ARCHIVED: What is the Netbus virus, and how do I get rid of it?
The Netbus virus and its variants are actually Trojan horses. Netbus is very similar to the Trojan horse called Back Orifice, and likewise infects Windows systems. It is a remote administration tool that surreptitiously accesses data and some Windows functions from remote computers. The Netbus Trojan horse comes in many versions, the most common being Netbus.160. Other versions include .153, .170, and .2.
Some of the following problems can occur as a result of the Netbus Trojan horse:
- Keystrokes such as passwords or PINs can be read from a remote computer.
- A .wav sound file plays.
- Your CD-ROM tray opens and closes, once or repeatedly.
- Your right and left mouse buttons swap functions.
- A BMP or JPEG image file appears on your screen.
- The volume on your speakers goes up and down.
Downloading infected files from the Internet is the most common way a system becomes infected. Opening and running an infected .exe (executable) file, whether from a download, from an email or messaging program, or from a floppy disk, will infect the computer. Your best protection is to avoid downloading or running any .exe files that are suspect.
There are two parts to this Trojan horse: the client and the server. The server is loaded on the remote computer that is being accessed. Netbus.160 creates the file PATCH.EXE, which installs the server part of the program into Windows. The next time Windows is started, Netbus starts automatically. This execution command is written to the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
In order to remove the Netbus Trojan horse, delete all infected files and replace them with clean copies. Make sure that you delete the KEYHOOK.DLL and PATCH.EXE files. Use Norton/Symantec AntiVirus (NAV), which can detect and remove or quarantine the Netbus Trojan horse, to clear your system of any other infected files.
You may also need to remove the Netbus entry from the registry with regedit. However, editing the registry should only be performed by experienced users, as doing so imperfectly can cause more problems than it might solve. This entry is in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run location of the registry. See the Knowledge Base document ARCHIVED: In Windows, what is the registry?
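The following PowerShell script is an added, audit-only example (not part of the original Knowledge Base article) that checks the two places the article names: the HKEY_LOCAL_MACHINE Run key, for any autostart value referencing PATCH.EXE or KEYHOOK.DLL, and the Windows directory, for the files themselves. It assumes the server files were dropped under $env:windir, since the article only says the server is installed "into Windows"; it reports findings and does not delete anything.

```powershell
# Added example (not from the original KB article): audit-only check for the
# Netbus server autostart entry and the files the article names. Assumes the
# server files live under the Windows directory ($env:windir); adjust if needed.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspects = @('PATCH.EXE', 'KEYHOOK.DLL')   # file names listed in the article

function Get-NetbusIndicators {
    $findings = @()

    # 1. Inspect every value under the Run key and flag any command line that
    #    references one of the suspect file names (-match is case-insensitive).
    if (Test-Path $runKey) {
        $key = Get-Item $runKey
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            foreach ($s in $suspects) {
                if ($cmd -match [regex]::Escape($s)) {
                    $findings += [pscustomobject]@{
                        Kind   = 'RunKeyValue'
                        Where  = "$runKey\$name"
                        Detail = $cmd
                    }
                }
            }
        }
    }

    # 2. Check whether the named files are present in the Windows directory.
    foreach ($s in $suspects) {
        $path = Join-Path $env:windir $s
        if (Test-Path $path) {
            $findings += [pscustomobject]@{
                Kind   = 'File'
                Where  = $path
                Detail = (Get-Item $path).LastWriteTime
            }
        }
    }
    return $findings
}

$result = Get-NetbusIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Netbus indicators found in the Run key or Windows directory.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; any hit on the Run key is the entry the article says to remove with regedit, and any file hit is one of the files it says to delete.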
Programs such as NAV can prevent as well as remove most viruses and Trojan horses. Update the virus definitions regularly to protect your system from new viruses. For information about updating your virus definitions, see the Knowledge Base document ARCHIVED: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?
For more information, see the Netbus entries at the Symantec Online Virus Encyclopedia:
http://securityresponse.symantec.com/avcenter/venc/auto/index/indexN.html
This is document ahkd in the Knowledge Base.
Last modified on 2018-01-18 12:44:44.