IT department informed me of...


Big Booger
June 23rd, 2003, 05:39 AM
My PC accessed the internet 20,000 times on Friday while I was on vacation... I came back today and was told this. I asked them for more information but they clearly did not tell me anything. I asked them over what port, what IP, etc. They didn't know.

I am running a scan right now for worms, trojans and bots... virii... etc....

Will be updating my firewall, and making sure this doesn't happen again. I think they nearly shit their pants LOL
:D The IT guy was shaking when he came to talk to me LOL But he was friendly and even spoke in English which he rarely does.

Oh, to the world of the internet.

Big Booger
June 23rd, 2003, 06:00 AM
Think I found the cause:
see attachment :(

Gladiator AV doing a fine job at finding the nasty virii that hopped into my temp files :D

SupaStar
June 23rd, 2003, 06:22 AM
Hehe...they'll do that... :p

Big Booger
June 23rd, 2003, 06:37 AM
Information about the Netbus trojan virus:
Netbus is a Win32 based Trojan program. This trojan can affect Windows 95, Windows 98 and Windows NT systems. Netbus trojan needs to be executed by the user for it to be installed. Once executed by the user it will install itself in such a way that it will be active all the time. Netbus adds an entry to the Windows Registry to achieve this. The presence of Netbus installed in the computer will not be evident to the affected user. There are 3 versions of Netbus and the sizes of these trojan files are:

Netbus Ver 1.5 is 473,088 bytes.
Netbus Ver 1.6 is 472,576 bytes.
Netbus Ver 1.7 is 494,592 bytes.

You will not get infected by Netbus merely by downloading the file or receiving it by email. You will have to execute it to get infected.

Netbus is a remote administration trojan program similar to BackOrifice. While you are connected to the internet, if this program is running on your computer anyone from anywhere who has got the Netbus Client program can sneak in to your computer without your permission or knowledge. The remote hacker can get any information from your computer including your passwords. He can execute programs in your computer, copy files, read your email, plant other trojans or viruses, monitor the key strokes you type, control your mouse and a lot more. This will cause a serious security risk to the affected user.

Netbus Ver 1.5 first appeared in March 1998, Ver 1.6 in August 1998 and the Ver 1.7 in November 1998. Each version is reported to have affected a lot of users.

SupaStar
June 23rd, 2003, 06:49 AM
So how do you remove it? Is there a simple method? Is there a way to tell if you've been infected?

Big Booger
June 23rd, 2003, 07:20 AM
GAV took care of it automatically after I clicked remove :D

SupaStar
June 23rd, 2003, 07:56 AM
Found this pretty useful site about NetBus Detection and Removal (http://www.hackfix.org/netbusfix/).

Big Booger
June 23rd, 2003, 08:54 AM
Thanks for that. Just in case I'll give it a shot.
:D

efc
June 23rd, 2003, 13:22 PM
As every old sailor can tell you, it is important to protect yourself when you go on liberty. You have to watch where you go on vacation. :D

Big Booger
June 23rd, 2003, 13:56 PM
Well I am glad they just caught it. :D Now I have to play clean up and make sure nothing like this ever happens again.

Dehcbad25
June 24th, 2003, 03:47 AM
Well, let me tell you.
Maybe you all noticed that I had been out of TZ for a while, even though I had been an active member for some weeks straight.
I am wondering if BB works in my company, because last Monday I detected a virus. A worm, with back door capabilities. Man, that is nasty. This one spread thru network neighborhood like guinea pigs in Spring :p
I spent all week just catching the little $^&#, and still haven't finished. Though now almost every single PC has AV installed (That will teach my boss to give me more budget for essential programs:p )
I even lost 5 pounds running around. So you are lucky the TS guys asked nicely. Instead I became the dog of the net, and I didn't care who was working with what and shut down the whole network until I thought it was safe to put it back online :D
I love being the mean guy ;)
Seriously, these things will crawl where you least expect them, and spread so fast

Big Booger
June 24th, 2003, 04:01 AM
I downloaded a software app called Pagegate as I was trying to help a member of TZ with a problem. They wanted to set up their own SMS gateway and I was trying to help them find a working solution..

Well I got that Pagegate software from a source, which I have now forgotten, and it had that stupid backdoor netbus installed with it...

http://www.topshareware.com/PageGate-download-253.htm

That is the software but I got it from another source....

http://www.techzonez.com/forums/showthread.php?s=&threadid=5095&highlight=sms%2A+gateway

That shows the source.. so don't install that Pagegate software it has a trojan. I am going to post an update in that thread.

I will no longer install software on the fly without scanning it first, no matter how reliable the source :D

And the IT guy was nice, which I was thankful for. If he wasn't well, I might've decided to DoS his service for a couple days, after I figured out how to do it :D j/k

Big Booger
June 24th, 2003, 04:03 AM
Supastar,
That link you gave me to clean the Netbus Backdoor, was helpful. It guaranteed that I don't have it. As I looked through the registry and the key with the /nomsg was not to be found!

Thanks.
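As an added example (not from the thread, the hackfix.org guide, or any AV product), here is a small Python script that does the two checks this thread describes for NetBus: it parses a regedit export of the autorun (Run) keys and flags any value whose command line carries the "/nomsg" switch, and it maps a file size to the three NetBus versions listed above. The registry key paths are the standard Windows autorun locations; the ".reg" sample, the entry name "Patch", and the file name "sysupd.exe" are constructed for the example.

```python
"""Offline check for the NetBus indicators discussed in the thread.

Added example, not code from the forum or from hackfix.org. Assumptions:
the cleanup guide's '/nomsg' switch appears in a Run-key command line, and
the NetBus file sizes are the three the thread quotes (1.5, 1.6, 1.7).
"""
import re

# File sizes in bytes quoted in the thread for NetBus 1.5, 1.6 and 1.7.
NETBUS_SIZES = {473088: "1.5", 472576: "1.6", 494592: "1.7"}

# Standard Windows autorun keys a trojan would use to restart at every boot.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample of a regedit export; "sysupd.exe /nomsg" is the planted entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SysTray"="SysTray.Exe"
"Patch"="C:\\WINDOWS\\sysupd.exe /nomsg"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Gladiator"="C:\\Program Files\\GAV\\gav.exe"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.

    Only REG_SZ lines ("name"="value") matter for Run keys; other value
    types and the header line are skipped. Backslashes and quotes are
    escaped in .reg files, so the escaping is undone here.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val and current is not None:
            command = val.group(2).replace('\\\\', '\\').replace('\\"', '"')
            entries[current][val.group(1)] = command
    return entries


def suspicious_run_entries(entries):
    """Return (key, name, command) for every autorun value whose command
    line contains the '/nomsg' switch, case-insensitively."""
    hits = []
    for key in RUN_KEYS:
        for name, command in entries.get(key, {}).items():
            if "/nomsg" in command.lower():
                hits.append((key, name, command))
    return hits


def netbus_version_by_size(size_bytes):
    """Map an on-disk file size to the NetBus version the thread lists, else None."""
    return NETBUS_SIZES.get(size_bytes)


if __name__ == "__main__":
    for key, name, command in suspicious_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"suspicious autorun: [{key}] {name} = {command}")
    print("473,088 bytes ->", netbus_version_by_size(473088))
```

On a real machine the text would come from `regedit /e` (or the Export menu) of the Run keys, and the size check would be applied to whatever executable the flagged entry points at. A clean result from this check only means the specific indicator is absent; it does not replace the AV scan the thread's posters ran.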

SupaStar
June 24th, 2003, 04:57 AM
Originally posted by Big Booger
Supastar,
That link you gave me to clean the Netbus Backdoor, was helpful. It guaranteed that I don't have it. As I looked through the registry and the key with the /nomsg was not to be found!

Thanks.

NP BB. I checked out my registry too...no /nomsg luckily :)

Nothing ever gets executed on my PC without first being scanned by NAV. Not even the smallest 2KB app ;)

I quickly learn from my mistakes...

efc
June 25th, 2003, 14:59 PM
I had my laugh above. That was before I discovered that I also had a problem.

In trying to assist Lynchknot with his website issue, I installed 1stPage on my computer from an old disk. It turned out to contain a trojan called JS/Loop. AVG and SwatIt had not found it.

After an uninstall/reinstall/update of AVG it immediately found the trojan. Somehow it had been turned off. When or how is the question. I'm reassessing my AV protection.

After Conan's comments and a little extra research, I am going to pay for a registered copy of Trojan Hunter. I still haven't decided on my main AV program. I have used the free AVG for over a year and have been happy with it, until now. Sorry Donna, I just don't like the interface for GAV. I also don't like Norton and Mcaffee. More thought is called for.

By the way, I found the original problem by installing SiMeeter. It revealed system activity when there shouldn't have been any.

I'm open to suggestions.

Big Booger
June 26th, 2003, 11:14 AM
I hate trojans. They disgust me. I want a program that runs in the background like a screensaver, uses little resources and hunts this crap without doing a "scan". Scanning eats up resources and takes too long :D

Dehcbad25
June 26th, 2003, 17:02 PM
Takes long?? What do you think about 5 hours scanning (and scanning alone) for my system? :p That was a pain, I only do a full scan once a year:D I don't have time to install apps, so it is less likely to get something weird without being detected ;)
BB, is it possible that you could find out which program they were using to monitor the users' activity at your work?
I think it could be a possibility for my old post about Internet usage in the LAN. I haven't completely found a solution to that yet, though after discovering the worm, probably that was causing the lags.
So I am interested in setting up a system that can detect these issues faster

Big Booger
June 27th, 2003, 00:01 AM
A full scan for me takes 1.5-2 hours. 5 would be totally unacceptable :D

I think it would be impossible for me to find out what they are using to monitor the network activity and this is why.

I think they think I am a network hacker and I did this. The IT guy hasn't come by and said a word since then. So I am guessing they think I was responsible. Which I wasn't, but that doesn't matter to them. So if I were to ask them what program they use to monitor network traffic, that definitely would set me in their sights as the culprit :D

I'd say you either have a heavy downloader on your LAN, or you have a backdoor that is causing the traffic. Could be a DDoS bot sending out packets.. or something like that.

Why not set up NAV corporate? It has clients and server and would be a great way to detect virii on your network.

Another thing you could try is to block all ports except for essential ports that you use on your network, port 80, 21, and any other port that is necessary. You can setup rules using hardware firewall (a p1 or p2 machine with Linux works fine). That would effectively stop any file traders if there are any and may stop a bot too. But then you'll have users complaining they can't do this and that because the ports are blocked :D

Have you sent out a memo warning them yet? That often times is a very effective means of stopping anyone who is using the network inappropriately.
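As an added example (not code from the thread or from any monitoring product), here is the kind of check Dehcbad25 is asking for: a script that reads per-connection log lines from a proxy or firewall, counts requests per internal host, and flags a host that is far above the others or is busy outside working hours, which is how one PC making 20,000 connections while its user was on vacation stands out. The log format (timestamp, client IP, destination), the thresholds, the IP addresses and the 02:00 burst are all constructed for the example.

```python
"""Spot a workstation whose outbound activity looks like a backdoor or a
heavy downloader rather than a person at the keyboard.

Added example, not from the thread. The log line format and the
thresholds (ratio over the median, off-hours share) are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed sample: two workstations with a handful of daytime
    requests, and one host hammering a single address at 02:00."""
    lines = [
        "2003-06-20 09:02:11 10.0.0.12 www.techzonez.com",
        "2003-06-20 09:05:43 10.0.0.12 www.cnn.com",
        "2003-06-20 10:17:02 10.0.0.12 www.techzonez.com",
        "2003-06-20 08:55:30 10.0.0.20 www.yahoo.com",
        "2003-06-20 11:40:12 10.0.0.20 www.yahoo.com",
        "2003-06-20 12:01:58 10.0.0.20 www.hackfix.org",
        "2003-06-20 13:22:45 10.0.0.20 www.yahoo.com",
        "2003-06-20 16:48:09 10.0.0.20 www.cnn.com",
    ]
    for i in range(300):  # 300 connections between 02:00:00 and 02:04:59
        lines.append(f"2003-06-20 02:{i // 60:02d}:{i % 60:02d} 10.0.0.15 203.0.113.9")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS client_ip destination' lines into
    (datetime, client_ip, destination) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records.append((ts, parts[2], parts[3]))
    return records


def flag_hosts(records, ratio=10, min_requests=100, work_hours=(8, 18)):
    """Return one dict per suspicious host.

    A host is reported when it made at least `min_requests` requests and
    either (a) more than `ratio` times the median host's count, or
    (b) over 90% of its requests fall outside `work_hours`.
    """
    per_host = Counter(ip for _, ip, _ in records)
    dests = defaultdict(Counter)
    off_hours = Counter()
    start, end = work_hours
    for ts, ip, dest in records:
        dests[ip][dest] += 1
        if not start <= ts.hour < end:
            off_hours[ip] += 1
    typical = median(per_host.values()) if per_host else 0

    flagged = []
    for ip, total in per_host.items():
        if total < min_requests:
            continue
        reasons = []
        if total > ratio * typical:
            reasons.append(f"{total} requests vs. median {typical:g}")
        share = off_hours[ip] / total
        if share > 0.9:
            reasons.append(f"{share:.0%} of requests outside {start:02d}:00-{end:02d}:00")
        if reasons:
            top_dest, top_n = dests[ip].most_common(1)[0]
            flagged.append({
                "ip": ip,
                "total": total,
                "top_dest": top_dest,
                "top_dest_share": top_n / total,
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for host in flag_hosts(parse_log(build_sample_log())):
        print(f"{host['ip']}: {host['total']} requests, "
              f"{host['top_dest_share']:.0%} to {host['top_dest']}; "
              + "; ".join(host["reasons"]))
```

A single destination taking nearly all of a host's traffic, combined with activity at an hour when nobody is at the desk, is the signature worth escalating; a genuine heavy downloader usually shows many destinations during the day. Whichever proxy or firewall is in use, its log only needs to be mapped onto the three fields `parse_log` expects.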

Dehcbad25
June 27th, 2003, 01:42 AM
Well, you wouldn't believe my users :p
I have NAV corporate. Actually I almost finished updating the whole network. It is really a pain, since the login script won't work unless you have Admin rights (NAV 7 we use)
But this doesn't stop heavy users, only virus and worms.
Then about the ports. We use a proxy server, over which I have no control at all. Only one port open. From the proxy also sites are filtered.
But that doesn't stop stubborn users that think that the bandwidth can be used to listen to streaming radio, or even watch streaming news:(
Can you imagine how bad the speed was when the war with Iraq erupted?? I had a lot of users going to CNN and watching the news. I even found 4 computers with the same news on at the same time in the same office. Reason?? To have a better sound!!!!:o
Man, they made me mad, I went and in front of them I turned off every PC, and told them if when I reached my PC I still couldn't connect to YAHOO.COM I would disconnect their computer from the switch. I earned a very bad reputation around :D But I sent 3 warning emails to the whole company.
They stopped, since I actually had 2 disconnected that day. It was very funny because all apps are hosted in the servers, and I disconnected them before going home, so they couldn't enter time for employees (they were supervisors) and update tables :p I had half of the Directors chasing me, including my boss, but when I explained to him he was on my side (because the EXECUTIVE DIRECTOR complained that he could not log in to the report web site). That was a very great time in my life. I love being the BAD COP :p
Then I have another user that I cannot make stop listening to streaming radio. I had talked with her 5 times personally about it. She doesn't understand the consequences. She thinks if the radio doesn't skip everything is fine. Gosh, buy a 20$ radio and take it to the office. It is even a local station :p
And all this, the windows media web page is blocked in the proxy as are most radio station sites :p
Some people never learn.
But if I had statistics for these users and I talked to them, I would have hard evidence, and then I could be more strict.
Boogs, do you want to be in my network???:p
At least I am confident that none of the users are hacking, they are too dumb for that. They do instead delete a lot of server files by mistake, panic if their monitor is off, not know the difference between shutting down and logging off, and even try to open Excel files with Word and complain the computer doesn't work:D

Big Booger
June 27th, 2003, 13:48 PM
I think there are some programs out there that give you complete control over the user's desktop :D

If I stumble upon them I'll let you know.
:D

cash_site
June 27th, 2003, 14:26 PM
A lot of new worms and virii, when they infect your computer, actually disable or bypass your AV program. So if you suspect symptoms of trojans etc, you should check for files or registry settings - don't take your AV or firewall for granted, cos it might be bypassed!

Gee Dehc, you are so harsh at work :P My excuse is I don't have the Bandwidth at home for my SuperNode status of Kazaa :biggrin: LOL

I did like the idea of having 4 comps tuned into CNN for surround sound edition of Iraq war updates... I would have been laughing so hard... I would expect them to have 5.1 comps running LOL DTX digital... :p Sorry, I cant stop laughing...

Seriously, I came across a few files at Uni that were infected with Klez... what are the processes that you have at work to deal with such virulent worms ??

phishhead
June 27th, 2003, 14:33 PM
Originally posted by Big Booger
I think there are some programs out there that give you complete control over the user's desktop :D

If I stumble upon them I'll let you know.
:D


Hey, it's called win2k or xp pro.:p Just use the user profiles and rights, then you can lock it up like fort knox.

Big Booger
June 27th, 2003, 14:43 PM
yeah the profiles do it, but there are other programs that you can install over a network that take care of it for you. So he doesn't have to go to each and every computer and set the rules and policies up :D

Fartbag.

phishhead
June 27th, 2003, 14:56 PM
:p

Dehcbad25
June 28th, 2003, 04:38 AM
Well, profiles are nice, but then....how do I use them?? :p
Funny question, but with some truth. I think I know only the basics, and that I could configure them much more.
Nonetheless, the servers are NT4, which has its big limitations.
Also, none of the users have other rights but "domain user", only the TS department is given more access (administrator). And for some users I even decrease the level to which they can access shared files, for example I downgraded the access for a user that deleted 2 folders. I have backups, but I don't like working extra ;)
My poor users don't have much privileges, but actually if it was up to me, most of them would have even less, and the TS department could work on more prioritized stuff.
Cash, the worm we got was LovGate G, it spreads thru email and network neighborhood (that was what made it difficult to completely kill). It is a backdoor type.
We got Klez (2 varieties) in a network that we were taking care of. I had recommended the use of FIREWALL and AV for 4 months before they got the attack, with no luck. After that they got it, not to mention the cost they incurred in technicians, since I had to call the experts ($$$) and we spent from 11 AM until 2 AM next day. That network was a mess. The guest user was enabled, and with administrator rights, we had to cut their internet because it brought down the router (CISCO) with too much I/O, and it ate all bandwidth (a full T1). The worst damage was that the hacker changed the Exchange server name in the Domain controller. Theoretically, that is impossible, since Exchange was in the server category. I don't have to mention the Active directory was corrupted, right? We could not revert that, so the users weren't able to access email. Deleting and re-creating would not work. Finally we deleted, did a restore of the Active Directory in the Domain controller and formatted the Exchange server 4 times since it wouldn't synchronize account permissions with the Domain controller. That is a GREAT experience!! SERIOUSLY!!!!!:D
You don't get to deal with this kind of problem often (unless you work for a support consultant company, and earn $150 an hour ;) ) And besides, if they had done what I suggested (consistently, many times) it wouldn't have happened. After all my job is to avoid these things

efc
June 28th, 2003, 12:50 PM
This information may have already been posted on TZ. I hope not. Yesterday, TechTV reported that we are seeing more trojan takeovers of private computers. It was stated that spammers are becoming the primary attackers. By taking over individual computers, they have a vehicle to get their email through the system.

TechTV also stated that the target of an attack may find that ISPs block all email from their computer. The target may not be able to get their own email to addressees until all parties know that it is no longer a spam producer. That could take days.

I hate, repeat hate spammers and virus attackers. I am ready to bypass fines and jail time and go straight to the death penalty.