NETBUS

Saturday, 13 December 2008

NetBus Pro 2.0 is the second most popular Trojan horse program available to the public (Sub7 is #1). A program you download from the internet may be infected with NetBus.

Increased activity on TCP port 12345 -- best known as both the NetBus Trojan's default port and the port used for a Trend Micro antivirus product -- has the security community arguing as to who is responsible.

This is not a virus, but it is considered to be a trojan. It is also quite widespread and is used frequently to steal data and delete files on people's machines. It allows a hacker to access data and gain control over some Windows functions on a remote computer system. This tool has client and server parts.

The server part is installed on the remote system that is to be accessed. Version 1.60 of the NetBus server is a Windows PE file named PATCH.EXE. On execution the server part installs itself into the Windows directory, and it will be executed automatically at the next Windows startup.

It can be an exe installer of itself, OR it can be hidden inside a REAL setup.exe, usually planted there by someone entirely separate from whoever released the actual program. TROJ_NETBUS is the client component of the whole backdoor package and TROJ_SYSEDIT is the server component. The server component is used to infect a target computer, and the client component is used to control a computer running the server component.



However, unlike other backdoor trojans, this backdoor package is not complete without the KEYHOOK.DLL file (TROJ_NTBUS.54272) running in the infected system. The server part takes steps to protect itself from being removed from the system: it hides its process name in the Windows Task Manager and denies access to its file when an attempt is made to delete or rename it.

NetBus is not a virus, but it is considered to be a trojan. When the server part is run with the '/noadd' command-line switch, it will not be started every time Windows starts. When the '/remove' switch is passed to the server part, it removes itself from the system.

The client part allows the operator to control the remote computer system where the server part is installed and activated. The client part has a dialog interface which allows the operator to perform tricks (some of them really nasty) on the remote system and to receive/send data, text and other information.



It is easier to use than Back Orifice and connects over TCP port 20034, which is mostly blocked by firewalls. Main window (screenshot). Very hacker friendly. In fact, you don't have to be a hacker at all to figure this out! (That was the idea behind it: designed to be used by anyone, on anyone.)

It is more than a prankster toy. It offers much the same features as NetBus, but is a bit more flexible when it comes to editing the server program, and offers a slightly larger collection of destructive commands.

Below is a partial list of what this trojan (Netbus) can do:

  • Monitor ALL of your online activity (purchases, chat, mail)
  • Listen for keystrokes on remote system and save them to file
  • Get a screenshot from remote computer
  • Delete ANY of your files
  • Return information about the target computer
  • Record your Keystrokes (on and off-line)
  • Open/Close your CD-ROM drive
  • Print Documents
  • Make click sounds every time a key is pressed
  • Navigate you to unwanted and offensive web sites
  • Edit your Registry
  • Block certain keys on the remote system keyboard
  • Redirect incoming connections
  • Change Volume
  • Change Desktop wallpaper
  • Play sound files
  • Turn off the speakers
  • Password-protection management of the remote server
  • Show, kill and focus windows on remote system

Some of the more publicised trojans are picked up by virus checkers (NetBus and Back Orifice, for example), but there are thousands that aren't and never will be.

How it loads, where it hides

It will usually load from the registry. The registry key commonly used by this malware is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The previous versions of the server editor were much like the current server editor: they were meant to hide the server and perform destructive tasks.
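The two indicators the post gives a defender to work with are the default listening ports (TCP 12345 and 20034) and the RunServices autostart entry pointing at the server file (PATCH.EXE). The script below is an added example, not code from the original page or from any antivirus vendor named in it: it triages a constructed snippet of `netstat -an` output and a constructed `.reg` export of the RunServices key, and it keeps the caveat the post makes about port 12345 also being used by a Trend Micro product by reporting that port as "needs confirmation" rather than as a verdict. Sample lines, value names and paths are constructed for this example.

```python
"""Defender-side triage for the NetBus indicators named in the post.

Added example (not the page's own code). Inputs are constructed text in the
format of `netstat -an` and of a `reg export` of the RunServices key.
"""
import re

# Default TCP ports the post associates with NetBus.
NETBUS_PORTS = {12345, 20034}
# The post notes TCP 12345 is also used by a Trend Micro product, so a
# listener on that port alone is a lead, not proof of infection.
AMBIGUOUS_PORTS = {12345}
# Server file name the post gives for NetBus 1.60.
SERVER_FILENAMES = {"patch.exe"}
# Autostart key the post says the server uses.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12345     192.168.1.77:1052      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed `.reg` export; value names and paths are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SysTray"="C:\\WINDOWS\\System32\\systray.exe"
"Patch"="C:\\WINDOWS\\patch.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\patch.exe"
'''

REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_netstat_line(line):
    """Return (proto, local_port, state) for a TCP/UDP row, else None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
        return None  # header, blank line or anything else
    port = parts[1].rsplit(":", 1)[-1]  # works for 0.0.0.0:135 and [::]:135
    if not port.isdigit():
        return None
    state = parts[3].upper() if len(parts) > 3 else ""
    return parts[0].upper(), int(port), state


def find_suspicious_sockets(netstat_text):
    """List (port, state, confidence) for TCP sockets on NetBus default ports.

    LISTENING means the server may be installed; ESTABLISHED on the same local
    port means a client is currently connected to it.
    """
    hits = []
    for line in netstat_text.splitlines():
        parsed = parse_netstat_line(line)
        if parsed is None:
            continue
        proto, port, state = parsed
        if proto != "TCP" or port not in NETBUS_PORTS:
            continue
        if state not in ("LISTENING", "ESTABLISHED"):
            continue
        confidence = "needs confirmation" if port in AMBIGUOUS_PORTS else "likely"
        hits.append((port, state, confidence))
    return hits


def find_suspicious_run_entries(reg_text):
    """List (value_name, command) for RunServices values whose executable
    matches a server file name from the post. Only that key is inspected;
    values under other keys in the export are ignored. Handles unquoted paths
    only, which is the form the sample uses."""
    hits = []
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNSERVICES_KEY.lower()
            continue
        if not in_key:
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, command = m.groups()
        command = command.replace("\\\\", "\\")  # undo .reg backslash escaping
        exe = command.split()[0].rsplit("\\", 1)[-1].lower()
        if exe in SERVER_FILENAMES:
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sockets(SAMPLE_NETSTAT):
        print("socket:", hit)
    for hit in find_suspicious_run_entries(SAMPLE_REG):
        print("autostart:", hit)
```

Run on the constructed samples it reports the listener on 20034 as likely, the two sockets on 12345 as needing confirmation (the post's Trend Micro caveat), and the RunServices value that launches patch.exe; the similarly named value under the plain Run key is deliberately left out because the post ties this server to RunServices. On a real host the two inputs would be the output of `netstat -an` and of `reg export` of that key.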

Warning: To users who have been scanned, either by our webpage scanner or by our IRC bot, and were told they are infected: please keep in mind that trojan loggers such as Jammer, AntiBO and the like are designed to trick potential hackers into thinking you are infected. This has the same effect on our scanners.

If you are running such a program to log trojan connection attempts, then our scans may be seeing that, and not a trojan. For a true reading, please shut down the software and perform the scan again; after getting true results, re-enable your trojan logger. You can remove this trojan manually from your computer. However, manual removal involves altering the Windows Registry.





This program was designed as a remote admin tool more than as a hacker's tool; however, it is still possible to hide the server on a victim's computer and use it for abuse. The main difference between 2.1 and 2.0 is features, not the way it tries to hide. The removal is therefore similar, with only slight differences.

WARNING: Before making ANY changes to your system's registry, you should back up your registry (using the Export command in the Registry menu), and do not edit or delete anything other than what is recommended here. To do this you will need to use a program called RegEdit. You can go to the Run command in your Start menu and type regedit there to start the program.
