|
Products
|
Code: p309 Severity: Warning
Description: This event is generated when the victim confirms the connection request sent by the attacker using the NetBus Pro 2.0 trojan. Impact: Possible theft of data and control of the targeted machine. This Trojan also has the ability to scan machines and networks for open ports, it can also redirect legitimate traffic to other destinations. It can turn the infected host into an open proxy server. Corrective: The manual removal of this Trojan should only be attempted by an experienced Windows system administrator. Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. Affected registry keys are: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry keys added include: Netbus Server Pro PATCH "C:\windows\patch.exe /nomsg" - note: the entry may not necessarily be called PATCH NetBuster = "" SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y" Rundll32 = "rundll.dl_ /noadd" Rundll = "regedit /s nbsetup2.reg" Later versions may also add one of these registry entries: HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/ HKEY_CURRENT_USER/NetBus Server/ These entries should be deleted. The files rundll.dl_ (note the underscore, this is important) and nbsetup2.reg should be deleted if they exist. Ending the process is necessary. A reboot of the infected machine is recommended.
|
