NetBus - Backdoor For Win 95/98 and Win NT

Information about and download of NetBus 2.01 Pro here!

The "NetBus-Story" - an introduction

NetBus is a "Trojan Horse" with functionality similar to "Back Orifice". That means it opens a "backdoor" to a PC, so that anybody can access your PC from the network without your noticing. NetBus is much more user-friendly than Back Orifice. It was programmed by a Swedish guy called Carl-Fredrik Neikter, who published the first version in mid-March 1998. To date there are several versions: 1.60, 1.70 and the latest one, NetBus 2.01 Pro. All information on this page is valid for NetBus 1.60 and 1.70. Information about NetBus Pro can be found on an additional page.

NetBus - how it works

NetBus consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port "12345", which can't be altered; from version 1.70 on, the port can be configured.
Additional information can be found in the author's original documents: Version 1.60 or Version 1.70.
 

NetBus - how to notice and how to fight

The NetBus server can be found in the system directory (also: "\win95" or "\winnt") and is started simultaneously with Windows. The name of the file differs: with NetBus 1.60 it is named "patch.exe", with NetBus 1.5x "SysEdit.exe", and if it is installed by a "game" called "whackamole" (file name: "whackjob.zip", which contains the NetBus 1.53 server) its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses port 12631. Additionally, it is password protected (PW: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the name of the server actually is "explore.exe", located in the Windows directory.
Normally all servers use the same icon: NetBus-Icon.
To start the server automatically, there is an entry in the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", normally used with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.

You can also delete the NetBus server using the client program itself (which can be downloaded here). Click "Server Admin" - "Remove Server". To uninstall the server from your own PC, enter the name "localhost" or the IP address 127.0.0.1.
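The indicators described in this section (the server file names, the Run entry with "/nomsg", and ports 12345 and 12631) can be checked against a registry export and netstat output. The following is an added example, not part of the original page or of NetBus; the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators stated on this page; a file-name match alone is a lead, not proof.
SERVER_NAMES = {"patch.exe": "NetBus 1.60", "sysedit.exe": "NetBus 1.5x",
                "explore.exe": "whackamole game"}
KNOWN_PORTS = {12345: "NetBus 1.60 (fixed port)", 12631: "whackjob17.zip (NetBus 1.70)"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def parse_run_values(reg_text):
    """Return {value name: command line} from the Run key of a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run:
            m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # .reg text escapes backslashes and quotes with a backslash
                values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def flag_run_entries(values):
    """Return {value name: [reasons]} for entries matching the indicators."""
    findings = {}
    for name, cmd in values.items():
        exe = re.search(r'([^\\/"]+?\.exe)\b', cmd, re.I)
        label = SERVER_NAMES.get(exe.group(1).lower()) if exe else None
        reasons = ["server name: " + label] if label else []
        if re.search(r"(?<!\S)/nomsg\b", cmd, re.I):
            reasons.append("/nomsg switch")
        if reasons:
            findings[name] = reasons
    return findings

def flag_listeners(netstat_text):
    """Return {port: label} for LISTENING sockets on the ports named above."""
    ports = {int(p) for p in re.findall(r":(\d+)\s+\S+\s+LISTENING", netstat_text)}
    # An empty result proves nothing: from 1.70 on the port is configurable.
    return {p: KNOWN_PORTS[p] for p in sorted(KNOWN_PORTS.keys() & ports)}

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PATCH"="C:\\WINDOWS\\patch.exe /nomsg"
'''
SAMPLE_NETSTAT = "TCP  0.0.0.0:12345  0.0.0.0:0  LISTENING\nTCP  0.0.0.0:139  0.0.0.0:0  LISTENING\n"
if __name__ == "__main__":
    print(flag_run_entries(parse_run_values(SAMPLE_REG)), flag_listeners(SAMPLE_NETSTAT))
```
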
 

 

NetBus: Legal Stuff, FAQ

Please have a look at this special page - and please read this information before contacting me via e-mail or ICQ.
 

NetBus - local downloads:

NetBus Program V. 1.60 client + server + info (zip-file)
NetBus Program V. 1.70 client + server + info
whackamole-game installs the NetBus server (V 1.53) during the install procedure (InstallShield) of the game


Links:

NetBus and other Trojans: the original NetBus page (netbus.org) no longer belongs to C.F. Neikter
BOClean "de-bugs" for Back Orifice and NetBus
NetBuster cleans NetBus and pretends to be NetBus.
But: there is a program that fights NetBuster: NetBuster Buster.
Additional information in the BUGTRAQ-Database