ARCHIVED: What is the Netbus virus, and how do I get rid of it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Netbus virus and its variants are actually Trojan horses. Netbus is very similar to the Trojan horse called Back Orifice, and likewise infects Windows systems. It is a remote administration tool that surreptitiously accesses data and some Windows functions from remote computers. The Netbus Trojan horse comes in many versions, the most common being Netbus.160. Other versions include .153, .170, and .2.

Some of the following problems can occur as a result of the Netbus Trojan horse:

  • Keystrokes such as passwords or PINs can be read from a remote computer.
  • A .wav sound file plays.
  • Your CD-ROM tray opens and closes, once or repeatedly.
  • Your right and left mouse buttons swap functions.
  • A BMP or JPEG image file appears on your screen.
  • The volume on your speakers goes up and down.

Downloading infected files from the Internet is the most common way a system becomes infected. Opening and running an infected .exe (executable) file, whether from a download, from an email or messaging program, or from a floppy disk, will infect the computer. Your best protection is to avoid downloading or running any .exe files that are suspect.

There are two parts to this Trojan horse: the client and the server. The server is the part installed on the computer that is being accessed remotely; the client is the program used to control it. Netbus.160 creates the file PATCH.EXE, which installs the server part of the program into Windows. The next time Windows is started, Netbus starts automatically, because the command that launches it is written to the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

In order to remove the Netbus Trojan horse, delete all infected files and replace them with clean copies. Make sure that you delete the KEYHOOK.DLL and PATCH.EXE files. Use Norton/Symantec AntiVirus (NAV), which can detect and remove or quarantine the Netbus Trojan horse, to clear your system of any other infected files.

You may also need to remove the Netbus entry from the registry with regedit. However, editing the registry should only be performed by experienced users, as doing so imperfectly can cause more problems than it might solve. This entry is in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run location of the registry. See the Knowledge Base document ARCHIVED: In Windows, what is the registry?
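As an added example (not part of the original Knowledge Base document), the following PowerShell script checks the Run key named above for entries that reference the PATCH.EXE or KEYHOOK.DLL files the document lists, and reports whether the referenced file is still on disk. It is read-only: it only reports, and removal remains the manual step described above. The function name, the parameter names, and the case-insensitive substring match on the command text are assumptions of this example.

```powershell
# Added example, not code from the original IU KB article.
# Audits the Run key named in the article for entries whose command text
# references the Netbus files it lists. Reports only; it does not change anything.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# File names taken from the article; matching below is case-insensitive (-like).
$indicators = @('patch.exe', 'keyhook.dll')

function Get-SuspiciousRunEntries {
    param(
        [string]$KeyPath = $runKey,
        [string[]]$Patterns = $indicators
    )
    if (-not (Test-Path -Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        foreach ($p in $Patterns) {
            if ($command -like "*$p*") {
                # Best-effort extraction of the program path: take the quoted
                # token if present, otherwise the first whitespace-delimited token.
                $exe = ($command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
                $present = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                [pscustomobject]@{
                    ValueName        = $name
                    Command          = $command
                    Indicator        = $p
                    FileStillPresent = $present
                }
                break   # one report per registry value is enough
            }
        }
    }
}

$findings = @(Get-SuspiciousRunEntries)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Host "After deleting the file, the matching entry can be removed with:"
    Write-Host "  Remove-ItemProperty -Path '$runKey' -Name '<ValueName>'"
} else {
    Write-Host "No Run entries referencing $($indicators -join ', ') under $runKey"
}
```

Run it from an elevated PowerShell prompt so the HKEY_LOCAL_MACHINE key is readable; a hit with FileStillPresent set to True means the PATCH.EXE or KEYHOOK.DLL file has not yet been deleted as the document instructs.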

Programs such as NAV can prevent as well as remove most viruses and Trojan horses. Update the virus definitions regularly to protect your system from new viruses. For information about updating your virus definitions, see the Knowledge Base document ARCHIVED: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?

For more information, see the Netbus entries at the Symantec Online Virus Encyclopedia:

  http://securityresponse.symantec.com/avcenter/venc/auto/index/indexN.html

This is document ahkd in the Knowledge Base.
Last modified on 2018-01-18 12:44:44.