Know anything about Trojan Horse???
If you think Trojan Horse is something from the new Brad Pitt's movie called Troy, you are close. They have a rather similar concept and function. But what I mean in this blog is that Trojan as in for taking over someone else's computer over the Internet.
Here I'll share some information I know about it. Maybe too little, but I think it's ok since I'm still a newbie in this Internet world. But first I want to let you all know that I have never experienced my computer taken over by someone else, so you may believe my blog or just take it as a useless information. It's your decision.
Now let's begin, I'll try to give some background information on two well-known Trojan Horses. The first one is called Back Orifice... the second one NetBus. Besides talking about what you can do against these two "viruses" (I'm not sure if virus is the correct word for BO or Netbus, but to keep this blog easy to read I'll use that word) the question remains what other unknown viruses or Trojan Horses might be running on your system without you knowing? I'll give examples of detecting the Trojans, but these are for older versions of the trojans only. Currently there are so many versions of Back Orifice (BO2K) and NetBus (NetBus 1.2, 1.53, 1.60, 1.70, 2.0 Pro, 2.01 Pro ...) trojans. And, besides NetBus and Back Orifice there are many more trojans we will not mention in the rest of this document because it would simply become to difficult to read. A few of them are: Attack FTP Installer ; BackDoor ; DeepBO ; Executor ; FTP Trojan ; FTP99 ; Happy99 ; NetMonitor ; SubSeven etc.
Should you panic? Personally, I don't think so. I have been on the Internet quite some time now and there are some things you should just keep in mind and be careful. My motto is "better safe than sorry" so what I don't do is, for example, accept files from people on IRC. The first thing I do when I try some sort of new Internet application is to turn off all auto-accept options. I want to keep in control. I do not open email attachments I do not trust. Just to be sure I scan the email attachments I do trust first, before opening it.
As an example to what trojans can do on your system, here are a few of the capabities of Back Orifice 2000:
-Rebooting, locking up system, listing of passwords etc.
-View and edit the registry (create a key, set a value, get a value, delete a key, delete a value, rename a key, etc.)
-List directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes.
-Display a message box.
-Logging keyboard activities, operations with log file: view, delete.
-Adding and removing network shares, mapping of shared devices, listing of active connections etc.
-Playing WAV files.
These are just a few things I do as a precaution. Who can you trust? That's hard to answer, maybe it doesn't even have to do with trust. Somebody you know might have a virus on his/hers system without him/her knowing it. When he or she uploads something to you, you might have it too. Another good example: I needed information about a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site and when opening a document (Word) from that FTP site I noticed it contained a macro virus. I discovered it on time, because I'm careful. That's probably the most important thing you can do against viruses.
Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listen to what you are doing!
Some versions of the trojan horse report the IP address of a PC, once connected to the Internet, on an IRC channel. Other methods used are port scanners, which scan a range of IP addresses/ports to find a PC which has "the backdoor open". Not all versions of the trojan horses are accessible by anybody with a client, some are even "customized" with password protection, which means that if a system is infected, it can only be accessed by the person who has the password.
If you want to find out if you are infected by one or more trojans, what I recommend most is to search for information on trojans on the Internet at companies such as McAfee, Symantec and DataFellows. They usually have very good info about trojans and viruses.
I heard and read about a few methods on how you can possibly find out if you are "infected" by Back Orifice or Netbus. Note that these detection hints are for older versions of NetBus and Back Orifice only (not for example for Back Orifice 2000 or BO2K !). If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk.
1. Netbus might be found with telnet. Open a dos box and type:
telnet 127.0.0.1 12345
telnet 127.0.0.1 12346
Telnet opens, and in case a line in your telnet window containing "netbus" (excluding "") you system is infected with Netbus.
2. For both Back Orifice (old version) and Netbus (old version) there is another possible way to find if you are infected with one of them. Close all your applications, especially those who point to network-shares. Open a DOS box and run the following command:
netstat -an|more
Back Orifice possibly replies with:
UDP 0.0.0.0:31337 *:*
NetBus possibly replies with:
TCP 0.0.0.0:12345 *:*
TCP 0.0.0.0:12346 *:*
Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.
3. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This contains all files which are run as a service. If you find a service called .exe (yes, .exe, no name before the dot) or a service with a very very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice.
"Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry.
4. If weird things start happening on your system, for example: missing files/directories, suddenly opening and closing CD-ROM drive etc. then it's possible your system is infected with Back Orifice or Netbus.
5. Back Orifice: Another method of finding out if your system is infected by BO (older version) is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected.
Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are the trojan horses itself. For that reason you have to be very careful which removal application you are going to use.
What I recommend most, again, is to use a well-known brand virus scanner which can detect and remove viruses like Back Orifice and Netbus. Always check if this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods how to remove Back Orifice from your system.
Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it).
-BackWork
-The Cleaner
-McAfee VirusScan
-F-Secure Anti-Virus for Windows
More applications and tools for detecting and/or destroying Trojan Horses can be found in the MPSmits.Com freeware & shareware area: Security: Anti Trojan Horse, Security: Anti-Virus Software, and for those of you who are looking for protection against winnukes visit Security: Anti Winnuke.
