Netbus.160.W95

SUMMARY

The Netbus.160.W95.Trojan places a reference in the Windows registry that attempts to load the infected file when Windows starts. This file, which Norton AntiVirus (NAV) detects as Netbus.160.W95.Trojan, is usually named MyComputer.exe, but at least one variant is named Hacker411.exe.

Behavior

Symptoms

Transmission

Protection

• Virus Definitions (Intelligent Updater) September 10, 1998

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: 50 - 999
• Number of Sites: More than 10
• Geographical Distribution: High
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Compromises Security Settings: May allow unauthorized access to your computer

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

Netbus.160.W95.Trojan is a backdoor Trojan horse that allows a hacker to gain unauthorized access to the computer. When it is run, the Trojan is installed on the system, and a reference is added to the following registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

This ensures that the Netbus.160.W95.Trojan file is executed when Windows starts. The Trojan remains memory resident and opens a port to allow a hacker to access the computer.

The Trojan can be included in another program, such as a computer game. In this case, the Trojan is executed in the background while the program runs.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this Trojan, you need to:

• Run LiveUpdate and then run a full system scan. Delete any files detected as Netbus.160.W95.
• Restart the computer in Safe Mode, and remove the reference from the registry.
• Run another full system scan with NAV.

Here are detailed instructions. Please follow the instructions in each section.

To scan with NAV:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start NAV, and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as Netbus.160.W95, write down their locations, and then delete them.
   
   NOTE: If the file is in use, NAV may not be able to delete it. In this case, choose Ignore, and then go on to the next section.

To restart the computer in Safe Mode
To restart the computer in Safe Mode, follow the steps for your version of Windows. When you finish this, proceed to the next section.

NOTE: In Safe Mode, Windows uses default settings (VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows). You will not have access to CD-ROM drives, printers, or other devices.

• Windows 95
  1. Exit all programs, and then shut down the computer.
  2. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  3. When you see the "Starting Windows 95" message, press F8.
  4. Type the number for Safe Mode, and then press Enter.
     
• Windows 98
  1. Click Start, and then click Run.
  2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
  3. Click the General tab, and click Advanced.
  4. Check Enable Startup Menu, click OK, and then click OK again.
  5. Exit all programs, and then shut down the computer.
  6. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  7. Turn on the computer, and then wait for the menu.
  8. Type the number for Safe Mode, and then press Enter.
     
• Windows 2000
  1. Exit all programs, and then shut down the computer.
  2. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  3. As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to this: |||||||||||||||||||||||||||||. Beneath this line you will see the text, "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.
  4. Type the number for Safe Mode, and then press Enter.

To edit the registry:
Please follow these steps to remove the entry that the Trojan placed in the registry Run key:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, look for the entry that refers to the file in which the Trojan was detected. It should look similar to one of the following:
   • If the Trojan was found in the file MyComputer.exe:
     
     (Default)        "C:WindowsMyComputer.exe"
     
     Right-click the entry, press Delete, and then click Yes to confirm.
     
     NOTE: In some cases, this will not be the only value that begins with (Default). Make sure that you select the correct one. If you select the (Default) entry that indicates (value not set), you will not be able to delete it (this is by design).
     
   • If the Trojan was found in Hacker411.exe:
     
     Hacker411        "C:WindowsSystemHacker411.exe"
     
     Right-click the entry, press Delete, and then click Yes to confirm.
     
     NOTE: The path to Hacker411.exe may differ.
     
5. Exit the Registry Editor.

To run a full system scan:
To be sure that there are no other infected files on the computer, run another full system scan. If you were not able to delete the Trojan during the initial scan, you will be able to do so now.

(Optional) Windows 98 users only
If you used the Microsoft System Configuration Utility to enable the startup menu, you can now disable it. Please follow these steps:

1. Click Start, and click Run.
2. Type msconfig and then Click OK. The System Configuration Utility dialog box appears.
3. Click the General tab, and click Advanced.
4. Uncheck Enable Startup Menu, click OK, and then click OK again.
5. Restart the computer.