Netbus Detection and Removal
What's worse than a virus on your system? A program that gives control of your computer to someone connecting to it through the Internet.
A Swedish programmer named Carl-Fredrik Neikter has released a Windows95/98 trojan horse program named "Netbus." Netbus consists of a client program, also called Netbus, which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the Internet, and an executable server program that must be installed on the victim's computer to give the remote site access to it, in a manner similar to Cult of the Dead Cow's "Back Orifice" program. As is the case with "Back Orifice," this program exploits security vulnerabilities in the Windows95 and Windows98 platforms and, at the time of this advisory, does not function on Windows NT systems. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploitation of security holes in browsers and email programs, and physical installation on machines.
The server program for the Netbus trojan horse can be given any name by the party who places it on the victim's machine, which makes it difficult, but not impossible, to identify after it has been installed. The server is distributed under the name PATCH.EXE, but those deploying this trojan horse program are reminded to change the name of the server program or to package it within another innocuous program for delivery and installation on the victim's machine.
The server program can be removed manually if it is delivered in its native state with the default filename "PATCH.EXE." Since the server program can be given any name, the registry must be examined to determine the name of the server program. Knowledge of the legitimate registry entries on the particular machine is required in order to determine which key contains the pointer to the Netbus server program. Once the added file has been identified, the registry entry can be removed and the machine rebooted to permit deletion of the server file. A KeyHook.DLL file is also placed in the \WINDOWS or \WINDOWS\SYSTEM directory, replacing any copy of this file that may have been legitimately installed with other shareware. After removal, it will be necessary to replace the KeyHook.DLL file with a copy from the original install disks.
Capabilities
The Netbus server permits anyone using the Netbus client to remotely control the victim's machine. The capabilities of the Netbus program are:
- Open/close the CD-ROM once or in intervals (specified in seconds).
- Show optional image.
- Swap mouse buttons: the right mouse button gets the left mouse button's functions and vice versa.
- Start optional application.
- Play optional sound-file.
- Point the mouse to optional coordinates. You can even navigate the mouse on the target computer with your own!
- Show a message dialog on the screen. The answer is always sent back to you!
- Shutdown the system, logoff the user etc.
- Go to an optional URL within the default web-browser.
- Send keystrokes to the active application on the target computer! The text in the field Message/text will be inserted in the application that has focus. (| represents enter).
- Listen for keystrokes and send them back to you!
- Get a screendump!
- Return information about the target computer.
- Upload any file from you to the target computer! With this feature it will be possible to remotely update Patch with a new version.
- Increase and decrease the sound-volume.
- Record sounds that the microphone catches. The sound is sent back to you!
- Make click sounds every time a key is pressed!
- Download and deletion of any file from the target. You choose which file you wish to download/delete in a nice view that represents the harddisks on the target!
- Keys (letters) on the keyboard can be disabled.
- Password-protection management.
- Show, kill and focus windows on the system.
The ability to turn on a microphone is particularly threatening, as it could permit the perpetrator to listen to room audio and in effect "bug" the victim's room without detection. The ability to monitor keystrokes is also of concern, as is the ability to read and write files or possibly destroy the operating system.
Warning:
IF YOU DO NOT KNOW WHAT THE REGISTRY IS, OR YOU ARE UNCOMFORTABLE EDITING THE REGISTRY, FIND SOMEONE WHO KNOWS WHAT THEY ARE DOING TO HELP YOU!!! CORRUPTING THE REGISTRY CAN REQUIRE A REINSTALL OF WINDOWS!
Manual Removal of Netbus Server
The Netbus server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and may carry a DOS-like command switch such as /nomsg, /noadd or similar. In some cases this clue will not appear. The registry entry will use the name of the file as the subkey name, and its value will point to the location where the server is installed.
It is necessary to remove the registry subkey first: it will not be possible to remove the program file while the server is running, and you may also be prevented from shutting down the computer. A reboot is then required to restart the machine without the Netbus server being reloaded, at which point the file pointed to by the registry entry can be removed without further risk. Before removing the registry entry, back up your registry as well as your programs and files, in case removal of the entry damages your system.
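The inspection described above can be scripted against a REGEDIT4 export of the Run key (the text format Windows 95/98 regedit writes) rather than done by eye. This is an added example, not part of the advisory or of Netbus itself: the export text, the entry names and the SysUpdate.exe path are constructed, while the /nomsg and /noadd switches and the PATCH.EXE default name are the clues the advisory gives; the known-good baseline stands in for the "knowledge of legitimate registry entries" the advisory requires.

```python
import re

# Constructed sample (not from a real machine): a REGEDIT4 export of the Run key, the
# format Win9x regedit writes, with two legitimate entries and one renamed Netbus server.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SysUpdate"="C:\\WINDOWS\\SYSTEM\\SysUpdate.exe /nomsg"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETBUS_SWITCHES = ("/nomsg", "/noadd")   # switches the advisory says may appear
DEFAULT_SERVER_NAME = "patch.exe"        # the server's default filename

def parse_run_entries(reg_text):
    """Return {entry_name: command} for every value under the Run key."""
    entries, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # REGEDIT4 doubles backslashes inside string values; undo that.
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def flag_suspicious(entries):
    """Return [(name, command, reason)] for entries carrying a Netbus clue."""
    flagged = []
    for name, command in entries.items():
        words = command.lower().split()
        reasons = [s for s in NETBUS_SWITCHES if s in words]
        if DEFAULT_SERVER_NAME in command.lower():
            reasons.append("default server filename")
        if reasons:
            flagged.append((name, command, ", ".join(reasons)))
    return flagged

def unknown_entries(entries, known_good):
    """Fallback when no switch clue appears: entries absent from a known-good baseline."""
    return {n: c for n, c in entries.items() if n not in known_good}

def server_path(command):
    """Drop any switches to get the file to delete after the reboot."""
    return command.split(" /")[0].strip()
```

Run the flagged entry's path through server_path to know which file to delete once the machine has been rebooted without the entry; an entry that carries no switch still shows up through unknown_entries if it is missing from the machine's baseline.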