NetBus

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Summary:	NetBus Pro is easier to use than Back Orifice and is connected to Port 20034 (TCP), which is mostly blocked by firewalls.
Vendor Notes:	NetBus Pro is an easy-to-use remote administration and spy tool. Functions: Server Admin (set password, close server, restrict access) Host Info (system info, cached passwords) Message Manager File Manager (create/delete folder, upload/download/delete file) Window Manager Registry Manager Sound System Balance Plugin Manager Port Redirect Application Redirect File Actions (execute file, play sound, show image, open document, print document) Spy Functions (keyboard listen, capture screen image, capture camera video, record sound) Exit Windows (logoff, poweroff, reboot, shutdown) Client chat Open/Close CDROM Keyboard (disable keys, key click, restore keys) Mouse (swap buttons, resore buttons) Go To URL Send Text
Alias:	Backdoor.Netbus.12, Backdoor.Netbus.153, Backdoor.Netbus.160.a, Backdoor.Netbus.160.b, Backdoor.Netbus.170, Backdoor.Netbus.170 [Kaspersky], Backdoor.Netbus.20, Backdoor.Netbus.20.b, Backdoor.Netbus.20.c, Backdoor.Netbus.20.d, Backdoor.Netbus.21, Backdoor.Netbus.21.a, Backdoor.Netbus.21.b, Backdoor/Netbus.170 [Computer Associates], Backdoor/Netbus_Server_family [Computer Associates], corrupted. [Kaspersky], security risk or a "backdoor" program [F-Prot], Trj/Netbus.170 [Panda], W32/NetBus.backdoor.494592.B [F-Prot], Win32.NetBus.170 [Computer Associates]
Category:	RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment. Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker. Key Logger: (Keystroke Logger). A program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a key logger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans). Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Variants:	NetBus 1.20 NetBus 1.53 NetBus 1.6 NetBus 1.60 NetBus 1.70 NetBus 2.0 Netbus 2.0 Polish NetBus 2.0 Pro NetBus 2.0 Pro Beta NetBus 2.01 NetBus 2.01 Pro NetBus 2.1 a NetBus 2.1 b NetBus 2.9 Pro Netbus 2000 NetBus Pro 2.0 Netbus Pro 2.01 NetBus Pro 2.10 NetBus Ultima Client
Similar Pests:	RAT · Backdoor · Key Logger · Trojan
Origins
Author:	Carl-Fredrik Neikter
Programming Language:	Delphi
Date of Origin:	Variants from February, 1998 to March, 2005
Distribution
Prevalence:	NetBus: 0.1% NetBus 1.53: 0.8% NetBus 1.6: 0.2% NetBus 1.70: 0.4% NetBus 2.0: 0.1% NetBus 2.0 Pro: 0.4% Netbus Pro 2.01: < 0.00005% NetBus Pro 2.10: 0.3% More Info
Clot Factor:	NetBus: < 1 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	NetBus 1.53: Insufficient data to report growth NetBus Pro 2.10: Insufficient data to report growth
Operation
Platform:	Operating system: Windows 95/98, Windows NT4 or later versions of the Windows family. - Network: The network must support the TCP/IP protocol.
Default Port:	12345, 12346 TCP More info about ports.
Storage Required:	NetBus: at least 2345 KB NetBus 1.20: at least 3301 KB NetBus 1.53: at least 2617 KB NetBus 1.6: at least 3489 KB NetBus 1.70: at least 1241 KB NetBus 2.0: at least 649 KB Netbus 2.0 Polish: at least 21 KB NetBus 2.0 Pro: at least 5577 KB NetBus 2.0 Pro Beta: at least 9 KB NetBus 2.01: at least 5 KB NetBus 2.01 Pro: at least 1733 KB NetBus 2.1 a: at least 1745 KB NetBus 2.9 Pro: at least 33 KB NetBus Pro 2.0: at least 21 KB Netbus Pro 2.01: at least 1373 KB NetBus Pro 2.10: at least 1625 KB
Restart:	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Autostarting Pests
ScreenShot:

