-
August 20th, 2012, 08:07 PM
#1
NetBus
Hey Addicts!
I am in search of the original Delphi source code for NetBus Server.
Really don't want to set up a VM and download all the BS until I find the correct source.
If anyone actually has the source or knows a place to get the thing, shoot me an IM please
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
August 26th, 2012, 06:37 AM
#2
I found this back in 99, maybe you can find the file names. hackfix netbus delphi turns up some valid sources.
This document applies to NetBus 1.70. Last updated 1/17/99
First we need to find the name of NetBus on your system.
By default this is Patch.exe, but can be renamed easily to almost
anything, and it need not end in .exe
Note: There is an installer called game.exe, which is a real game
of 'hit the mole'. If you ran this and believe yourself to be infected,
scroll down to the bottom on the section GAME.EXE.
WARNING: Before making ANY changes to your systems registry, you
should backup your registry (using the Export command in the registry
menu), and Do Not edit or delete anything Other than what is
recommended here.
To do this you will need to use a program called RegEdit. You can go to
the Run command in your Start menu, and type regedit there to start the
program. If you are familiar with regedit, the key to edit is as follows
By using RegEdit, locate the key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
After clicking on Run the right hand panel will change.
There will be a list of items, in two columns.
In the first column, there will be a key which loads the program.
Most likely there will be many other keys as well, the first of which
is (Default) Do NOT delete any other keys except for the ones below.
The default key name is PATCH, which would look like
PATCH, "C:\windows\patch.exe /nomsg"
It's possible that NetBus will have a different name than patch.exe
However the lines for NetBus WILL ALWAYS end with /nomsg and this is
how you can be sure you have the right ones.
Make a note of any and all items ending with /nomsg, and then delete
these from the registry by right clicking on the key (right hand side)
and choosing delete.
Once you remove this from the registry, you can reboot.
This will remove the program from memory.
After you reboot, you can use Windows Explorer and find the files
you noted in the registry. Do not run any of these files! Delete them
and right after empty your recycle bin.
Additionally some find it easier to reboot into DOS, and from there
delete the files, and reboot again back into windows.
You should now be uninfected, however you may want to use our web pages, or
join #hackfix of EFNet to check again.
--OR--
If the server is installed on the default port (12345) and there is no pass
and you happen to know the port it is installed on, you can follow the
instructions below to remove the server as well.
If the server is Not on port 12345 and you don't know the port it Is on,
you will have to follow the registry edit instructions above.
Telnet to your own system (localhost) port 12345
Run telnet and in the connect menu, choose remote host.
For host type localhost and for port type 12345
It should answer with NetBus 1.70 or NetBus 1.70 x
The x at the end means there is a password set. With version 1.70,
the password backdoor has been removed, so this method won't work.
If you get an error saying you cannot connect, then netbus is not
on that port and this method again won't work.
If there is no x and you connect, type the following line :
RemoveServer;1
You most likely won't be able to see your own typing, so you may
want to copy/paste.
This will remove the program from memory and fix the registry,
however it won't remove NetBus from your HD.
Unfortunately using this method you can't find the path to the file(s),
to delete, however if method #1 fails you this may be the only option.
==+== GAME.EXE
(Added 1/17/99 first reported by ^dream^)
Game.exe is a hit the mole type game, which also installed an edited
netbus 1.70 server on your system.
Important differences are the default port is set to 12631, not 12345.
It also installs fail safes so on reboot it loads an infected registry
automatically to wipeout any changes you made to remove netbus.
Also if you have Netbuster installed, this program uninstalls the code
that causes it to startup, so you will have to reinstall netbuster to
get it to work again.
That said, there are four registry lines that it adds, which need to
be deleted
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/
NetBuster = ""
SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"
and
HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices/
Rundll32 = "rundll.dl_ /noadd"
Rundll = "regedit /s nbsetup2.reg"
After deleting these and rebooting, netbus won't load itself, and you can
delete the two files it puts on your harddisk.
c:\windows\rundll.dl_ is the netbus trojan itself
c:\windows\nbsetup2.reg is the registry that reloads netbus
Be careful as there is a rundll.exe also which is a real system file and
should Not be deleted, and you may have a rundll.dll, which is also real.
==+== References and more information ==+==
The home page of the creators of this document can be found at
http://www.hackfix.org/
Or you can always visit the channel #hackfix on the EFNet irc network,
the place where it all began.
The gene pool has no life guard!
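The registry checks from the guide in post #2, as an added example that is not part of the original post or the hackfix document: it scans a regedit text export for autostart values whose command line ends with /nomsg and for the four GAME.EXE values. It assumes the export is in REGEDIT4 text format; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the removal guide quoted in post #2 (NetBus 1.70 and the GAME.EXE variant).
GAME_EXE = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"netbuster", "syscopy"},
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices": {"rundll32", "rundll"},
}
AUTOSTART = re.compile(r"\\currentversion\\run(services)?$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg exports escape backslashes and quotes

def scan_reg_export(text):
    """Return (key, value name, data, reason) for each autostart entry the guide says to delete."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m or key is None or not AUTOSTART.search(key):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if data.rstrip().lower().endswith("/nomsg"):
            findings.append((key, name, data, "NetBus: command line ends with /nomsg"))
        elif name.lower() in GAME_EXE.get(key.lower(), ()):
            findings.append((key, name, data, "GAME.EXE variant value"))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PATCH"="C:\\windows\\patch.exe /nomsg"
"SysCopy"="command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Rundll32"="rundll.dl_ /noadd"
"Rundll"="regedit /s nbsetup2.reg"
'''

if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE):
        print(f"{reason}: [{key}] {name} = {data}")
```

The data column of each /nomsg finding is the file path the guide says to note before deleting the value, since the server may have been renamed from patch.exe.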
-
August 28th, 2012, 04:43 AM
#3
Real security doesn't come with an installer.
-
August 28th, 2012, 07:24 PM
#4
Originally Posted by D0pp139an93r
DUDE YOU ROCK!
Thank you very much. So does anyone here remember the command line switches for Borland Delphi 5.1? LOL Just kidding!
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
August 30th, 2012, 09:45 PM
#5
So does anyone here remember the command line switches for Borland Delphi 5.1?
I used to use that with Windows 3.11, but it wasn't anything modern and fancy like 5.1........... more like 1.1