Netbus Trojan
Description
    Review date: 06.04.2009

NetBus pro 2.0 is the second most popular Trojan Horse program available to the public (Sub7 is #1). A program you download from the internet may be infected with NetBus. This remote administration trojan program is similar to Back Orifice.

Increased activity on TCP port 12345 -- best known as both the NetBus Trojan's default port and the port used for a Trend Micro antivirus product -- has the security community arguing as to who is responsible. Like SubSeven, NetBus has numerous features that allow the intruder to completely control the victim computer. NetBus also allows others to change and steal your passwords, run or delete files, and reboot your computer.

This is not a virus, but it is considered to be a trojan. It is also quite widespread and frequently used to steal data and delete files on people's machines. It sets up software on your computer that acts as a server to the cracker at a remote client, allowing a hacker to access data and gain control over some Windows functions on a remote computer system. This tool has client and server parts. The Netstat tool will tell you if NetBus is installed: issue the command 'netstat -an' and you will notice that the server is running on the default ports 12345 and 12346.



The server part is installed on the remote system to be accessed. Version 1.60 of the NetBus server is a Windows PE file named PATCH.EXE. On execution the server part installs itself to the Windows directory, and it will be executed automatically during the next Windows startup.

It can be an exe installer of itself, or it can be hidden inside a real setup.exe, usually planted in it and totally separate from whoever released the actual program. TROJ_NETBUS is the client component of the whole backdoor package and TROJ_SYSEDIT is the server component. The server component is used to infect a target computer and the client component is used to control a computer running the server component. The signature detects a response on port 1983/TCP that may indicate a backdoor program running on your network.



Whack-a-mole is a modified version of the NetBus trojan. Windows 95, 98 and NT are affected. It uses ports 12361 and 12362 to establish its connection between the "victim" and the server.
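The netstat check described above, as an added example that is not part of the original page: it parses `netstat -an` output and flags TCP listeners on the NetBus and Whack-a-mole ports this page names. A hit is a lead rather than a verdict, since port 12345 is also used by a Trend Micro antivirus product; the sample output and the function name are constructed for illustration.

```python
import re

# Ports this page associates with NetBus and its Whack-a-mole variant.
SUSPECT_PORTS = {
    12345: "NetBus default port",
    12346: "NetBus default port",
    12361: "Whack-a-mole (modified NetBus)",
    12362: "Whack-a-mole (modified NetBus)",
}

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      203.0.113.7:12345      ESTABLISHED
  TCP    [::]:12361             [::]:0                 LISTENING
  UDP    0.0.0.0:12345          *:*
"""

# TCP rows only: local address, local port, foreign address, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$", re.IGNORECASE)

def find_suspect_listeners(netstat_text):
    """Return (local_address, port, label) for TCP listeners on suspect ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows and blank lines
        addr, port, state = m.group(1), int(m.group(2)), m.group(3).upper()
        # Only a local LISTENING socket suggests a server part; an outbound
        # connection to a remote port 12345 is a different finding.
        if state in ("LISTENING", "LISTEN") and port in SUSPECT_PORTS:
            hits.append((addr, port, SUSPECT_PORTS[port]))
    return hits

if __name__ == "__main__":
    for addr, port, label in find_suspect_listeners(SAMPLE):
        print(f"{addr}:{port}  {label}  (confirm the owning process before acting)")
```
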

There are two ways to remove NetBus, depending on what version you use. However, unlike other Backdoor Trojans, this backdoor package is not complete without the KEYHOOK.DLL file (TROJ_NTBUS.54272) running in the infected system. The server part takes steps to protect itself from being removed from the system: it hides its process name in the Windows task manager and denies access to the file on an attempt to delete or rename it.

NetBus is not a virus, but it is considered to be a trojan. When the server part is called with the '/noadd' command line option, it will not be started every time Windows starts. When the '/remove' command is passed to the server part, it removes itself from the system.

The client part allows control of the remote computer system where the server part is installed and activated. The client part has a dialog interface which makes it possible to perform tricks (some of them are really nasty) on the remote system and to receive/send data, text and other information.



List of other trojans:

  • Backdoor.BO (aka Backorifice)
  • Backdoor.DeepThroat
  • Phase aka Phase Server
  • Trojan.Win.BuggyShell
  • Trojan.Win.Heckler
  • Trojan.Win32.AntiBTC

It is easier to use than Back Orifice and is connected to Port 20034 (TCP), which is mostly blocked by firewalls. Very hacker friendly. In fact, you don't have to be a hacker at all to figure this out! (That was the idea behind it, designed to be used by anyone, on anyone). Network packet captures indicate that the password scheme is padded by one byte.

This Win32 based Trojan program can affect Windows 95, Windows 98 and Windows NT systems. It offers much the same features as NetBus; however, it is a bit more flexible when it comes to editing the server program, and offers a slightly larger collection of destructive commands.

Below is a partial list of what this trojan (Netbus) can do:

  • Monitor ALL of your online activity (purchases, chat, mail)
  • Listen for keystrokes on remote system and save them to file
  • Get a screenshot from remote computer
  • Delete ANY of your files
  • Return information about the target computer
  • Record your Keystrokes (on and off-line)
  • Open/Close your CD-ROM drive
  • Print Documents
  • Make click sounds every time a key is pressed
  • Navigate you to unwanted and offensive web sites
  • Edit your Registry
  • Blocking certain keys on the remote system keyboard
  • Redirect incoming connections
  • Change Volume
  • Change Desktop wallpaper
  • Play sound files
  • Turn off the speakers
  • Password-protection management of the remote server
  • Show, kill and focus windows on remote system

Some of the more publicised trojans are picked up by virus checkers (NetBus and BackOrifice for example) but there are thousands that aren't and never will be.

How it loads, where it hides

It will usually load up from the registry. Registry key commonly used by this malware:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The previous versions of the server editor were much like server editor, they were meant to hide the server and perform destructive tasks.

The Netbus 1.7 trojan - New Features:

  • Ultra-fast Port scanner.
  • Possibility to restrict access to IP Addresses


    Warning: To users who have been scanned, either by our webpage scanner or by our IRC bot, and were told they are infected: please keep in mind that trojan loggers such as Jammer, AntiBO, and the like are designed to trick potential hackers into thinking you are infected. This also has the same effect on our scanners.

    Like BO, the NetBus server can have practically any filename. If you are running such a program to log trojan connection attempts, then our scans may be seeing that, and not a trojan. For a true reading, please shut down the software and perform the scan again, then after getting true results, re-enable your trojan logger. You can remove this trojan manually from your computer. However, manual removal involves altering the Windows Registry.





    This security-breaking program was designed as a remote admin tool, more so than as a hacker's tool; however, it is still possible to hide the server on a victim's computer and use it for abuse. The main difference between 2.1 and 2.0 is features, not the way it tries to hide. However, the removal is similar with only slight differences.

    WARNING: Before making ANY changes to your system's registry, you should back up your registry (using the Export command in the registry menu), and do not edit or delete anything other than what is recommended here. To do this you will need to use a program called RegEdit. You can go to the Run command in your Start menu, and type regedit there to start the program. Back Orifice doesn't do these things.

    You will have to use antivirus software capable of detecting Netbus to ensure that you do not have this file anywhere else on your hard disk.

    NOTE: This information is supplied for educational purposes only. There are NO warranties with regard to this information.

What is Netbus Trojan?
  • NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in 1998. This trojan or backdoor is a remote control tool. That means it opens a "Backdoor" to a PC, so that everybody can access your PC from the network without your notice.

    Once NetBus Pro 2.0 has been downloaded, an attacker with knowledge of certain passwords can gain complete control of a system.

    Trojans are typically files with suffixes like "ini", "exe", or "com". Once you're infected, you can spread the trojan to others without even being aware of it!