NetBus Pro 2.10

NetBus 2.0b Pro

NetBus 1.70 ESP

NetBus 1.60

NetBus 1.53

NetBus 1.20

Risks
Detection Issues:	Difficult to detect by design. May hide from process list. May install with variable names in variable locations.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Follow these steps to remove NetBus from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
	Stop Running Processes: Kill these running processes with Task Manager: about.exe core-netbus.pro.v2.01.exe killme.exe lramkit98br.exe mp_bus.exe mpower.exe nagbbs.exe nb2.0b.exe nb2.0f.exe nbpro201.exe nbpro210.exe nbsvr.exe netbus.exe patch.exe sysedit.exe systemroot+\wizjatv.exe
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: nbuninst.dll programfilesdir+\printscreen2000\_isreg32.dll
	Remove Files: Remove these files (if present) with Windows Explorer: _sys1.cab _sys1.hdr _user1.cab _user1.hdr about.dfm about.exe access.dfm access.pas addhost.dfm addhost.pas appredir.dfm appredir.pas chat.dfm chat.pas choose.dcu choose.dfm choose.pas core-netbus.pro.v2.01.exe data.dfm data.pas data.tag data1.cab data1.hdr default.lng domain.dcu domain.dfm domain.pas drivelist.dcu drivelist.pas events.txt fileact.dfm fileact.pas fileiterator.dcu fileiterator.pas filemgr.dfm filemgr.pas findhost.dfm findhost.pas fog.airraid.1728.com fog.airraid.330.com hostinfo.dfm hostinfo.pas hosts.txt image.dfm image.pas img.dcu img.dfm img.pas keydefs.dcu keydefs.pas keydll.dcu keydll.pas keyhook.dof keyhook.dpr keyhook.res killme.exe layout.bin listen.dcu listen.dfm listen.pas logg.dfm logg.pas lramkit98br.exe main.dcu main.dfm main.pas main2.dfm main2.pas memo.dcu memo.dfm memo.pas mp_bus.exe mpower.exe msg.dcu msg.dfm msg.pas msgmgr.dfm msgmgr.pas nagbbs.exe nb2.0b.exe nb2.0f.exe nbpro20.txt nbpro201.exe nbpro210.exe nbsvr.exe nbuninst.dll net1.7onc.txt netbus.cnt netbus.dof netbus.dpr netbus.exe netbus.hlp netbus.res netbus.rtf onxp.txt patch.exe pestpatrolnet1.7.txt plugin.dfm plugin.pas polish.lng portredir.dfm portredir.pas programfilesdir+\printscreen2000\_isreg32.dll pwd.dfm pwd.pas readme.fuq read-me.html readme.txt recsound.dfm recsound.pas regdlg.dfm regdlg.pas register.dfm register.pas regmgr.dfm regmgr.pas schedule.dfm schedule.pas scktcomp.dcu scktcomp.pas screen.dfm screen.pas sendkey.dcu sendkey.dpr sendkey.pas sendkey.res sendkey2.dcu sendkey2.pas settings.dfm settings.pas setup.ins setup.pkg share.dfm shut.dcu shut.dfm shut.pas sound.dcu sound.dfm sound.pas splash.dfm splash.pas svrsetup.dfm svrsetup.pas sysedit.exe systemroot+\wizjatv.exe temp.dsk temp.wav temp1.dsk temp1.jpg temp1.wav transfer.dfm transfer.pas uninst.isu unit1.dcu unit1.dfm unit1.pas update.dfm update.pas volume.dcu volume.pas wave.dcu wave.pas webcam.dfm webcam.pas winmgr.dfm winmgr.pas ynbhelp.dpr
	Remove Directories: Remove these directories (if present) with Windows Explorer: programfilesdir+\printscreen2000
Research
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	April 03, 2005

NetBus

· Overview · · Origins · · Distribution · · Operation · · Risks · · Detection and Removal · · Research ·

Overview

Summary:

Vendor Notes:

Alias:

Category:

Variants:

Similar Pests:

Origins

Author:

Programming Language:

Date of Origin:

Distribution

Prevalence:

Clot Factor:

Growth:

Operation

Platform:

Default Port:

Storage Required:

Restart:

ScreenShot:

Risks

Detection Issues:

Detection and Removal

Automatic Removal:

Manual Removal:

Research

More Info:

Research By:

Last Revised:

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·