NetBus Pro 2.0
is the second most popular Trojan Horse program available to the public (Sub7 is #1).
When you download a program from the internet, it may be infected with NetBus. NetBus is not a virus, but it is considered a trojan. It is also quite widespread and is frequently used to steal data and delete files on people's machines. It allows an attacker to access data and gain control over some Windows functions on a remote computer system.
This tool has client and server parts. The server part is installed on the remote system that is to be accessed. Version 1.60 of the NetBus server is a Windows PE file named PATCH.EXE. On execution the server part installs itself into the Windows directory and will be executed automatically at the next Windows startup.
...
The server can be an exe installer of itself, OR it can be hidden inside a REAL setup.exe, usually planted there by someone totally separate from whoever released the actual program.
TROJ_NETBUS is the client component of the whole backdoor package and TROJ_SYSEDIT is the server component. The server component is used to infect a target computer and the client component is used to control a computer running the server component.

However, unlike other backdoor trojans, this backdoor package is not complete without the KEYHOOK.DLL file (TROJ_NTBUS.54272) running on the infected system.
The server part takes steps to protect itself from being removed from the system: it hides its process name in the Windows Task Manager and denies access to its file on any attempt to delete or rename it. When the server part is started with the '/noadd' command-line switch, it will not be started every time Windows starts. When the '/remove' switch is passed to the server part, it removes itself from the system.
The client part allows the attacker to control the remote computer system where the server part is installed and activated. The client has a dialog interface which allows the attacker to perform tricks (some of them really nasty) on the remote system and to receive/send data, text and other information.
It is easier to use than Back Orifice and listens on TCP port 20034 by default, a port that most firewalls block.
More than a prankster toy
It pretty much offers the same features as the original NetBus, but is a bit more flexible when it comes to editing the server program, and offers a slightly larger collection of destructive commands.
Below is a partial list of what this trojan can do:
- Monitor ALL of your online activity (purchases, chat, mail)
- Record your keystrokes (on- and off-line) and save them to a file on the remote system
- Get a screenshot from the remote computer
- Delete ANY of your files
- Return information about the target computer
- Open/close your CD-ROM drive
- Print documents
- Make click sounds every time a key is pressed
- Navigate you to unwanted and offensive web sites
- Edit your Registry
- Block certain keys on the remote system's keyboard
- Redirect incoming connections
- Change the volume
- Change the desktop wallpaper
- Play sound files
- Turn off the speakers
- Password-protect management of the remote server
- Show, kill and focus windows on the remote system
- Etc...
Main window. Very hacker friendly. In fact, you don't have to be a hacker at all to figure this out! (That was the idea behind it: designed to be used by anyone, on anyone.)

Spy functions. The hacker can pretty much see everything you see and record your keystrokes, voice, chat, etc. If you have a webcam the hacker can also watch you.

Keystroke recorder.

Allows the hacker to copy, delete, rename and run any file on your computer. Once again, very user friendly.

How it loads, where it hides
It will usually load up from the registry. The registry key commonly used by this malware:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The previous versions of the server editor were much like the current one: they were meant to hide the server and to perform destructive tasks.
Notice: To users who have been scanned, either by our webpage scanner or by our IRC bot, and were told they are infected.
Please keep in mind that trojan loggers such as Jammer, AntiBO, and the like are designed to trick potential hackers into thinking you are infected. They have the same effect on our scanners.
If you are running such a program to log trojan connection attempts, then our scans may be seeing that, and not a trojan.
For a true reading, please shut down that software and perform the scan again; after getting true results, re-enable your trojan logger.

You can remove this trojan manually from your computer. However, manual removal involves altering the Windows Registry.
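Before touching the registry it is worth confirming the two indicators this page gives, and doing so offline, so that a trojan logger answering on the port is not mistaken for the server. The following is an added example and is not code from the original page or from NetBus itself. It parses a RegEdit export of the RunServices key named above and a `netstat -an` capture (both are constructed samples embedded in the script), and reports an autostart entry that launches the server executable, a listener on TCP 20034, and the remote address of any established session, which is the controller's address. The file-name list is an assumption: PATCH.EXE is the name the page gives for the 1.60 server, and for other versions you add the names your antivirus vendor publishes. Because of the logger false positive described in the notice, a listener alone is treated as weak evidence; the script only calls a machine infected when the autostart entry is present as well.

```python
"""Offline NetBus triage: check the two indicators the page names.

Added example, not code from the original page or from NetBus itself.
Input is a RegEdit .reg export of the RunServices key plus a `netstat -an`
capture; both samples below are constructed for this demo.
"""
import re

# Default TCP port of the NetBus 2.0 Pro server (from the page).
NETBUS_PORT = 20034
# Autostart key the page names as the usual load point.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
# File names to flag. PATCH.EXE is the 1.60 server name from the page; anything
# else you add here is an assumption taken from your AV vendor's write-up.
DEFAULT_SERVER_NAMES = ("patch.exe",)

# Constructed sample: RegEdit "Export" of the RunServices key on an infected box.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"PatchSvc"="C:\\WINDOWS\\PATCH.EXE"
"""

# Constructed sample: the same key on a clean machine that runs a trojan logger.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""

# Constructed sample: `netstat -an` showing the listener and one live session.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:20034      10.0.0.9:1456          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

_SECTION = re.compile(r"^\[(.+)\]\s*$")
# "Name"="data" lines; tolerates the \" and \\ escapes RegEdit writes.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    # RegEdit doubles backslashes and escapes quotes inside REG_SZ data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_values(reg_text, key):
    """Return {value_name: string_data} for one key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            in_key = m.group(1).lower() == key.lower()
            continue
        m = _STRING_VALUE.match(line)
        if in_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def _exe_basename(command):
    """Lower-cased file name of the program a Run-style command line starts."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return re.split(r"[\\/]", exe)[-1].lower()


def find_autostart_servers(reg_text, names=DEFAULT_SERVER_NAMES):
    """RunServices values whose command line starts a known server file name."""
    wanted = {n.lower() for n in names}
    return [(name, cmd) for name, cmd in parse_reg_values(reg_text, RUNSERVICES_KEY).items()
            if _exe_basename(cmd) in wanted]


def find_netbus_sockets(netstat_text, port=NETBUS_PORT):
    """(local, foreign, state) for every TCP socket bound to the NetBus port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[1].rsplit(":", 1)[-1] == str(port):
            hits.append((parts[1], parts[2], parts[3]))
    return hits


def triage(reg_text, netstat_text, names=DEFAULT_SERVER_NAMES):
    """Combine both indicators. A listener alone may be a trojan logger (Jammer,
    AntiBO) answering on the port, so 'infected' also requires the autostart entry."""
    autostart = find_autostart_servers(reg_text, names)
    sockets = find_netbus_sockets(netstat_text)
    listening = any(state == "LISTENING" for _, _, state in sockets)
    controllers = sorted({foreign for _, foreign, state in sockets if state == "ESTABLISHED"})
    return {"autostart": autostart, "listening": listening,
            "controllers": controllers, "infected": listening and bool(autostart)}


if __name__ == "__main__":
    for label, reg in (("infected host", SAMPLE_REG), ("logger only", CLEAN_REG)):
        print(label, triage(reg, SAMPLE_NETSTAT))
```

Run it against a real export (RegEdit, select the RunServices key, Registry menu, Export) and a saved `netstat -an` by reading the two files in place of the samples. The ESTABLISHED peer address is the one to note down before you kill anything, since it is the only trace of who was connected.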
This program was designed as a remote admin tool more than as a hacker's tool; however, it is still possible to hide the server on a victim's computer and use it for abuse. The main difference between 2.1 and 2.0 is features, not the way it tries to hide, so the removal is similar with only slight differences.
WARNING: Before making ANY changes to your system's registry, you should back up your registry (using the Export command in the Registry menu), and do not edit or delete anything other than what is recommended here. To do this you will need to use a program called RegEdit: go to the Run command in your Start menu and type regedit there to start the program.