
Trojan Horses

Trojan Horses: Back Orifice, Netbus and others
[last updated: Thursday, December 24, 1998]

*** IMPORTANT NEWS! NEW -VERY DANGEROUS- VIRUS: REMOTE EXPLORER ***


A new virus/trojan horse has been discovered: Remote Explorer! DIGIFRIENDS has opened a special page on this new virus, the most intelligent ever found, with information about how to detect it, which fixes/detection applications are available and much more. We highly recommend you visit the special page, and at this moment recommend that you revisit it every hour, as we are placing more and more info online as soon as we receive it.

New threats on the Internet. Well, not really new, but recently two new Trojan Horses were discovered. The first one is called Back Orifice... the second one NetBus. Besides discussing what you can do against these two "viruses" (I'm not sure if virus is the correct word for BO or Netbus, but to keep this page easy to read I'll use that word), the question remains: what other unknown viruses or Trojan Horses might be running on your system without you knowing?

Should you panic? Personally, I don't think so. I have been on the Internet quite some time now, and there are some things you should simply keep in mind so that you stay careful. My motto is "better safe than sorry", so what I don't do is, for example, accept files from people on IRC. The first thing I do when I try some sort of new Internet application is to turn off all auto-accept options. I want to keep in control. I do not open email attachments I do not trust. Just to be sure, I scan the email attachments I do trust first, before opening them.

These are just a few things I do as a precaution. Who can you trust? That's hard to answer; maybe it doesn't even have to do with trust. Somebody you know might have a virus on his or her system without knowing it. When he or she uploads something to you, you might have it too. Another good example: I needed information about a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site and when opening a document (Word) from that FTP site I noticed it contained a macro virus. I discovered it in time, because I'm careful. That's probably the most important thing you can do against viruses.

What do they do?
Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. The difference between Back Orifice and Netbus is that Netbus infects Windows NT as well as 95 and 98. Back Orifice is said to be only capable of infecting Windows 95/98. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listening to what you are doing!

How do people find an infected PC on the Internet?
Some versions of the trojan horse report the IP address of a PC, once connected to the Internet, on an IRC channel. Other methods used are port scanners, which scan a range of IP addresses/ports to find a PC which has "the backdoor open". Not all versions of the trojan horses are accessible by anybody with a client, some are even "customized" with password protection, which means that if a system is infected, it can only be accessed by the person who has the password.

How to find out if you are infected with BO or NetBus
I have heard and read about a few methods by which you can possibly find out if you are "infected" by Back Orifice or Netbus. If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk.

  1. What I recommend most is to search for information on the two Trojan Horses on the site of a well known anti-virus brand like McAfee.

    For detection of Netbus, McAfee has the following information pages:
    NETBUS.160
    NETBUS.153

    Another anti-virus software company, Data Fellows, has information about Back Orifice.

  2. Netbus might be found with telnet. Open a DOS box and type:

    telnet 127.0.0.1 12345
    telnet 127.0.0.1 12346

    Telnet opens; if a line in your telnet window contains the word netbus (without the quotes), your system is infected with Netbus.

  3. For both Back Orifice and Netbus there is another possible way to find out if you are infected with one of them. Close all your applications, especially those that use network shares. Open a DOS box and run the following command:

    netstat -an|more

    Back Orifice possibly replies with:

    UDP 0.0.0.0:31337 *:*

    NetBus possibly replies with:

    TCP 0.0.0.0:12345 *:*
    TCP 0.0.0.0:12346 *:*

    Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.

  4. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    This key lists all programs which are run as a service. If you find a service called .exe (yes, .exe, with no name before the dot) or a service with a very strange name whose file size is about 122 Kb, then it's possible that you are infected with Back Orifice.

    "Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry.

  5. If weird things start happening on your system, for example missing files/directories, a CD-ROM drive that suddenly opens and closes, etc., then it's possible your system is infected with Back Orifice or Netbus.

  6. Back Orifice: Another method of finding out if your system is infected by BO is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected.
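Methods 3 and 4 above are both pattern checks over text you already have on screen: the netstat listing and the RunServices key. The following Python script is an added example (not part of the original page) that automates those two checks. It parses a constructed sample of netstat -an output and flags the listener ports the page names (UDP 31337 for Back Orifice, TCP 12345/12346 for NetBus), marks other high-numbered listeners for review as the page suggests, and scans a constructed REGEDIT4 export of the RunServices key for a value named .exe or launching a bare .exe. The sample data, the 1024 threshold and the function names are my own assumptions; the page's 122 Kb file-size indicator is not checked because it needs the file on disk.

```python
import re

# Listener ports the page associates with the two trojans (values from the page).
KNOWN_TROJAN_PORTS = {
    ("UDP", 31337): "Back Orifice (default port)",
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
}

# Constructed sample of `netstat -an` output (not captured from a real box).
# The 12345 line uses the state-less form the page shows; the others use the
# Windows column layout with a State field for TCP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          *:*
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each socket line."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, blank or column-caption line
        proto, ip, port, foreign, state = m.groups()
        sockets.append((proto, ip, int(port), foreign, state or ""))
    return sockets


def is_listener(sock):
    """A socket is waiting for inbound connections if it is LISTENING, or (when
    netstat prints no state, as for UDP and the page's sample lines) bound to *:*."""
    _proto, _ip, _port, foreign, state = sock
    if state:
        return state == "LISTENING"
    return foreign == "*:*"


def flag_listeners(text, review_above=1024):
    """Classify every listening socket as a known trojan port, 'review' (high port,
    the page's 'strange reply' case) or 'ok'. Returns (proto, port, verdict) tuples."""
    findings = []
    for sock in parse_netstat(text):
        if not is_listener(sock):
            continue
        proto, _ip, port, _foreign, _state = sock
        if (proto, port) in KNOWN_TROJAN_PORTS:
            findings.append((proto, port, KNOWN_TROJAN_PORTS[(proto, port)]))
        elif port >= review_above:
            findings.append((proto, port, "review"))
        else:
            findings.append((proto, port, "ok"))
    return findings


# Constructed REGEDIT4 export of the RunServices key (assumed entries, not a real dump).
# .reg files double every backslash inside quoted data.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
".exe"="C:\\WINDOWS\\SYSTEM\\.exe"
"""

REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')


def suspicious_runservices(reg_text):
    """Return RunServices value names whose name, or the program they launch,
    is a bare '.exe' with nothing before the dot (the page's Back Orifice sign)."""
    flagged = []
    in_runservices = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_runservices = line.rstrip("]").upper().endswith("\\RUNSERVICES")
            continue
        if not in_runservices:
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, data = m.groups()
        path = data.replace("\\\\", "\\")       # undo .reg backslash doubling
        tokens = path.split("\\")[-1].split()   # basename, then drop arguments
        program = tokens[0] if tokens else ""
        if name.strip().lower() == ".exe" or program.lower() == ".exe":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for proto, port, verdict in flag_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port}: {verdict}")
    print("suspicious RunServices entries:", suspicious_runservices(SAMPLE_REG_EXPORT))
```

On a real machine you would feed the script the saved output of netstat -an and a regedit export of the RunServices key instead of the constructed samples; a clean result still proves nothing, exactly as the page warns, since a customized trojan can listen on any port and use any name.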

I found one! What now?
Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are the trojan horses themselves. For that reason you have to be very careful about which removal application you are going to use.

What I recommend most, again, is to use a well-known brand virus scanner which can detect and remove viruses like Back Orifice and Netbus. Always check whether this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods for removing Back Orifice from your system.

Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it).

More applications and tools for detecting and/or destroying Trojan Horses can be found in the DIGIFRIENDS.COM freeware & shareware area: Security: Anti-Virus Software, Security: Miscellaneous and for those of you who are looking for protection against winnukes visit Security: Anti Winnuke.

Some providers have special email addresses at which you can report trojan horse "attacks". If you have found out that your system is infected with Back Orifice or Netbus, and you know how it got infected, it might be wise to contact your provider, if they have a special email address for this, and explain the situation to them. This might help to prevent other people from getting infected too.

Other sites/pages for more information about Back Orifice and Netbus:

POLDERWARE Internet Development and Site Maintenance

Copyright © 1997-1998 POLDERWARE. All rights reserved.