NetBus

Thread: NetBus

  1. #1
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247

    NetBus

    Hey Addicts!

    I am in search of the original Delphi source code for NetBus Server.

    Really don't want to set up a VM and download all the BS until I find the correct source.

    If anyone actually has the source or knows a place to get the thing, shoot me an IM please
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  2. #2
    Senior Member faust's Avatar
    Join Date
    Oct 2001
    Location
    Chicagoland/Murphysboro
    Posts
    105
    I found this back in 99, maybe you can find the file names. hackfix netbus delphi turns up some valid sources.

    This document applies to NetBus 1.70. Last updated 1/17/99

    First we need to find the name of NetBus on your system.
    By default this is Patch.exe, but can be renamed easily to almost
    anything, and it need not end in .exe

    Note: There is an installer called game.exe, which is a real game
    of 'hit the mole'. If you ran this and believe yourself to be infected,
    scroll down to the bottom on the section GAME.EXE.


    WARNING: Before making ANY changes to your system's registry, you
    should backup your registry (using the Export command in the registry
    menu), and Do Not edit or delete anything Other than what is
    recommended here.

    To do this you will need to use a program called RegEdit. You can go to
    the Run command in your Start menu, and type regedit there to start the
    program. If you are familiar with regedit, the key to edit is as follows

    By using RegEdit, locate the key :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    After clicking on Run the right hand panel will change.
    There will be a list of items, in two columns.
    In the first column, there will be a key which loads the program.
    Most likely there will be many other keys as well, the first of which
    is (Default). Do NOT delete any other keys except for the ones below.

    The default key name is PATCH, which would look like

    PATCH, "C:\windows\patch.exe /nomsg"

    It's possible that NetBus will have a different name than patch.exe.
    However, the lines for NetBus WILL ALWAYS end with /nomsg and this is
    how you can be sure you have the right ones.
    Make a note of any and all items ending with /nomsg, and then delete
    these from the registry by right clicking on the key (right hand side)
    and choosing delete.

    Once you remove this from the registry, you can reboot.
    This will remove the program from memory.

    After you reboot, you can use Windows Explorer and find the files
    you noted in the registry. Do not run any of these files! Delete them
    and right after empty your recycle bin.
    Additionally some find it easier to reboot into DOS, and from there
    delete the files, and reboot again back into windows.

    You should now be uninfected, however you may want to use our web pages, or
    join #hackfix of EFNet to check again.

    --OR--

    If the server is installed on the default port (12345) and there is no pass
    and you happen to know the port it is installed on, you can follow the
    instructions below to remove the server as well.
    If the server is Not on port 12345 and you don't know the port it Is on,
    you will have to follow the registry edit instructions above.

    Telnet to your own system (localhost) port 12345
    Run telnet and in the connect menu, choose remote host.
    For host type localhost and for port type 12345

    It should answer with NetBus 1.70 or NetBus 1.70 x

    The x at the end means there is a password set. With version 1.70,
    the password backdoor has been removed, so this method won't work.

    If you get an error saying you cannot connect, then netbus is not
    on that port and this method again won't work.

    If there is no x and you connect, type the following line :

    RemoveServer;1

    You most likely won't be able to see your own typing, so you may
    want to copy/paste.


    This will remove the program from memory and fix the registry,
    however it won't remove NetBus from your HD.
    Unfortunately using this method you can't find the path to the file(s),
    to delete, however if method #1 fails you this may be the only option.


    ==+== GAME.EXE

    (Added 1/17/99 first reported by ^dream^)

    Game.exe is a hit the mole type game, which also installed an edited
    netbus 1.70 server on your system.

    Important differences are the default port is set to 12631, not 12345.
    It also installs fail safes so on reboot it loads an infected registry
    automatically to wipe out any changes you made to remove netbus.

    Also if you have Netbuster installed, this program uninstalls the code
    that causes it to startup, so you will have to reinstall netbuster to
    get it to work again.

    That said, there are four registry lines that it adds, which need to
    be deleted

    HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/
    NetBuster = ""
    SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"

    and
    HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices/
    Rundll32 = "rundll.dl_ /noadd"
    Rundll = "regedit /s nbsetup2.reg"


    After deleting these and rebooting, netbus won't load itself, and you can
    delete the two files it puts on your hard disk.

    c:\windows\rundll.dl_ is the netbus trojan itself
    c:\windows\nbsetup2.reg is the registry that reloads netbus

    Be careful as there is a rundll.exe also which is a real system file and
    should Not be deleted, and you may have a rundll.dll, which is also real.



    ==+== References and more information ==+==

    The home page of the creators of this document can be found at
    http://www.hackfix.org/

    Or you can always visit the channel #hackfix on the EFNet irc network,
    the place where it all began.
    The gene pool has no life guard!
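
Added example, not part of the thread or of the hackfix document: the registry check from the guide quoted in post #2, run over a regedit export (the backup the guide recommends) instead of by eye. The sample export is constructed, and the function and constant names are assumptions of this example.

```python
import re

# Constructed sample of a REGEDIT4 export (the backup the guide tells you
# to make). Entries are illustrative; markers come from the guide above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PATCH"="C:\\windows\\patch.exe /nomsg"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SysCopy"="command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Rundll32"="rundll.dl_ /noadd"
"Rundll"="regedit /s nbsetup2.reg"
'''

AUTORUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunServices)$', re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# File names the guide lists for the GAME.EXE variant.
VARIANT_MARKERS = ("keyhook.dl_", "rundll.dl_", "nbsetup2.reg")

def unescape(s):
    # .reg files escape backslashes and quotes with a backslash; undo that.
    return re.sub(r'\\(.)', r'\1', s)

def scan_export(text):
    """Return (key, name, data, reason) for each suspicious autorun value."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = VALUE_LINE.match(line)
        if not (m and key and AUTORUN_KEY.search(key)):
            continue                  # only string values under Run/RunServices
        name, data = unescape(m.group(1)), unescape(m.group(2))
        low = data.lower().rstrip()
        if low.endswith('/nomsg'):
            findings.append((key, name, data, 'command line ends with /nomsg'))
        elif any(marker in low for marker in VARIANT_MARKERS):
            findings.append((key, name, data, 'GAME.EXE variant file name'))
    return findings

if __name__ == '__main__':
    for key, name, data, reason in scan_export(SAMPLE_EXPORT):
        print(f'{key}\n  {name} = {data}\n  -> {reason}')
```

The legitimate `Rundll32.exe` entry in the sample is not reported, matching the guide's caution about the real rundll files; the data field of each hit is the command line to note before deleting the value.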

  3. #3
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,689
    Real security doesn't come with an installer.

  4. #4
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    Quote Originally Posted by D0pp139an93r View Post
    DUDE YOU ROCK!

    Thank you very much. So does anyone here remember the command line switches for Borland Delphi 5.1? LOL Just kidding!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    So does anyone here remember the command line switches for Borland Delphi 5.1?
    I used to use that with Windows 3.11, but it wasn't anything modern and fancy like 5.1........... more like 1.1
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
