Main Menu
Contact Us

Netbus RAT Information

Name: Netbus
Category: RAT
Advice: Remove
Risk: Severe Risk Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.
Description: NetBus allows a remote user to access and control your machine by way of its Internet link.

NetBus runs under the NT operating system as well as Win95/98.

NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998. Version 1.5 in English appeared in April. NetBus apparently received little media attention but it was in fairly wide use by the time BO was released on 3 August. In late August, NetBus version 1.60 was made available.

NetBus has grown rapidly in use, apparently in part because of the widely publicized launch of Back Orifice, which drew attention to tools of this kind and undoubtedly attracted thousands of new hacker-wannabes to the game. I now see almost as much email about NetBus as BO, and very frequently both trojans are installed and running in the victim's computer at the same time. Undoubtedly many attackers seek to establish multiple means of entry once access has been gained.

NetBus is stealthy enough to reside unnnoticed on the vast majority of Netizens' systems. It is sophisticated yet almost incredibly easy to use; and thoroughly prone to serious misuse.

NetBus and other remote-admin trojans have two essential parts; a server (the part that resides on the victim's system) and a client (the application used to find and control the server). Features and functions vary, but the result is much the same; near-total loss of privacy and security with respect to your computer anytime it's on the Net. Once in place, these trojans open the victim to endless possibilities ranging from mere pranks to viruses, serious loss or theft of valuable or sensitive data, other trojans, and so on.

The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.

Like BO, the NetBus server can have practically any filename. The usual way it is installed is by simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.

The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.

There are now three versions of NetBus in circulation; version 1.5x (usually 1.53), version 1.6, and version 1.7.

NetBus is now capable of redirecting input to a specified port to another IP address via the server machine. This means the remote user can do mischief on a third machine someplace on the Net, and his connection will appear to come from the redirecting address. This feature, truly useful as a tool for illegal computer trespass, makes a certifiable liar of Mr. Niekter, the creator of NetBus. He claims NetBus is intended only for legitimate remote administration and "to have fun" with one's "friends." There is virtually no conceivable legitimate cause for such redirections, and nothing "fun" about it when the trojan victim is prosecuted for computer crimes he did not commit.

In addition, NetBus now allows the assignment of an application to a TCP port. Most usually this is done with a command interpreter ( or Cmd.exe), giving free access to a DOS command line via telnet. Those familiar with DOS will know this gives the user very extensive control over the host machine. My tests show that most DOS applications requiring interactive input (such as

