs problem solved. Microsoft Tier3 never seem this before(according to the tech).

Anyway seem this before? Tx

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Kaminsky

Either you got a sh*t hot knowledable virus writer or you have a new boy configuring the PCs.

Put my money on rogue netcard driver installation software.

How the hell did they diagnose HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)

opers13

Kaminsky wrote:

Either you got a sh*t hot knowledable virus writer or you have a new boy configuring the PCs.

Put my money on rogue netcard driver installation software.

How the hell did they diagnose HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)

We have scanned the PCs with McAfee, Symantec and Trend...no virus. We use SMS and nothing got pushed to the PCs.

What do you mean by "rogue netcard driver installation software"????

Microsoft compared the bad tcp/ip and dhcp registry keys to working keys.