NETBUS

WHAT IS NETBUS?

Netbus is a trojan.
Netbus is a remote administration hack tool which can be used to control other computers, with Netbus Server installed, through the Internet or a network. The hacker must have the Netbus Client installed.
It is important to be aware of the fact that the file PATCH.EXE, which is the server part of the program, may have another name. It is the person who sends the file who decides the name (e.g. setup.exe, icq_upda.exe, games.exe). The file will however be referred to as PATCH.EXE in this document.
Netbus will run on Windows 95/98 and Windows NT.
Netbus allows a hacker to access the host computer through TCP/IP. The Netbus Server program can be distributed as any executable file, and once "logged on" to your machine the intruder can:
Open/close the CD-ROM once or in intervals (specified in seconds).
Show optional image. If no full path of the image is given it will look for it in the Patch-directory. The supported image formats are BMP and JPG.
Swap mouse buttons: the right mouse button gets the left mouse button's functions and vice versa.
Start optional application.
Play optional sound-file. If no full path of the sound-file is given it will look for it in the Patch-directory. The supported sound-format is WAV.
Point the mouse to optional coordinates. The intruder can even navigate the mouse on the target computer with his/her own!
Show a message dialog on the screen. The answer is always sent back to the intruder!
Shutdown the system, log off the user etc.
Go to an optional URL with the default web-browser.
Send keystrokes to the active application on the target computer! The text in the field "Message/text" will be inserted in the application that has focus. ("|" represents enter).
Listen for keystrokes and send them back to the intruder!
Get a screendump!
Return information about the target computer.
Upload any file to the target computer! With this feature it will be possible to remotely update Patch with a new version.
Increase and decrease the sound-volume.
Record sounds that the microphone catches. The sound is sent back to the intruder!
Make click sounds every time a key is pressed!
Download and delete any file from the target. The intruder chooses which file to download/delete in a view that represents the hard disks on the target!
Keys (letters) on the keyboard can be disabled.
Password protection management.
Show, kill and focus windows on the system.
Indications of infections
The Netbus server program must be run on your computer before you are vulnerable to intrusion. The program can reside in any .exe file, which you can get by mail, by downloading from an insecure site on the Internet, from a file on a diskette or from the company network and server(s).
The server program installs itself in the Windows directory and puts the following strings in the registry:
HKEY_CURRENT_USER\PATCH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Netbus v 1.60)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Netbus Server Pro (Netbus v 2.0)
You cannot see the program in the task list or close-program list, but it starts every time Windows is started.
When the server program (Netbus v 1.60) is installed on your computer you will find the files PATCH.EXE (the server part, approximately 470 kb in size) and KEYHOOK.DLL (which PATCH.EXE extracts from within itself). You will find the files in the \WINDOWS\SYSTEM directory (if using Win95/98) or the \WINNT\SYSTEM32 directory (if using WinNT).
If you have Netbus v 2.0 the files are PATCH.EXE (approximately 624 kb) and NBHELP.DLL and you will find the files in the directory where PATCH.EXE was started.
Netbus v 1.6 uses the TCP ports 12345 and 12346. It listens on port 12345 for a remote client and responds via port 12346. It will respond to a Telnet connection on port 12345 with its name and version number. Netbus v 2.0 uses the TCP port 20034 as default.
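As an added example (not part of the original advisory), the indicators above can be checked together against evidence collected from one machine: `netstat -an` output, a regedit text export, and a listing of the directory the page names for that version. The sample inputs are constructed, and the function and variable names are this example's own.

```python
import re

# Indicators as listed on the page. The page does not say whether the last
# element of each registry path is a key or a value, so both are accepted.
PORTS = {12345: "NetBus 1.60 listener", 12346: "NetBus 1.60 reply port",
         20034: "NetBus 2.0 default port"}
DLLS = {"keyhook.dll": "NetBus 1.60", "nbhelp.dll": "NetBus 2.0"}
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN = CV + r"\run"
REG_IOCS = (("hkey_current_user", "patch"), (CV + r"\runservices", "netbus server pro"))

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from `netstat -an` output."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]) for f in rows
            if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING"}

def parse_reg(reg_export):
    """Map each lower-cased key path in a regedit text export to its values."""
    keys, current = {}, {}
    for line in map(str.strip, reg_export.splitlines()):
        m = re.match(r'"(.+?)"="(.*)"$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m:
            current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def triage(netstat_text, reg_export, dir_listing):
    """Return (findings, run_commands). Run commands are returned for manual
    review because the sender may have renamed the server file."""
    reg = parse_reg(reg_export)
    hits = [f"port {p}: {PORTS[p]}"
            for p in sorted(listening_ports(netstat_text) & PORTS.keys())]
    hits += [f"registry: {parent}\\{leaf}" for parent, leaf in REG_IOCS
             if f"{parent}\\{leaf}" in reg or leaf in reg.get(parent, {})]
    present = {name.lower() for name in dir_listing}
    hits += [f"file {d}: {v} companion DLL" for d, v in DLLS.items() if d in present]
    return hits, sorted(reg.get(RUN, {}).values())

# Constructed sample evidence from one host (not real captures).
NETSTAT = """  TCP    0.0.0.0:139      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:12345    0.0.0.0:0    LISTENING
  TCP    10.0.0.5:1029    10.0.0.9:80  ESTABLISHED"""
REG = r'''REGEDIT4
[HKEY_CURRENT_USER\PATCH]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"games"="C:\\WINDOWS\\SYSTEM\\games.exe"'''
FILES = ["KEYHOOK.DLL", "games.exe", "user.exe"]
```

A port hit on its own is weak evidence, since 20034 is only the v 2.0 default; treat a host as suspect when a port, registry or file indicator appears alongside an unexplained Run command.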
How do I remove Netbus from my PC?
The program BoDetect (Windows 95/98 and Windows NT) detects and removes Trojans. It removes the widespread Trojan programs Back Orifice and Netbus. Go to the trojans page to get BoDetect.
If you are an experienced user you may follow these steps to manually remove Netbus.
Click START|RUN
Type REGEDIT and hit ENTER
In the left window, go to the following key by clicking the "+" sign:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right window, look for a key that indicates that "patch.exe" is run. (NB! The file may be renamed. Please use caution.)
Delete the key
Exit the Registry
Click START|RUN
Type C:\WINNT\SYSTEM32\PATCH.EXE /REMOVE (if using WinNT) or C:\WINDOWS\SYSTEM\PATCH.EXE /REMOVE (if using Win95/98)
In Explorer, remove the file Patch.exe and keyhook.dll from the WINNT\SYSTEM32 directory or the WINDOWS\SYSTEM directory.
Variants: Netbus v 1.2, Netbus v 1.53, Netbus v 1.60, Netbus v 1.70, Netbus v 2.0.
See also: BACKDOOR Trojan Horse Viruses.