Signatures: process: salvapantallas.exe: MD5 Hash: 06e09099aaeb34fe1ee... process: execution.exe: MD5 Hash: ... process: leszcz.exe: MD5 Hash: a127656e780e5b9a82b... process: viva.exe: MD5 Hash: e2276c429a852066e93... process: wizjatv.exe: MD5 Hash: c7285a2a557e88cf09f... process: nb2.0b.exe: MD5 Hash: 24f98d640dcd0528dda... process: nb2.0f.exe: MD5 Hash: f42d83ef6c5968162bc... process: netbus.exe: MD5 Hash: ac9dfd370030a170ade... process: patch.exe: MD5 Hash: 6a2d832c8da4657a53b... process: nbpro210.exe: MD5 Hash: a31750fba99e5d11fc9... process: netbus.exe: MD5 Hash: 9ebb61fb00f4bbb9f58... process: netbus.exe: MD5 Hash: 5dd542fdfd78f18600e... process: sysedit.exe: MD5 Hash: 09c1228471f7abdb567... process: netbus.exe: MD5 Hash: 63e0fa3b64cfc08fd94... process: netbus.exe: MD5 Hash: 3a29778eb1b14439de9... process: sysedit.exe: MD5 Hash: 3153109d7eeb1ba1625... process: lramkit98br.exe: MD5 Hash: 558891776ee77c5fa63... process: netbus.exe: MD5 Hash: de42790906af84a7784... process: netbus.exe: MD5 Hash: 433c6e55980955dd22e... process: netbus.exe: MD5 Hash: aac676aa40ddf9922a8... process: patch.exe: MD5 Hash: be2bc705d140f0f4010... process: patch.exe: MD5 Hash: f842a567d0c983978b0... process: patch.exe: MD5 Hash: b02e68603e293ca5308... process: -154956062.exe: MD5 Hash: a49ed8fc2a9b0b4b34e... process: 1160450453.exe: MD5 Hash: 3667e09c90f268d3b1f... process: about.exe: MD5 Hash: ba822f5206e4f0ee747... process: client.exe: MD5 Hash: e923d23c3e4a4e06a22... process: lekker_wijf.exe: MD5 Hash: 738fb8fca5c27c26ec8... process: mpower.exe: MD5 Hash: 1f269739a6bf093bbd7... process: mp_bus.exe: MD5 Hash: 8c0b3934ae3aae3336f... process: netbus.exe: MD5 Hash: 67a8e2d5ccfe6eeed1f... process: patch.exe: MD5 Hash: 68f8c004d26f07f0f01... process: retail_11a - netbus2.0invisibleserver.exe: MD5 Hash: 23e25bf127e03971499... process: killme.exe: MD5 Hash: fb9d6dd416f4c56cee3... process: nbsvr.exe: MD5 Hash: fff5efd336aa72f3db4... process: nbsvr.exe: MD5 Hash: 2e108c9cb83088fe36d... process: nbsvr.exe: MD5 Hash: 1af33ba15537d993b27... process: netbus.exe: MD5 Hash: 5a67939a8fd1577a3b2... process: netbus.exe: MD5 Hash: 0a6fb23cabc6171f6dc... process: netbus.exe: MD5 Hash: 166d66c5e64c121bb91... process: nbpro201.exe: MD5 Hash: c6e9880589e322c51ce... process: nagbbs.exe: MD5 Hash: b3b8e5f4ad8c7023e5d... process: MD5 Hash: fb8ca8889f94b6eaed2... process: guphbus.exe: MD5 Hash: c0e9593c4a16973af7f... process: ultima.exe: MD5 Hash: e36c3fc1f4878f66c98... process: wizjatv.exe: MD5 Hash: ... process: netbushack.exe: MD5 Hash: 35c32da3741fe38ff0d... process: netbushack.exe: MD5 Hash: e95e087893546a99f52... process: 1420585869.exe: MD5 Hash: aaeda2ffcbd43cbc4f3... process: nbpatcher.exe: MD5 Hash: 0bcdf2ee62d55929199... process: netbusytoy.exe: MD5 Hash: 66276f05c0816dea3e3..
Type: RAT - A Trojan software is any software on a user's computer that the user is not aware or intentionally installed. Most Trojan software is designed to perform some sort of actions that could jeopardize the user's security or privacy.

Top RAT Visited Pages:
SubSeven - Alias: BackDoor-G22, BackDoor-Sub7 - 755 visits
NetBus v.1.70 - 476 visits
Pornu - Alias: Backdoor.Pornu - 207 visits
Alien Spy - Alias: Backdoor.Alien - 200 visits
Cyrex msn trojan - Alias: BackDoor-AOB,,, Cyrex msn trojan, W32/Delf.B - 135 visits
The Prayer - Alias: BackDoor-DI, Backdoor.Prayer.15 - 130 visits
Netbus - Alias: Backdoor.Netbus - 122 visits
Global Killer - Alias: Backdoor.GlobalKiller 1.0, Global Killer 1.0 - 116 visits
AutoSpY - Alias: Backdoor.AutoSpy - 113 visits
Optix Pro - 105 visits

Random RAT Pages:
Skull DeBurrower
Skull DeBurrower - Alias: BackDoor-ARU.gen, Backdoor.Skubur.b
New Silencer - Alias: Backdoor.Silencer, Backdoor.Silencer.a, W32/Backdoor.Silencer
Ambush 1.0 - Alias: BackDoor-FO, Backdoor.Ambush
QwErTos RAT - Alias: BackDoor-KF Backdoor.Latinus.e
Celine - Alias: BackDoor-NY, BackDoor-OY, Backdoor.Celine
Butt Funnel


2006-2008 - Privacy Policy