Netbus.svr

Type: Trojan
SubType: Remote Access
Discovery Date: 09/01/1998
Length:
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 09/15/1998
Description Modified: 09/15/1998 12:00 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

*Update May 24, 2000: Recently an organization known as UltraAccess.net publicized that VirusScan and other related software from Network Associates will not scan for the Netbus programs.

This is incorrect.

No decision was ever made to stop scanning for Netbus, Netbus Pro or other related software. NOTE: VirusScan does make a distinction between standard Netbus Pro installed software and trojanized installations. McAfee Antivirus software does scan for trojanized programs that have the Netbus installation bound to them, such as the so-called game program "Whack-a-mole", and for other misuses of the remote administration tool.

For more information about this, contact Virus Research.

Netbus is a remote administration hack tool that predates another known tool of this kind, identified as "CDC-BO.A" or Back Orifice. It can run on Windows 95, 98 and NT. Netbus allows a hacker to access the host machine via TCP/IP. The Netbus tool has client and server parts. The server part is installed on the remote system that is to be accessed. When run, the server part installs itself to the Windows directory and is executed automatically at the next Windows startup via the system registry, normally from the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The server part takes steps to protect itself from being removed from the system: it hides its process name in Windows Task Manager and denies access to its file on any attempt to delete or rename it.

Symptoms

If Netbus.160 is installed on a system, it creates two files: PATCH.EXE, KEYHOOK.DLL.
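The check below is an added example, not part of the original description: it looks for the two file names above in Run-key values and in a folder listing. The registry text and file listing are constructed samples, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# File names the description above gives for Netbus.160.
NETBUS_FILES = {"PATCH.EXE", "KEYHOOK.DLL"}

# Constructed sample in the layout printed by `reg query` for the Run key.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    PATCH    REG_SZ    C:\WINDOWS\PATCH.EXE
    Backup    REG_SZ    "C:\Program Files\Tools\patch.exe.bak.exe" -q
"""

VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$", re.M)
# Quoted path, or unquoted path up to its extension, or a bare token.
IMAGE = re.compile(r'"([^"]+)"|(.+?\.\w{2,4})(?=\s|$)|(\S+)')

def command_image(data):
    """Return the program path from a Run value, dropping any arguments."""
    m = IMAGE.match(data.strip())
    return next(g for g in m.groups() if g) if m else ""

def flag_run_entries(reg_text):
    """Names of Run values whose program file name matches NETBUS_FILES."""
    hits = []
    for name, _type, data in VALUE_LINE.findall(reg_text):
        # Compare the exact base name, case-insensitively; a substring test
        # would also flag the unrelated "patch.exe.bak.exe" entry.
        if PureWindowsPath(command_image(data)).name.upper() in NETBUS_FILES:
            hits.append(name)
    return hits

def files_present(names):
    """Listed file names (e.g. from the Windows folder) that match."""
    return sorted({n.upper() for n in names} & NETBUS_FILES)

if __name__ == "__main__":
    print("Run entries to review:", flag_run_entries(SAMPLE_REG))
    print("Files to review:", files_present(["WIN.INI", "Patch.exe", "KeyHook.dll"]))
```

A file-name match is a lead for review rather than a verdict, since unrelated software can ship a file called PATCH.EXE.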

Method of Infection

Running the trojan file either accidentally or intentionally will install this remote access trojan to the local system.

Removal

Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Netbus Pro
  • NETBUS.160
  • Netbus.cli
  • Netbus.dll
