
Whackamole is making its rounds


  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Whackamole is making its rounds
  • From: Ken Pfeil <arrow1@BIGFOOT.COM>
  • Date: Tue, 15 Sep 1998 16:37:25 -0400
  • Comments: To: security@ntshop.net
  • Reply-To: Ken Pfeil <arrow1@BIGFOOT.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

The game "whackamole.exe" (file size 314,636), credited to
ecoli@hotmail.com, is actually a NetBus Trojan. It is contained within
Whackjob.zip, available at http://netbus.hypermart.net, and installs
"patch.exe" (the NetBus server portion) from the InstallShield script
for the game install. The program Netbus.exe is renamed Explore.exe
during the install. Needless to say, this can be quite serious on a
40,000-user network. You can't run command-line programs directly from
"launch program", but you can execute

    Net Localgroup "administrators" "Me" /add

or the like from .bat files uploaded directly to %systemroot% or another
path from the NetBus program. NetBus connects on ports 12345 and 12346.
It is probably a good idea to filter these at the router level.

Ken Pfeil

From the actual web page containing the download:

NetBus 1.6 removal

Find out the name of the NetBus server (which is most often Patch.exe).
Run RegEdit.exe and look up the registry key
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. From
that key you should be able to sort out the NetBus server program
(again, most often Patch) from others.

When you've found the suspicious entry, do a file search for "[Name of
the NetBus server].exe" on your system. Finally, run "[Name of NetBus
server].exe /remove". If you've run the NetBus server, you should see
that it just starts and ends quickly without any user interaction.
That's just fine.

An easier approach could be to use the NetBus client (NetBus.exe)
yourself, connect to localhost, choose "Server admin" and click on the
"Remove server" button.
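The two checks the post and the quoted removal notes describe, as an added example that is not code from Ken Pfeil, NTBugtraq or the NetBus site: a host-side look through an exported Run key for the file names the post associates with NetBus (Patch.exe and Explore.exe), and a network probe of the two ports the post says NetBus uses (12345 and 12346), which is what you would run across a large network before and after putting the router filter in place. The .reg text is constructed for the example; the greeting check assumes, as the post does not state, that a NetBus 1.x server sends a text banner starting with "NetBus" as soon as a client connects, so a stand-in server is built in-process to exercise it offline.

```python
import re
import socket
import threading

# Ports the post says NetBus uses.
NETBUS_PORTS = (12345, 12346)
# File names the post associates with the NetBus install (lower-case).
NETBUS_NAMES = {"patch.exe", "explore.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed RegEdit export of the Run key (not a real capture).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Patch"="C:\\WINNT\\Patch.exe"
"Office"="\"C:\\Program Files\\Office\\osa.exe\" -b"
'''


def parse_reg_run_values(reg_text):
    """Return {value_name: command} for the Run key in a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run or not line:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        values[m.group(1).strip('"')] = data
    return values


def executable_name(command):
    """Base name of the program in a Run command line, lower-cased."""
    command = command.strip()
    prog = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(reg_text):
    """Run entries whose program is one of the names the post ties to NetBus."""
    return {name: cmd for name, cmd in parse_reg_run_values(reg_text).items()
            if executable_name(cmd) in NETBUS_NAMES}


def probe_netbus(host, port, timeout=2.0):
    """True if a NetBus-looking banner is received, False if something else
    answers, None if the port is closed or filtered (what the router ACL
    from the post should produce). The banner test is an assumption."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(64)
    except OSError:
        return None
    return banner.startswith(b"NetBus")


def scan_host(host, ports=NETBUS_PORTS, timeout=2.0):
    """Probe every NetBus port on one host; {port: True/False/None}."""
    return {port: probe_netbus(host, port, timeout) for port in ports}


def fake_netbus_server(banner=b"NetBus 1.60\r"):
    """Constructed stand-in for the trojan's listener, for offline testing:
    accepts one connection on an ephemeral localhost port and sends the banner.
    Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("Run key hits:", suspicious_run_entries(SAMPLE_REG))
    port = fake_netbus_server()
    print("probe of stand-in listener:", probe_netbus("127.0.0.1", port))
```

In production the registry side would read HKLM directly (or take the output of "regedit /e" from each workstation) and the scan would walk the subnet list rather than localhost; a True from probe_netbus on a real host means the server is up, while None after the filter is in place confirms the router ACL is doing its job for that path.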