INTERNET SECURITY

[ EN ] Sorry for my poor English! | Turkish Version of the Page

What are net-trojans?

A net-trojan is a program designed to hide itself inside a target host so that the person who installed it can access the system later without normal authorization or vulnerability exploitation. Nowadays two trojans are seen frequently: "Back Orifice (BO)" and "NetBus". I will explain these trojans below.

What can net-trojans do?

Once installed, it allows anyone who knows the listening port number and the trojan password to remotely control the host. Intruders access the trojan server using either a text-based or a graphical client. The server allows intruders to execute commands, list files, start silent services, share directories, upload and download files, manipulate the registry, kill processes and list processes, as well as other options, all without your permission.

How can we find and remove net-trojans?

If you have no experience with Registry Editor, please get help from someone!
First, copy the USER.DAT and SYSTEM.DAT files from the Windows directory to another directory for safety.

Finding and Removing Back Orifice (BO) Trojan
The BO server does several things as it installs itself on a target host:
* Installs a copy of the BO server in the system directory (c:\windows\system), either as " .exe" or under a user-specified file name.
* Creates a registry key under
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   holding the server's file name, with a description field of either "(Default)" or a user-specified description.

Remove Steps:
1. Start the registry editor program (c:\windows\regedit.exe).
2. Access the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
3. If you find a key description of " .EXE", delete it immediately.
4. Restart Windows. (This way the trojan cannot be activated.)
5. Start Windows Explorer and go to the Windows\System directory. Find the executable file with a blank name,
    which looks like " .EXE", and delete the file. (File length: approximately 122 kBytes)
6. Find and remove the WINDLL.DLL file in the same directory.
7. Congratulations! You have removed the BO trojan.

You may see different executable names here. If you want to check this and search for probable trojan files, do this: open the Start\Find\Files and Directories menu, set the search directory to "c:\windows\system", go to the advanced search and type "bofile" as the search text. If any file is found, write down the file name(s). Then find the file(s) in the registry key above and delete both the registry entry and the file.

Finding and Removing NetBus Trojan
The NetBus server does several things as it installs itself on a target host:
* Installs a copy of the NetBus server in the Windows directory (c:\windows), either as "patch.exe" or
* Creates a registry key under
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   holding the server's file name, with a description field of either "(Default)" or a user-specified description.

Remove Steps:
1. Start the registry editor program (c:\windows\regedit.exe).
2. Access the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
3. If you find a key description of "PATCH.EXE", delete it immediately.
4. Restart Windows. (This way the trojan cannot be activated.)
5. Start Windows Explorer and go to the Windows directory. Find the PATCH.EXE file and delete it.
    (File length: 4?? kBytes)
6. Congratulations! You have removed the NetBus trojan.

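Both removal procedures above come down to the same check: look in the RunServices key for a value whose data is the blank " .exe" name (Back Orifice) or patch.exe (NetBus). The script below is an added example, not part of the original page, that runs that check over a regedit "Export Registry File" text; the export content is constructed here for the demonstration.

```python
import re
# Key the page tells you to inspect for the trojan's autostart entry
RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample of a regedit "Export Registry File" (REGEDIT4 format);
# the " .exe" and PATCH.EXE entries are planted here for the demonstration.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
@=" .exe"
"Patch"="C:\\WINDOWS\\PATCH.EXE /nomsg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

def parse_reg(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 text export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'(@|"[^"]*")="(.*)"$', line)
            if m:
                name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
                # .reg exports double every backslash; undo that for matching
                keys[current][name] = m.group(2).replace("\\\\", "\\")
    return keys

def classify(command):
    """Map a RunServices command line to a reason string, or None if clean."""
    exe = command.split(" /", 1)[0]            # drop switches such as " /nomsg"
    base = exe.rsplit("\\", 1)[-1]             # file name without directory
    stem, _, ext = base.rpartition(".")
    if ext.lower() == "exe" and stem.strip() == "":
        return "blank file name (Back Orifice default)"
    if base.lower() == "patch.exe":
        return "patch.exe (NetBus default)"
    return None

def find_suspicious(text):
    """Return [(value_name, data, reason)] for RunServices entries matching the page's indicators."""
    hits = []
    for name, data in parse_reg(text).get(RUNSERVICES, {}).items():
        reason = classify(data)
        if reason:
            hits.append((name, data, reason))
    return hits
```

Entries under other autostart keys (such as Run) are deliberately ignored, matching the page's instruction to look only in RunServices.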
NOW, CHANGE ALL YOUR NET PASSWORDS! Someone may be using your net passwords!

How can we protect against net attacks?

I recommend updating Winsock to the newest version from Microsoft's official site.
If you use Windows 95, upgrade it to Windows 98, which is safer than Windows 95.
DO NOT RUN SUSPICIOUS FILES!
DO NOT DOWNLOAD FILES FROM SUSPICIOUS SITES!

Copyright ©1998 TA2CNC, Naci KUCUKKAYA