IRC Mall

NETBUS

The "NetBus-Story" - an introduction

NetBus is a "Trojan Horse" with functionality similar to "Back Orifice". That means it opens a "backdoor" to a PC, so that anybody can access your PC over the network without your noticing. NetBus is much more user-friendly than Back Orifice. It was programmed by a Swedish guy called Carl-Fredrik Neikter, who published the first version in mid-March 1998. To date there are several versions: 1.60, 1.70 and the latest one, NetBus 2.01 Pro. All information on this page is valid for NetBus 1.60 and 1.70. Information about NetBus Pro can be found on an additional page.

NetBus - how it works

NetBus consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port 12345, which can't be altered; from version 1.70 onward the port can be configured. Additional information can be found in the author's original documents for Version 1.60 and Version 1.70.

NetBus - how to notice and how to fight

The NetBus server can be found in the system directory (i.e. "\win95" or "\winnt") and is started together with Windows. The name of the file differs: with NetBus 1.60 it is named "patch.exe", with NetBus 1.5x "SysEdit.exe", and if it is installed by a "game" called "whackamole" (file name "whackjob.zip", which contains the NetBus 1.53 server) its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses port 12631. Additionally it is password protected (PW: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the name of the server is actually "explore.exe", located in the Windows directory.

Normally all servers use the same icon:

To start the server automatically, there is an entry in the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", normally with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.

You can also delete the NetBus server using the client program itself: click "Server Admin" - "Remove Server". To uninstall the server from your own PC, enter the name "localhost" or the IP address 127.0.0.1.
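The checks described above can be combined into one detection routine. The following Python code is an added example, not part of the original page: it parses `netstat -an` output for the two listening ports named here and inspects Run-key values for the server file names and the "/nomsg" option. The function names and the sample netstat and Run data are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators stated on this page; 1.70+ can use other ports, so the Run key is checked too.
NETBUS_PORTS = {12345: "NetBus 1.60 fixed port", 12631: "whackjob17.zip server"}
SERVER_NAMES = {"patch.exe", "sysedit.exe", "explore.exe"}

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def check_run_entries(run_entries):
    """Flag Run-key values whose program name or options match the indicators."""
    findings = []
    for name, command in run_entries.items():
        m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
        if not m:
            continue
        exe = PureWindowsPath(m.group(1) or m.group(2)).name.lower()
        # Exact basename match: the legitimate explorer.exe must not be flagged.
        if exe in SERVER_NAMES:
            findings.append(f"Run value '{name}' starts {exe}")
        elif "/nomsg" in command.lower().split():
            findings.append(f"Run value '{name}' uses /nomsg")
    return findings

def check_host(netstat_text, run_entries):
    findings = [f"TCP port {p} is listening ({NETBUS_PORTS[p]})"
                for p in sorted(listening_ports(netstat_text) & set(NETBUS_PORTS))]
    return findings + check_run_entries(run_entries)

# Constructed sample data (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       10.0.0.8:12631         ESTABLISHED
"""
SAMPLE_RUN = {
    "Shell": r"C:\WINDOWS\explorer.exe",
    "PATCH": r"C:\WINDOWS\patch.exe /nomsg",
}
if __name__ == "__main__":
    print("\n".join(check_host(SAMPLE_NETSTAT, SAMPLE_RUN)))
```

Only local listening sockets are reported, so the outbound connection to remote port 12631 in the sample is ignored.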



Copyright IRC Mall 1999/2000.
All rights reserved. Last update on December 11 1999.
Made by Naim.