NetBus trojan horse allows complete remote control of Windows systems

Risk Level: High

Check or Attack Name: NetBus

Platforms: Windows NT, Windows 95, Windows 98, Trojan Horse: Windows

Description:

NetBus version 1.x is a Trojan horse program for Windows 95, 98, and NT that relinquishes complete control of a system to an attacker who knows the correct password. By default, NetBus will listen on TCP port 12345 for commands and is easily detectable. If you determine you have been infected with this program, remove it immediately.

Remedy:

To verify whether NetBus is installed, follow these steps:

  1. From a DOS command prompt, type: netstat -an | find "12345"
  2. The machine may be infected with NetBus if the response is similar to one of the following entries:
    • TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING (NetBus is idle.)
    • TCP 127.0.0.1:12345 127.55.51.212:29223 ESTABLISHED (NetBus is active.)

    Note: If you use netstat -a instead of -an, you can get the hostname instead of the IP address.

  3. If NetBus exists on the machine, perform the following procedures to remove a NetBus installation.
    • Remove NetBus from your computers.

      To remove NetBus from your computers, follow these steps:

      1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
      2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key.
      3. Locate and delete a value named SysEdit. This is the default NetBus server signature.

         Note: The SysEdit value may vary. If you cannot find this value, the machine may have NetBus 1.6 or later installed. See below to remove an installation of NetBus 1.6.

      4. Reboot the computer.
      5. Delete the SysEdit.exe and KeyHook.dll files from your system. You can locate these files from the Windows NT Start menu by choosing Find, Files or Folders. After the registry entry and server executables are deleted, NetBus is no longer installed on the system.

    • To remove an installation of NetBus 1.6, follow these steps:

      1. From a DOS command prompt, type: telnet <your_hostname> 12345
      2. Type: Password;1;
      3. Then type: RemoveServer;1;
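The verification steps above can be scripted so that many hosts are checked the same way. The following is an added example, not part of the ISS X-Force advisory: it parses saved `netstat -an` output, flags TCP sockets on the default NetBus port 12345 (LISTENING means idle, ESTABLISHED means an active session, matching the two entries the advisory shows), and checks the names of `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` values for the default SysEdit signature. The netstat sample and the registry values fed to the checker are constructed; the helper `read_run_key` uses the standard-library `winreg` module only when it is available, so the example also runs on non-Windows hosts.

```python
"""Added example (not from the ISS X-Force advisory): detection helpers for
the NetBus indicators the advisory describes (TCP port 12345 and a Run-key
value named SysEdit). Sample data below is constructed for the example."""
import re
from typing import Dict, List, Tuple

NETBUS_DEFAULT_PORT = 12345          # default listening port named in the advisory
NETBUS_RUN_VALUE = "SysEdit"         # default server signature in the Run key
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `netstat -an` output, modelled on the advisory's entries.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12345        127.55.51.212:29223    ESTABLISHED
  TCP    10.0.0.5:1234          10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn `netstat -an` output into a list of row dictionaries."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines and anything unexpected are skipped
        proto, laddr, lport, faddr, state = m.groups()
        rows.append({"proto": proto, "local_addr": laddr,
                     "local_port": int(lport), "foreign": faddr,
                     "state": state or ""})
    return rows


def find_netbus_listeners(text: str, port: int = NETBUS_DEFAULT_PORT) -> List[Tuple[str, str, str]]:
    """Return (local address, foreign address, status) for TCP sockets on `port`.

    Status follows the advisory: LISTENING -> idle, ESTABLISHED -> active.
    """
    findings = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["local_port"] != port:
            continue
        if r["state"] == "LISTENING":
            status = "idle"
        elif r["state"] == "ESTABLISHED":
            status = "active"
        else:
            status = str(r["state"]).lower()
        findings.append((str(r["local_addr"]), str(r["foreign"]), status))
    return findings


def find_netbus_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key value names matching the default NetBus signature."""
    return sorted(name for name in run_values
                  if name.lower() == NETBUS_RUN_VALUE.lower())


def read_run_key() -> Dict[str, str]:
    """Read the HKLM Run key on Windows; return {} where winreg is unavailable."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    for local, foreign, status in find_netbus_listeners(SAMPLE_NETSTAT):
        print(f"port {NETBUS_DEFAULT_PORT}: {local} <-> {foreign} ({status})")
    # Constructed Run-key contents standing in for a live registry read.
    sample_run = {"SysEdit": r"C:\WINDOWS\SysEdit.exe", "Vendor": r"C:\tools\agent.exe"}
    print("suspicious Run values:", find_netbus_run_values(sample_run) or "none")
    print("live Run values read:", len(read_run_key()))
```

Both checks only cover the defaults the advisory names: the listening port and the Run-key value name can be changed by whoever installs the server, so an empty result lowers but does not rule out the chance of an installation, and the file check for SysEdit.exe and KeyHook.dll in the removal steps remains worth doing.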

References:

NetBus Web Site (changes frequently), NetBus - Remote administration tool, http://www.angelfire.com/ab/netbussite/index.html

ISS Security Advisory #8, Windows Backdoors Update, http://xforce.iss.net/alerts/advise8.php3

NetBus Web Site, NetBus - Remote administration tool, http://fly.to/netbus

