Access Denied: Detecting NetBus on Company Computers

After several employees noticed strange occurrences such as their CD-ROM drives opening and closing for no reason, I discovered that the company had been infected with NetBus after employees played and shared the Whackamole game. How can I detect and delete NetBus from all the company's computers?

NetBus is a remote-control program: an attacker tricks a victim into installing the NetBus server, which then lets the attacker take control of the victim's computer. NetBus, originally released for Windows NT, unfortunately also works well on Windows 2000. The NetBus server lets anyone with the NetBus client that Figure 2 shows connect to computers running the NetBus server, then upload and download files, execute programs, direct victims' browsers to potentially inappropriate Web sites, and even bug victims' offices by using the microphone in their computers. The NetBus server is named patch.exe. If patch.exe is on your computer, NetBus has infected it. However, remember that attackers can rename patch.exe to something else before they infect you.

Some copies of the Whackamole game are Trojan horses that silently install the NetBus server. If Whackamole has infected a computer with NetBus, you'll find a file called explore.exe (not Windows Explorer) instead of patch.exe. But Whackamole is just one way a user might install NetBus. To find NetBus, you can also scan for computers with TCP ports 12345 and 12346 open. However, finding these ports closed doesn't mean that NetBus is absent; attackers can also custom-configure which TCP ports will be open.

Up-to-date virus scanners such as Symantec's Norton AntiVirus catch NetBus, whatever its name. Note that NetBus restarts anytime the victim logs on because it adds a value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey. For more information about NetBus, go to http://www.nwinternet.com/~pchelp/nb/netbus.htm.
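The three indicators above (the patch.exe and explore.exe file names, the default TCP ports 12345 and 12346, and the Run registry subkey) can be checked on each machine with a script. The following PowerShell is an added example written for this column, not code from the original article; it assumes a modern Windows host where Get-NetTCPConnection is available and, for fleet-wide use, that WinRM is enabled for Invoke-Command.

```powershell
# Added example: host-side NetBus indicator check. Indicator names and ports
# come from the column; anything else (directories searched, output format)
# is an assumption of this example. Run locally, or on many hosts with
# Invoke-Command -ComputerName <list> -FilePath .\Find-NetBus.ps1 (requires WinRM).

$SuspectNames = @('patch.exe', 'explore.exe')   # server file names named in the column
$SuspectPorts = @(12345, 12346)                 # default NetBus listener ports
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Test-NetBusRunKey {
    # Flags any Run value whose command line references a suspect file name.
    # A renamed server will not match, so an empty result is not proof of absence.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |            # skip provider metadata
        Where-Object { $v = "$($_.Value)"; ($SuspectNames | Where-Object { $v -like "*$_*" }) } |
        ForEach-Object { [pscustomobject]@{ Indicator = 'RunKey'; Name = $_.Name; Value = $_.Value } }
}

function Test-NetBusPorts {
    # Looks for a local listener on the default ports and names the owning process.
    # Custom-configured ports will not show here; pair this with a network scan.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SuspectPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Indicator = 'Port'; Name = $_.LocalPort; Value = $proc.Path }
        }
}

function Test-NetBusFiles {
    # Searches the Windows and System32 directories (assumed locations) for the
    # two file names; widen the -Path list for a slower but more thorough sweep.
    $dirs = @($env:SystemRoot, "$env:SystemRoot\System32")
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspectNames -contains $_.Name.ToLower() } |
        ForEach-Object { [pscustomobject]@{ Indicator = 'File'; Name = $_.Name; Value = $_.FullName } }
}

$findings = @(Test-NetBusRunKey) + @(Test-NetBusPorts) + @(Test-NetBusFiles)
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no NetBus indicators found (renamed servers and custom ports evade this check)"
} else {
    $findings | Format-Table -AutoSize
}
```

Treat a hit as a lead to confirm with an up-to-date virus scanner rather than as proof on its own, and treat a clean result the same way, since the column notes that both the file name and the ports can be changed by the attacker.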
