Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Netbus.160.W95

Netbus.160.W95

Discovered:
10 September 1998
Updated:
13 February 2007

The Netbus.160.W95.Trojan places a reference in the Windows registry that attempts to load the infected file when Windows starts. This file, which Norton AntiVirus (NAV) detects as Netbus.160.W95.Trojan, is usually named MyComputer.exe, but at least one variant is named Hacker411.exe.



12/3/2002 2:39:19 PM -- Joel Gerstman -- <Outsourcer> -- New Suggestion
Dec. 03, 2002 -- Customer with Win XP clean install (no upgrade from Win98) had Netbus.160.W95. She had \Winnt\keyhook.dll and
Kernei32.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Kernei32.exe brings up a
Netbus.W95.Trojan keyhook.dll link on Google.com.
Kernei32.exe is also associated with the W32.Yarner.A@mm in the Security Response Write-Ups

Antivirus Protection Dates

  • Initial Rapid Release version 10 September 1998
  • Latest Rapid Release version 05 August 2018 revision 019
  • Initial Daily Certified version 10 September 1998
  • Latest Daily Certified version 05 August 2018 revision 021
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Netbus.160.W95.Trojan is a backdoor Trojan horse that allows a hacker to gain unauthorized access to the computer. When it is run, the Trojan is installed on the system, and a reference is added to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This ensures that the Netbus.160.W95.Trojan file is executed when Windows starts. The Trojan remains memory resident and opens a port to allow a hacker to access the computer.

The Trojan can be included in another program, such as a computer game. In this case, the Trojan is executed in the background while the program runs.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

To remove this Trojan, you need to:
  • Run LiveUpdate and then run a full system scan. Delete any files detected as Netbus.160.W95.
  • Restart the computer in Safe Mode, and remove the reference from the registry.
  • Run another full system scan with NAV.

Here are detailed instructions. Please follow the instructions in each section.

To scan with NAV:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start NAV, and run a full system scan, making sure that NAV is set to scan all files.
  3. If any files are detected as Netbus.160.W95, write down their locations, and then delete them.

    NOTE: If the file is in use, NAV may not be able to delete it. In this case, choose Ignore, and then go on to the next section.

To restart the computer in Safe Mode
To restart the computer in Safe Mode, follow the steps for your version of Windows. When you finish this, proceed to the next section.

NOTE: In Safe Mode, Windows uses default settings (VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows). You will not have access to CD-ROM drives, printers, or other devices.
  • Windows 95
    1. Exit all programs, and then shut down the computer.
    2. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
    3. When you see the "Starting Windows 95" message, press F8.
    4. Type the number for Safe Mode, and then press Enter.
  • Windows 98
    1. Click Start, and then click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click the General tab, and click Advanced.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs, and then shut down the computer.
    6. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
    7. Turn on the computer, and then wait for the menu.
    8. Type the number for Safe Mode, and then press Enter.
  • Windows 2000
    1. Exit all programs, and then shut down the computer.
    2. Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
    3. As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to this: |||||||||||||||||||||||||||||. Beneath this line you will see the text, "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.
    4. Type the number for Safe Mode, and then press Enter.

To edit the registry:
Please follow these steps to remove the entry that the Trojan placed in the registry \Run key:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, look for the entry that refers to the file in which the Trojan was detected. It should look similar to one of the following:
    • If the Trojan was found in the file MyComputer.exe:

      (Default)        "C:\Windows\MyComputer.exe"

      Right-click the entry, press Delete, and then click Yes to confirm.

      NOTE: In some cases, this will not be the only value that begins with (Default). Make sure that you select the correct one. If you select the (Default) entry that indicates (value not set), you will not be able to delete it (this is by design).
    • If the Trojan was found in Hacker411.exe:

      Hacker411        "C:\Windows\System\Hacker411.exe"

      Right-click the entry, press Delete, and then click Yes to confirm.

      NOTE: The path to \Hacker411.exe may differ.
  5. Exit the Registry Editor.

To run a full system scan:
To be sure that there are no other infected files on the computer, run another full system scan. If you were not able to delete the Trojan during the initial scan, you will be able to do so now.

(Optional) Windows 98 users only
If you used the Microsoft System Configuration Utility to enable the startup menu, you can now disable it. Please follow these steps:
  1. Click Start, and click Run.
  2. Type msconfig and then Click OK. The System Configuration Utility dialog box appears.
  3. Click the General tab, and click Advanced.
  4. Uncheck Enable Startup Menu, click OK, and then click OK again.
  5. Restart the computer.


Writeup By: George Koris