NetBus is a remote administration tool, much like the infamous
Back Orifice tool. However, Netbus predates Back Orifice by
several months and is also capable of working under Windows NT in
addition to Windows 95 and 98.
Netbus allows a hacker to access data and gain control over some
Windows functions on remote computer system.
NetBus tool has client and server parts. The server part is
installed on a remote system to be accessed. Version 1.60 of
NetBus server is a Windows PE file named PATCH.EXE. On execution
the server part installs itself to Windows directory and it will
be executed automatically during next Windows startup. The
execution command for the server part is written to the registry:
The server part takes steps to protect itself from being removed
from the system - it hides its process name in Windows task
manager and denies access to file on attempt to delete or rename
it. When the server part is called with '/noadd' command line it
will be not started every time Windows starts. When '/remove'
command is passed to server part, it removes itself from the
The client part allows to control the remote computer system
where the server part is installed and activated. The client part
has a dialog interface which allows to perform tricks (some of
them are really nasty) on remote system and to receive/send data,
text and other information.
The client and server parts use TCP/IP protocol to communicate
with each other. The client part has an option to scan a range of
IP addresses to search for active server part and connect to it.
Below is a list of NetBus features:
1. Open/close the CD-ROM tray once or in intervals (specified in
2. Show optional BMP or JPG image (full path allowed);
3. Swap mouse buttons - the right button gets the left button's
functions and vice versa;
4. Start optional application (full path allowed);
5. Play optional WAV sound-file (full path allowed);
6. Point the mouse to optional coordinates;
7. Show a message dialog on the screen and allow the user on
remote system to answer it;
8. Shutdown Windows, reboot, logoff or power off;
9. Go to an optional URL within the default web-browser;
10. Send keystrokes to the active application on the target
11. Listen for keystrokes on remote system and save them to file;
12. Get a screenshot from remote computer;
13. Return information about the target computer;
14. Upload any file to the target computer or update the server
part of NetBus;
15. Increase and decrease the sound-volume;
16. Record sounds that the microphone catch - to listen what
happens in the room where remote computer is;
17. Make click sounds every time a key is pressed;
18. Download and deletion of any file from the target system;
19. Blocking certain keys on the remote system keyboard;
20. Password-protection management of the remote server;
21. Show, kill and focus windows on remote system.
F-Secure Anti-Virus detects and removes versions 1.2, 1.53, 1.60,
1.70 and 2.0 Pro of NetBus.
Netbus 2.0 Pro is now detected and removed, although it is now
Contact http://www.netbus.org if you have questions about the
commercial status of Netbus.
Recently there appeared reports that a trial version of Adobe Acrobat
4.0 contained a server part of NetBus. NAI's (former McAfee's)
anti-virus scanner detected 'NetBus.dr' in one of the files
distributed with Acrobat installation. This caused accusations of
Adobe spreading a spy tool among its users. But the recent
investigations showed that this was only a false alarm of McAfee's
product. McAfee's anti-virus researchers confirmed the fact of false
alarm and promised to fix the problem ASAP.
NetBus can be successfully disinfected with a fresh version of
FSAV and the latest updates for it.
Note that NetBus file(s) might be locked while Windows is active
and older versions of FSAV for Windows might not be able to
remove it. In this case you can exit to DOS and remove the NetBus
file(s) manually. You can also use a free version of F-Prot for
DOS to remove NetBus from an infected system. It is a requirement
to perform disinfection from pure DOS.
For successful disinfection all files detected as NetBus should
be deleted from an infected system.
[Analysis: Alexey Podrezov & Mikko Hypponen, F-Secure Corp., 1998-2001]