WackAMole is a NetBus Trojan

WackAMole is Really a Trojan
Reported September 13, 1998 by Ken Pfeil


  • NT Windows machines infected with NetBus


The game WackAMole is actually a trojan containing the NetBus remote control server. Ken Pfeil sent us this email on September 13, 1998:

From [email protected] Sun Sep 13 10:02:57 1998
Received: from mrout1.se.mediaone.net (duval.se.mediaone.net [])
by ntg (2.5 Build 2638 (Berkeley 8.8.6)/8.8.4) with ESMTP
    id KAA01548 for <[email protected]>; Sun, 13 Sep 1998 10:02:55 -0500
Received: from SICKOFSPAM.bigfoot.com (surf1825.ccse.net [])
    by mrout1.se.mediaone.net (8.8.8/8.8.8) with ESMTP id LAA19368
    for <[email protected]>; Sun, 13 Sep 1998 11:33:16 -0400 (EDT)
Message-ID: <[email protected]>
Date: Sun, 13 Sep 1998 11:30:35 -0400
From: Ken Pfeil <[email protected]>
X-Mailer: Mozilla 4.05 [en] (WinNT; I)
MIME-Version: 1.0
To: [email protected]
Subject: Game "Whackamole" is a NETBUS Trojan
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The game whackamole.exe, file size 314,636, credited to [email protected], is actually a NetBus Trojan. It is contained within Whackjob.zip, and installs "patch.exe" within the InstallShield script for the game install. The program Netbus.exe is renamed Explore.exe during the install. Needless to say, this can be quite serious on a 40,000 user network. You can't run command line programs directly from "launch program" but you can execute "Net Localgroup "administrators" "Me" /add" or the like from .bat files directly uploaded to the %systemroot% or other path.


NetBus listens on TCP ports 12345 and 12346. Use the NETSTAT command to see if your system has NetBus listening (issue "netstat -an" at the command prompt). If one of those two ports is listening, TELNET to that port and look for the response "NetBus 1.xx".
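The same check in script form, as an added example that is not part of the original advisory: it parses "netstat -an" output for the two NetBus listening ports and matches the "NetBus 1.xx" greeting that the TELNET step looks for. The netstat sample below is constructed, and the host/port passed to the banner probe are assumptions.

```python
import re
import socket

# The two TCP ports named in the advisory.
NETBUS_PORTS = {12345, 12346}
# Greeting the server sends on connect, e.g. "NetBus 1.60".
BANNER_RE = re.compile(r"^NetBus\s+(\d+\.\d+)")


def netbus_listeners(netstat_output):
    """Return the NetBus ports found in LISTENING state in `netstat -an` output."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        # Skip headers and UDP rows (which carry no state column).
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local_addr, state = parts[1], parts[-1]
        port = int(local_addr.rsplit(":", 1)[1])
        if port in NETBUS_PORTS and state.upper() == "LISTENING":
            found.add(port)
    return sorted(found)


def parse_banner(banner):
    """Return the version from a 'NetBus 1.xx' greeting, or None if it is not NetBus."""
    match = BANNER_RE.match(banner.strip())
    return match.group(1) if match else None


def probe_banner(host, port, timeout=3.0):
    """Connect to a suspected port and read its greeting (the TELNET check, automated)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = sock.recv(64)
    return parse_banner(data.decode("ascii", "replace"))


# Constructed sample of `netstat -an` output from an infected NT host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1037          10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    print("suspicious listeners:", netbus_listeners(SAMPLE_NETSTAT))
```

On a live host, feed the real "netstat -an" output to netbus_listeners and call probe_banner("127.0.0.1", port) for each port it returns; a non-None result confirms the NetBus greeting.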

ISS X-Force has discovered that there is a backdoor in NetBus that will allow anyone to connect with no password. When the client sends the password to the server, it sends a string similar to "Password;0;my_password". If the client uses a 1 instead of a 0, you will be authenticated with any password.

To Remove NetBus:

Find the name of the NetBus server, which is most often Patch.exe. To do so, run REGEDIT and find the registry key:


Items listed in this key run at boot up. Look for a suspicious entry in the key, checking each entry carefully. If necessary, run each program listed in the "Run" key to verify. Once the NetBus program has been located, issue the command "NetBus-Program-Name /remove", where NetBus-Program-Name is the actual name of the program.

Additionally, you may run the NetBus client, connect to the machine you want to remove NetBus from, choose Server Admin, and then click the Remote Server button.

To learn more about NT Security concerns, subscribe to NTSD

- Originally reported by Ken Pfeil
- Posted on The NT Shop on September 13, 1998