
Kill Network Traffic In Windows That Admin Tools Don’t Catch

One of the keys to fixing problems with PCs is knowing to look in the less obvious places. One such example occurred when a user’s computer was on the network yet was unable to transfer data or use the Internet – while still appearing connected by every obvious cue. I was somewhat perplexed until I found the answer. The method described here can, in certain cases, disable a network interface entirely while still maintaining the ‘connected’ state, and conventional admin tools will fail to show why in most cases.

A warning, though: if you do this, you may render the network interface of your computer unusable and, even worse, not know how to get it back. Tread lightly here.

The Trick
Key to this is setting the MAC Address of the computer’s Network Card to all zeros. One of the many ways to reach the network card’s settings in Windows:

1. Using the keyboard type Windows + R to open the Run… window

2. In the run window type: ncpa.cpl to open the network interfaces

3. Right click on the interface you want to affect and click Properties, then click on the Configure… button

4. You should now be in the adapter’s configuration window – look for “Network Address”, “Address” or perhaps “MAC Address”. Not all drivers expose this option, and some still won’t allow the change. Set the Value to twelve zeros, i.e. 000000000000. It looks like this:

This option is abused by malware when the virus does the following:
1. Get the GUID of the network adapter (found by normal means with a net config rdr)
2. With the GUID (such as 3DFD1264-7795-46A9-9DCA-FF65FFBE1784) find that GUID under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class in the registry
3. Modify the “NetworkAddress” entry in the resulting subkey
All of these steps are easily carried out by a Windows program that enumerates and manipulates the registry.

A reboot may be necessary, but the resulting effect on the network interface is that either no packets travel to the switch/router or they are outright rejected. Even more troubling, Windows XP/Vista/7 does not notify the user that such an unusual MAC address has been set on the interface.
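Since Windows gives no notification, an administrator has to go looking for the override. The following PowerShell audit is an added example, not code from the original post: it walks the adapter driver subkeys under the standard network adapter class GUID {4D36E972-E325-11CE-BFC1-08002BE10318} (an assumption that the page’s Control\Class lookup lands there), lists every NetworkAddress override together with the adapter’s DriverDesc and NetCfgInstanceId, flags the twelve-zeros value, and previews the cleanup with -WhatIf.

```powershell
# Added example (not from the original post): audit NetworkAddress overrides
# under the network adapter class key and flag the all-zeros value described above.
# Assumptions: {4D36E972-...} is the Windows network adapter class GUID, and each
# driver instance subkey (0000, 0001, ...) carries DriverDesc / NetCfgInstanceId.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-MacOverride {
    # Only the four-digit instance subkeys hold adapter settings; "Properties" is ACL-protected.
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # A NetworkAddress value only exists when someone overrode the burned-in MAC.
            if ($null -ne $props.NetworkAddress -and $props.NetworkAddress -ne '') {
                $hex = $props.NetworkAddress -replace '[^0-9A-Fa-f]', ''
                [pscustomobject]@{
                    Subkey         = $_.PSChildName
                    Adapter        = $props.DriverDesc
                    InstanceGuid   = $props.NetCfgInstanceId
                    NetworkAddress = $props.NetworkAddress
                    AllZeros       = ($hex -match '^0{12}$')
                }
            }
        }
}

$overrides = @(Get-MacOverride)
if ($overrides.Count -eq 0) {
    'No NetworkAddress overrides found under the network adapter class key.'
} else {
    $overrides | Format-Table -AutoSize
}

# Remediation: deleting the override is the registry equivalent of setting the
# UI value back to "Not Present". -WhatIf only previews; drop it to apply, then
# disable/enable the adapter (or reboot) so the driver re-reads the burned-in MAC.
foreach ($o in ($overrides | Where-Object { $_.AllZeros })) {
    Remove-ItemProperty -Path "$classKey\$($o.Subkey)" -Name 'NetworkAddress' -WhatIf
}
```

Run it from an elevated PowerShell prompt, since the driver subkeys are only writable (and some only readable) as administrator.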

Returning the interface
To get things back to the factory-set MAC Address, simply follow the above steps and set the NetworkAddress value in the Network Interface’s properties to “Not Present” and the card will revert. If doing this in the registry, deleting the NetworkAddress key and value (or just the string of zeros) has the same effect.