Description
To purge Backdoor.Netbus from your computer, you need to delete the files associated with this trojan.
The impacts of Trojans can range from the benign to the extreme. In addition, some malicious software offers the option of using UDP or TCP; NetBus is a hacker's favorite. NetBus Pro 2.0 is the second most popular Trojan Horse program available to the public (Sub7 is #1). There are now three versions of NetBus in circulation: version 1.5x (usually 1.53), version 1.6, and version 1.7. By default, the v1.70 server is named Patch.exe.
When you download a program from the internet, it may be infected with NetBus. This remote administration trojan program is similar to Back Orifice.
Unlike viruses and worms, trojans don't replicate, but they can be very harmful and intrusive. Increased activity on TCP port 12345 -- best known as both the NetBus Trojan's default port and the port used by a Trend Micro antivirus product -- has the security community arguing over who is responsible. Like SubSeven, it has numerous features that allow the intruder to completely control the victim computer. NetBus also allows others to change and steal your passwords, run or delete files, and reboot your computer.
This is not a virus, but it is considered to be a trojan. It is also quite widespread and used frequently to steal data and delete files on people's machines. It sets up software on your computer that acts as a server for the cracker at a remote client. The Netstat tool will tell you if NetBus is installed if you issue the command 'netstat -an'. It allows a hacker to access data and gain control over some Windows functions on the remote computer system. This tool has client and server parts. You will notice that the server is running on the default ports 12345 and 12346.
Here are some examples of files created by the malware:
Windir\MSCOMCNFG.EXE (the backdoor)
Windir\KeyHook.dll (the keylogger, which is often detected as Netbus.W95.Trojan)
The server part is installed on a remote system to be accessed. Version 1.60 of the NetBus server is a Windows PE file named PATCH.EXE. On execution, the server part installs itself to the Windows directory and will be executed automatically during the next Windows startup.
It can be an exe installer of itself, or it can be hidden inside a REAL setup.exe, usually planted in it and totally separate from whoever released the actual program. TROJ_NETBUS is the client component of the whole backdoor package and TROJ_SYSEDIT is the server component. The server component is used to infect a target computer and the client component is used to control a computer running the server component. The signature detects a response on port 1983/TCP that may indicate a backdoor program running on your network.
Whack-a-mole is a modified version of the NetBus trojan. Windows 95, 98 and NT are affected. In addition, ports 12361 and 12362 are used to establish the connection between the "victim" and the server.
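As an added example (not part of the original page), the script below checks the text output of 'netstat -an' for sockets bound to the default NetBus ports cited in this article (12345/12346 for the 1.x server, 12361/12362 for Whack-a-mole, and 20034/TCP for the 2.x version). The netstat output it scans is constructed for the demo, and the port-to-variant labels are taken from the text.

```python
# Added example: flag netstat -an rows whose local port is a NetBus default port.
# The sample output below is constructed; real output comes from `netstat -an`.
import re

# Default ports named on this page, mapped to the variant the text associates them with.
NETBUS_PORTS = {
    12345: "NetBus 1.x server",
    12346: "NetBus 1.x server",
    12361: "Whack-a-mole variant",
    12362: "Whack-a-mole variant",
    20034: "NetBus 2.x",
}

# One Windows netstat row: proto, local addr:port, foreign addr:port, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)", re.I)


def find_netbus_sockets(netstat_text):
    """Return (proto, local_port, state, label) for every row on a NetBus port."""
    hits = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m or m.group(3) == "*":  # header/blank lines, or a wildcard port
            continue
        proto, port, state = m.group(1).upper(), int(m.group(3)), m.group(6)
        if port in NETBUS_PORTS:
            hits.append((proto, port, state or "", NETBUS_PORTS[port]))
    return hits


# Constructed sample in the layout `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12345      192.168.1.9:1044       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for proto, port, state, label in find_netbus_sockets(SAMPLE_NETSTAT):
        print(f"{proto} port {port} ({state or 'no state'}): matches {label} default port")
```

A listener on 12345/12346 is only an indicator; as the page notes, trojan loggers and other products also use these ports, so confirm by checking the owning process and the RunServices registry key.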
There are two ways to remove NetBus, depending on what version you use. However, unlike other Backdoor Trojans, this backdoor package is not complete without the KEYHOOK.DLL file (TROJ_NTBUS.54272) running on the infected system.
The server part takes steps to protect itself from being removed from the system: it hides its process name in the Windows task manager and denies access to its file on any attempt to delete or rename it.
NetBus is not a virus, but it is considered to be a trojan. When the server part is called with the '/noadd' command line switch, it will not be started every time Windows starts. When the '/remove' command is passed to the server part, it removes itself from the system.
The client part allows controlling the remote computer system where the server part is installed and activated. The client part has a dialog interface which allows performing tricks (some of them really nasty) on the remote system and receiving/sending data, text and other information.
List of other trojans:
- Backdoor.BO (aka Backorifice)
- Phase aka Phase Server
It is easier to use than Back Orifice and connects on port 20034 (TCP), which is mostly blocked by firewalls. Very hacker friendly. In fact, you don't have to be a hacker at all to figure this out! (That was the idea behind it: designed to be used by anyone, on anyone.) Network packet captures indicate that the password scheme is padded by one byte.
This Win32-based Trojan program can affect Windows 95, Windows 98 and Windows NT systems. It pretty much offers the same features as NetBus; however, it is a bit more flexible when it comes to editing the server program, and offers a slightly larger collection of destructive commands.
Below is a partial list of what this trojan (Netbus) can do:
- Monitor ALL of your online activity (purchases, chat, mail)
- Listen for keystrokes on remote system and save them to file
- Get a screenshot from remote computer
- Delete ANY of your files
- Return information about the target computer
- Record your Keystrokes (on and off-line)
- Open/Close your CD-ROM drive
- Print Documents
- Make click sounds every time a key is pressed
- Navigate you to unwanted and offensive web sites
- Edit your Registry
- Block certain keys on the remote system keyboard
- Redirect incoming connections
- Change Volume
- Change Desktop wallpaper
- Play sound files
- Turn off the speakers
- Password-protection management of the remote server
- Show, kill and focus windows on remote system
Some of the more publicised trojans are picked up by virus checkers (NetBus and BackOrifice for example) but there are thousands that aren't and never will be.
How it loads, where it hides
It will usually load up from the registry.
Registry key commonly used by this malware:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The previous versions of the server editor were much like the server editor: they were meant to hide the server and perform destructive tasks.
The Netbus 1.7 trojan - New Features:
- Ultra-fast Port scanner.
- Possibility to restrict access to IP Addresses
Screenshot: Online Scan Report
Warning: To users who have been scanned, either by our webpage scanner or by our IRC bot, and were told they are infected: please keep in mind that trojan loggers such as Jammer, AntiBO, and the like are designed to trick potential hackers into thinking you are infected. This has the same effect on our scanners.
Like BO, the NetBus server can have practically any filename. If you are running such a program to log trojan connection attempts, then our scans may be seeing that, and not a trojan. For a true reading, please shut down the software and perform the scan again, then after getting true results, re-enable your trojan logger. You can remove this trojan manually from your computer. However, manual removal involves altering the Windows Registry.
This security-breaking program was designed as a remote admin tool, more so than as a hacker's tool; however, it is still possible to hide the server on a victim's computer and use it for abuse. The main difference between 2.1 and 2.0 is features, not the way it tries to hide. However, the removal is similar, with only slight differences.
WARNING: Before making any changes to your system's registry, you should back up your registry (using the Export command in the Registry menu), and do not edit or delete anything other than what is recommended here. To do this you will need to use a program called RegEdit. You can go to the Run command in your Start menu and type regedit there to start the program. Back Orifice doesn't do these things.
You will have to use antivirus software capable of detecting NetBus to ensure that you do not have this file anywhere else on your hard disk.
NOTE: This information is supplied for educational purposes only. There are NO warranties with regard to this information.
[December 3, 2014]
The Netbus Trojan - What's New?
We started hearing about a new virus: Stuxnet, a Trojan worm. This malware is able to target industrial control systems.
In addition to that, W32.Stuxnet has revealed a total of four zero-day vulnerabilities. The primary purpose of this worm is to take control of industrial facilities.
Trojans can communicate in several different ways. Unlike a virus or worm, they cannot spread themselves. NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in 1998. This trojan or backdoor is a remote control tool. That means it opens a "backdoor" to a PC, so that everybody can access your PC from the network without your notice. Once NetBus Pro 2.0 is downloaded, and with knowledge of certain passwords, an attacker can gain complete control of a system.
Trojans are typically files with suffixes like "ini", "exe", or "com". Once you're infected, you can spread the trojan to others without even being aware of it! Not all Trojans were designed for the same purpose. Here you will find the answers to the most commonly asked questions about the NetBus Trojan. Learn how to identify Internet threats and protect yourself online.