NetBus trojan horse for Windows
win-netbus-installed (1228)
Description:
NetBus and NetBus Pro are two of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. With the NetBus and NetBus Pro backdoors and with knowledge of certain passwords, an attacker can gain complete control of a system.
Backdoor programs such as NetBus are advertised as simple remote management tools. However, these programs represent a serious threat to your network environment, as they are designed to subvert normal security measures used by the host system. All NetBus activity should be considered highly suspicious.
Consequences:
Gain Access
Remedy:
Identify the source and destination addresses and remove the NetBus or NetBus Pro program from the computer on which it is running.
To verify that NetBus or NetBus Pro is installed on a particular computer:
- From a DOS command prompt, type: netstat -an | find "12345"
- The computer may be infected with NetBus if the response is similar to one of the following entries:
TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING (NetBus is idle.)
TCP 127.0.0.1:12345 127.55.51.212:29223 ESTABLISHED (NetBus is active.)
Note: If you use netstat -a instead of -an, you can obtain the hostname instead of the IP address.
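The manual netstat and registry checks above can be scripted so that the same test is run the same way on every host. The following Python script is an added example and is not part of the ISS advisory or any NetBus tool. It parses Windows-style "netstat -an" output (the sample below is constructed, not captured from a real host), flags TCP rows on port 12345 with the idle/active distinction the advisory describes, and checks the Run key named above for the SysEdit signature; the parser assumes the Windows column layout, and the function names are the example's own.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
# The two port-12345 rows mirror the idle and active patterns described in the advisory.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12345     203.0.113.7:29223      ESTABLISHED
  TCP    192.168.1.10:49152     192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One connection row: protocol, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); port is None when it is not numeric (e.g. '*:*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Parse netstat -an style output into connection dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        local_host, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(remote)
        rows.append({
            "proto": proto,
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": state or "",
        })
    return rows


def find_netbus(text: str, port: int = 12345) -> List[Dict]:
    """Return TCP rows whose local port is the NetBus port, with a verdict matching the advisory:
    LISTENING with no peer means the server is idle, ESTABLISHED means a client is connected."""
    findings = []
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["local_port"] != port:
            continue
        if row["state"] == "LISTENING":
            verdict = "idle"
        elif row["state"] == "ESTABLISHED":
            verdict = "active"
        else:
            verdict = "other"
        findings.append({**row, "verdict": verdict})
    return findings


def suspicious_run_entries(entries: Dict[str, str]) -> List[str]:
    """Given {value_name: command} from the Run key, return value names matching the default
    NetBus signature: a value called SysEdit, or any command that launches SysEdit.exe."""
    hits = []
    for name, command in entries.items():
        if name.lower() == "sysedit" or "sysedit.exe" in command.lower():
            hits.append(name)
    return hits


def read_run_key() -> Dict[str, str]:
    """Read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; returns {} when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    # Live check on this host; the parser expects the Windows netstat column layout.
    output = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for hit in find_netbus(output):
        print(f"port 12345 {hit['verdict']}: {hit['local_host']} <- {hit['remote_host']}")
    for name in suspicious_run_entries(read_run_key()):
        print(f"Run key value '{name}' matches the NetBus SysEdit signature")
```

Running the script directly performs the live check; importing it lets the same parser be run over netstat output collected from many hosts, so an ESTABLISHED hit also records the peer address that the remedy section asks you to identify.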
To remove NetBus from a computer:
CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.
- Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
- Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key.
- Locate and delete a value named SysEdit. This is the default NetBus server signature. Note: The SysEdit value may vary. If you cannot find this value, the computer may have NetBus 1.6 or later installed. See below to remove an installation of NetBus 1.6.
- Restart the computer.
- Delete the SysEdit.exe and KeyHook.dll files from your system. You can locate these files from the Windows NT Start menu by choosing Find, Files or Folders. After the registry entry and server executables are deleted, NetBus is no longer installed on the system.
To remove an installation of NetBus 1.6:
- From a DOS command prompt, type: telnet <your_hostname> 12345
- Type: Password;1;
- Then type: RemoveServer;1;
References:
- Internet Security Systems Security Alert #08: Windows Backdoors Update.
- PestPatrol Web site: NetBus.
- UltraAccess.net Web site: NetBus - Remote administration tool.
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
Platforms Affected:
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows XP
Reported:
Not available
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
