Around the time Back Orifice was released, a utility called NetBus, written by Carl-Fredrik Neikter, appeared that is very similar to Back Orifice. One of the main differences is that it runs under Windows NT as well as Windows 95/98.
NetBus version 1.60 has been found being distributed disguised as a game called WHACKAMOLE.EXE. Panda Software now detects this new trojan as Trojan.NetBus.160; it also detects the earlier server as Trojan.NetBus.153. As with any other trojan, the file cannot be disinfected, because it is a wholly malicious program rather than an infected host file, so when Panda Antivirus scans it the only option offered is to delete the offending file.
WHACKAMOLE.EXE is Trojan.NetBus.160 disguised as a game; running it installs the NetBus v1.60 server on the system that executes it. It is a self-extracting archive which, when run, creates the following files in a temporary directory:
- EXPLORE.EXE: the NetBus server itself.
- WHACK.EXE: the game that serves as camouflage for the installation.
- RUN.BAT: a batch file executed after the files in WHACKAMOLE.EXE have been extracted. It first runs EXPLORE.EXE, which copies itself to the Windows (95/98/NT) system directory and adds the following entry to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: EXPLORE    Data: C:\<Windows system dir>\EXPLORE.EXE
This ensures that the server runs every time the system boots. EXPLORE.EXE also creates a DLL, KEYHOOK.DLL, in the same directory, which the NetBus server loads when a client connects to the infected machine.
After this the server stays resident in memory, leaving the machine accessible to anyone running the NETBUS.EXE client. The attacker has to know the IP address of the infected machine in order to connect to the NetBus server.
Finally, RUN.BAT runs the game WHACK.EXE, so the user sees the program they expected and nothing appears amiss.
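The installation steps above give a responder three things to look for on a suspect machine: the EXPLORE Run value, the dropped EXPLORE.EXE and KEYHOOK.DLL in the system directory, and a NetBus listener (and any attacker currently connected to it). The following script checks all three. It is an added example and not Panda Software's code; it works on text dumps a responder can collect by hand (a REGEDIT4 export of the Run key, a directory listing, and `netstat -an` output), the sample inputs are constructed for illustration, and the listening ports 12345/12346 are an assumption taken from NetBus 1.x's documented defaults, not from the page.

```python
"""Indicator check for the WHACKAMOLE.EXE / NetBus 1.60 dropper described above.

Added example, not Panda Software's code. Inputs are three text dumps from the
suspect machine: a REGEDIT4 export of the Run key, a listing of the Windows
system directory, and the output of `netstat -an`. Samples are constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up: the Run value name and the dropped files.
RUN_VALUE_NAME = "EXPLORE"
DROPPED_FILES = {"EXPLORE.EXE", "KEYHOOK.DLL"}
# Assumption not stated on the page: NetBus 1.x servers listen on TCP 12345
# (12346 is also used) unless the attacker changed the default port.
NETBUS_PORTS = {12345, 12346}

# Constructed sample inputs representing an infected Windows 95/98 host.
REG_SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"EXPLORE"="C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE"
'''
SYSTEM_DIR_SAMPLE = ["KERNEL32.DLL", "USER32.DLL", "EXPLORE.EXE", "keyhook.dll"]
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12345      10.0.0.7:1041          ESTABLISHED
"""


def parse_run_key(reg_export: str) -> Dict[str, str]:
    """Return name -> data for the string values under the Run key of a REGEDIT4 export."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.upper().endswith(r"\CURRENTVERSION\RUN]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg files double every backslash; undo that for display.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def parse_netstat(netstat_output: str) -> List[Tuple[str, int, str, str]]:
    """Return (local_ip, local_port, remote, state) for each TCP row of `netstat -an`."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].upper() == "TCP":
            ip, port = parts[1].rsplit(":", 1)
            rows.append((ip, int(port), parts[2], parts[3].upper()))
    return rows


def check_host(reg_export: str, system_dir_files: List[str], netstat_output: str) -> dict:
    """Correlate the three NetBus indicators and report what was found."""
    findings: dict = {"persistence": [], "files": [], "listeners": [], "peers": []}

    # 1. Persistence: the EXPLORE Run value (matched by name or by target file,
    #    so that a renamed value still shows up; EXPLORER.EXE is never matched).
    for name, data in parse_run_key(reg_export).items():
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if name.upper() == RUN_VALUE_NAME or basename == "EXPLORE.EXE":
            findings["persistence"].append(f"{name} = {data}")

    # 2. Dropped files in the system directory (Windows paths are case-insensitive).
    present = {f.upper() for f in system_dir_files}
    findings["files"] = sorted(DROPPED_FILES & present)

    # 3. The server's listener, and the remote address of anyone connected to it.
    for _ip, port, remote, state in parse_netstat(netstat_output):
        if port in NETBUS_PORTS:
            if state == "LISTENING":
                findings["listeners"].append(port)
            elif state == "ESTABLISHED":
                findings["peers"].append(remote)

    findings["infected"] = bool(
        findings["persistence"] or findings["files"] or findings["listeners"]
    )
    return findings


if __name__ == "__main__":
    for key, value in check_host(REG_SAMPLE, SYSTEM_DIR_SAMPLE, NETSTAT_SAMPLE).items():
        print(f"{key:12}: {value}")
```

The "peers" list is the one piece of information the page's description does not give you directly: it is the address the attacker connected from, which is exactly what a responder wants before the file is deleted and the connection drops.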
Once Panda Antivirus has detected either the NetBus server or the WHACKAMOLE.EXE dropper on a system, the user has the option of deleting the offending file. Deleting the file alone leaves the EXPLORE Run entry above pointing at a missing program, and KEYHOOK.DLL in the system directory; both are harmless on their own but should be removed as well. The best option, of course, is to run Panda Antivirus as permanent protection for the desktop and for e-mail, which prevents the program from reaching the system and being executed unsuspectingly.