Here I'll share some information I know about it. Maybe too little, but I think it's ok since I'm still a newbie in this Internet world. But first I want to let you all know that I have never experienced my computer taken over by someone else, so you may believe my blog or just take it as a useless information. It's your decision.
Now let's begin, I'll try to give some background information on two well-known Trojan Horses. The first one is called Back Orifice... the second one NetBus. Besides talking about what you can do against these two "viruses" (I'm not sure if virus is the correct word for BO or Netbus, but to keep this blog easy to read I'll use that word) the question remains what other unknown viruses or Trojan Horses might be running on your system without you knowing? I'll give examples of detecting the Trojans, but these are for older versions of the trojans only. Currently there are so many versions of Back Orifice (BO2K) and NetBus (NetBus 1.2, 1.53, 1.60, 1.70, 2.0 Pro, 2.01 Pro ...) trojans. And, besides NetBus and Back Orifice there are many more trojans we will not mention in the rest of this document because it would simply become to difficult to read. A few of them are: Attack FTP Installer ; BackDoor ; DeepBO ; Executor ; FTP Trojan ; FTP99 ; Happy99 ; NetMonitor ; SubSeven etc.
Should you panic? Personally, I don't think so. I have been on the Internet quite some time now and there are some things you should just keep in mind and be careful. My motto is "better safe than sorry" so what I don't do is, for example, accept files from people on IRC. The first thing I do when I try some sort of new Internet application is to turn off all auto-accept options. I want to keep in control. I do not open email attachments I do not trust. Just to be sure I scan the email attachments I do trust first, before opening it.
As an example to what trojans can do on your system, here are a few of the capabities of Back Orifice 2000:
-Rebooting, locking up system, listing of passwords etc.
-View and edit the registry (create a key, set a value, get a value, delete a key, delete a value, rename a key, etc.)
-List directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes.
-Display a message box.
-Logging keyboard activities, operations with log file: view, delete.
-Adding and removing network shares, mapping of shared devices, listing of active connections etc.
-Playing WAV files.
These are just a few things I do as a precaution. Who can you trust? That's hard to answer, maybe it doesn't even have to do with trust. Somebody you know might have a virus on his/hers system without him/her knowing it. When he or she uploads something to you, you might have it too. Another good example: I needed information about a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site and when opening a document (Word) from that FTP site I noticed it contained a macro virus. I discovered it on time, because I'm careful. That's probably the most important thing you can do against viruses.
Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listen to what you are doing!
Some versions of the trojan horse report the IP address of a PC, once connected to the Internet, on an IRC channel. Other methods used are port scanners, which scan a range of IP addresses/ports to find a PC which has "the backdoor open". Not all versions of the trojan horses are accessible by anybody with a client, some are even "customized" with password protection, which means that if a system is infected, it can only be accessed by the person who has the password.
If you want to find out if you are infected by one or more trojans, what I recommend most is to search for information on trojans on the Internet at companies such as McAfee, Symantec and DataFellows. They usually have very good info about trojans and viruses.
I heard and read about a few methods on how you can possibly find out if you are "infected" by Back Orifice or Netbus. Note that these detection hints are for older versions of NetBus and Back Orifice only (not for example for Back Orifice 2000 or BO2K !). If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk.
1. Netbus might be found with telnet. Open a dos box and type:
telnet 127.0.0.1 12345
telnet 127.0.0.1 12346
Telnet opens, and in case a line in your telnet window containing "netbus" (excluding "") you system is infected with Netbus.
2. For both Back Orifice (old version) and Netbus (old version) there is another possible way to find if you are infected with one of them. Close all your applications, especially those who point to network-shares. Open a DOS box and run the following command:
netstat -an|more
Back Orifice possibly replies with:
UDP 0.0.0.0:31337 *:*
NetBus possibly replies with:
TCP 0.0.0.0:12345 *:*
TCP 0.0.0.0:12346 *:*
Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.
3. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This contains all files which are run as a service. If you find a service called .exe (yes, .exe, no name before the dot) or a service with a very very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice.
"Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry.
4. If weird things start happening on your system, for example: missing files/directories, suddenly opening and closing CD-ROM drive etc. then it's possible your system is infected with Back Orifice or Netbus.
5. Back Orifice: Another method of finding out if your system is infected by BO (older version) is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected.
Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are the trojan horses itself. For that reason you have to be very careful which removal application you are going to use.
What I recommend most, again, is to use a well-known brand virus scanner which can detect and remove viruses like Back Orifice and Netbus. Always check if this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods how to remove Back Orifice from your system.
Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it).
-BackWork
-The Cleaner
-McAfee VirusScan
-F-Secure Anti-Virus for Windows
More applications and tools for detecting and/or destroying Trojan Horses can be found in the MPSmits.Com freeware & shareware area: Security: Anti Trojan Horse, Security: Anti-Virus Software, and for those of you who are looking for protection against winnukes visit Security: Anti Winnuke.
posted by Raysa @ 11:09 AM
0 Comments:
Post a Comment
<< Home