WackAMole is Really a Trojan
The game WackAMole is actually a trojan containing the NetBus remote control server. Ken Pfeil sent us this email on September 13, 1998:
NetBus listens on TCP ports 12345 and 12346. Use the NETSTAT command to see if your system has NetBus listening (issue "netstat -an" at the command prompt). If one of those two ports is listening, TELNET to that port and look for the response "NetBus 1.xx".
ISS X-Force has discovered that there is a backdoor in NetBus that will allow anyone to connect with no password. When the client sends the password to the server, it sends a string similar to "Password;0;my_password". If the client uses a 1 instead of a 0, you will be authenticated with any password.
To Remove NetBus:
Find the name of the NetBus server, which is most often Patch.exe. To do so, run REGEDIT and find the registry key:
Items listed in this key run at boot up. Look for a suspicious entry in the key, checking each entry carefully. If necessary, run each program listed in the "Run" key to verify. Once the NetBus program has been located, issue the command "NetBus-Program-Name /remove", where NetBus-Program-Name is the actual name of the program.
Additionally, you may run the NetBus client, connect to the machine you want to remove NetBus from, choose Server Admin, and then click the Remote Server button.
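The "netstat -an" and banner checks described above can be scripted. The following is an added example in Python, not part of the original advisory; the function names and the sample netstat output are constructed for illustration.

```python
import re
import socket

NETBUS_PORTS = {12345, 12346}  # the two TCP ports named in the advisory

# One row of Windows "netstat -an" output: proto, local, foreign, state.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def port_of(endpoint):
    """Return the port from '0.0.0.0:12345' or '[::]:12345', else None."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_netbus_listeners(netstat_text):
    """Return sorted (local_address, port) pairs LISTENING on a NetBus port."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines and UDP rows are ignored
        local, _foreign, state = m.groups()
        port = port_of(local)
        # Only the local column in LISTENING state counts; an outbound
        # connection to a remote port 12345 is not a local listener.
        if state.upper() == "LISTENING" and port in NETBUS_PORTS:
            hits.add((local, port))
    return sorted(hits)

def is_netbus_banner(data):
    """True if bytes read from the port start with the 'NetBus 1.xx' greeting."""
    return re.match(rb"NetBus 1\.\d", data) is not None

def read_banner(host, port, timeout=3.0):
    """Connect as in the TELNET step and return the first bytes the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(64)
        except socket.timeout:
            return b""  # port open but silent: not the NetBus greeting

# Constructed sample of "netstat -an" output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:12345         ESTABLISHED
  UDP    0.0.0.0:12346          *:*
"""
```

A listener on one of the two ports is only a lead, since other software can bind them; pass the result of `read_banner("127.0.0.1", port)` to `is_netbus_banner` to confirm before starting removal.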
Credits
- Originally reported by Ken Pfeil
- Posted on The NT Shop on September 13, 1998