Netbus 2.0 Pro Beta Removal.



This procedure works for the worst-case scenario and for anything less severe.
Basically, worst case = invisible server that restarts when Windows does. It is REALLY hard to end up in this state without knowingly doing it to yourself, but there will always be one (or two).

NetBus 2.0 puts two files in the directory it was executed in and does NOT copy itself anywhere else on the HDD. The two files placed in the directory are:

* NBhelp.dll, and
* Log.txt

Log.txt



Log.txt logs everyone who connects to the Netbus server. Entries are logged in the following format:

[date] [time] : [user] logged in [ip address]

eg:

25/01/1999 8:27 PM: Administrator logged in (127.0.0.1)

Forwarding this information to the appropriate ISPs ( /dns [ip] then email [email protected] ) can get the attacker's accounts closed.

NBhelp.dll

I believe NBHelp.dll to be the Keyhook.dll counterpart in Netbus 2.0. The following text was found by opening NBhelp.dll with a hex editor.

NBHelp.dll.DisableClick.DisableKeys.EnableClick.EnableKeys.InstallKeyHook.InstallKeySpy.UninstallKeyHook.UninstallKeySpy

Upon closer examination both files look pretty alike. Keyhook.dll is 55,296 bytes in size and NBhelp.dll is 64,000 bytes in size. NBHelp.dll is left in the same directory as the server.

This file can be useful as a pointer to find the EXE and the directory that Netbus 2.0 resides in.

If Netbus 2.0 is active, these two files, along with the server, cannot be removed: the user will receive an "Access Denied" for NBHelp.dll and Log.txt and a "File is in use by Windows" for the server executable.


Netbus Server.



The default server icon is a grey satellite dish with a RED arrow pointing into it. Its default name is NBSvr.exe. The file size can be either 612,864 bytes or 612,965 bytes. The server can be "patched" as in Netbus 1.7, but this feature is currently disabled. When the server is patched, the following information is written to the end of the executable:

[General]
Accept=1
TCPPort=20034
Visibility=3
AccessMode=2
AutoStart=1
[Protection]
Password=A

Hence the varying file sizes.

Upon execution, a registry key containing the server's settings (Port, Visibility, Access, AutoStart, Password) is written to HKEY_CURRENT_USER\Netbus Server\. The password is now encrypted in the registry.

Another thing that is important to note: Netbus Server 2.0 Pro is NOT compatible with previous clients, nor is the Netbus Client 2.0 Pro compatible with previous servers. As a result, the Telnet method of using/disabling Netbus no longer works.

Features of Netbus 2.0 Pro



All the usual features are in the new Netbus (i.e., the same as in Netbus 1.7).
Some added features:

* Get System Passwords (similar to the BO command, I gather) (The feature is disabled until the program is registered)
* Updated File Manager.
* Registry editor.
* Ability to Print Files.
* Application Redirect.
* Updated Windows Manager.
* Plug in Capability.
* Client to Client Chat.

Removal

(Written for the worst case, but will remove it regardless.) **Uses mIRC commands.

.1) //say $findfile(C:\,NBhelp.dll,0)
.2) //say $findfile(C:\,NBHelp.dll,1)
.3) //say $findfile(C:\, $+ [Step 2 Path] $+ ,*.exe,0)
.4) //say $findfile(C:\, $+ [Step 2 Path] $+ ,*.exe,1)
.5) //say $lof( $+ [Step 4 Path and File] $+ )
If the file size is 612864 or 612965, that is the server; otherwise, keep $findfile( $+ [path] $+ ,*.exe,2)'ing until you find the correct server.
.6) /run regedit
.7) Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\

.13) Delete the TAG "Netbus Server Pro"
.14) Now Navigate to HKEY_CURRENT_USER\Netbus Server\ Delete this KEY.
.16) Reboot the Computer.
.17) //remove [Step 5 Path and File] (The correct netbus server)
.18) //remove [path from step 2]NBHelp.dll
.19) //remove [path from step 2]log.txt
.20) All Clear!


($findfile is the same as a Windows "FIND" (Start Menu, Find, Find-Files))
($lof is the same as right-clicking, selecting "Properties" and looking at the file size of a file)
(//remove is the same as Deleting a file)
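
The file sweep from steps 1 to 5 and the Log.txt format described earlier, as an added Python example (not part of the original write-up, and not NetBus or mIRC code). The function names and the C:\ root are assumptions; the DLL name, the two file sizes and the log line format are the ones given above.

```python
import os
import re

MARKER_DLL = "nbhelp.dll"        # file the page says sits beside the server
SERVER_SIZES = {612864, 612965}  # the two server sizes given on the page
# Log.txt line format from the page: [date] [time]: [user] logged in ([ip])
LOG_LINE = re.compile(r"^(?P<when>.+?)\s*: (?P<user>.+) logged in \((?P<ip>[^)]+)\)$")


def find_server_candidates(root):
    """Walk root; in each directory holding NBHelp.dll, return size-matched .exe paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if MARKER_DLL not in {name.lower() for name in files}:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            if name.lower().endswith(".exe") and size in SERVER_SIZES:
                hits.append(path)
    return sorted(hits)


def read_logins(directory):
    """Return (when, user, ip) tuples from Log.txt in directory, if it is readable."""
    logins = []
    for name in os.listdir(directory):
        if name.lower() != "log.txt":
            continue
        try:
            with open(os.path.join(directory, name), errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            return []  # a running server locks the file ("Access Denied")
        for line in lines:
            m = LOG_LINE.match(line.strip())
            if m:
                logins.append((m["when"], m["user"], m["ip"]))
    return logins


if __name__ == "__main__":
    for exe in find_server_candidates("C:\\"):  # assumed search root
        print(exe, read_logins(os.path.dirname(exe)))
```

A renamed server is still found because the match is on file size and on the DLL next to it, not on the name NBSvr.exe.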

