Home | About Us | Contact Us | Threats to your Security on the Internet | Products | Support | Online Store

RCT's & RAT's
What are they?
How do I detect them?
How many are there?
What ports do they use?

How do I Remove?
Acid Shivers
Acid Shivers (modified)
Back Orifice
Baron Knight
Big Gluck
Blade Runner
Deep Back Orifice
Delta Source
Doly Trojan
Deep Throat
Deep Throat v2
Executer v1
Executer v2
Hack 'a' Tack
Master's Paradise
NetBus 2 Pro
Sockets 'de Troie
SubSeven (Sub7)
Whack-a-mole (NetBus)

Additional Resources
Latest News
Recommended Books
Recommended Links
Recommended Software


NetBus currently affects Windows 95/98 PC's and Windows NT PC's.

The "server" portion (typically named "patch.exe") is approximately 470kb in size.

Ports 12345 and 12346 (by default) are used to establish its connection between the "client" and "server".

Once installed, it is rerun every time the computer is started by means of an entry under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" branch in the Registry.

Who is Responsible?

NetBus was written by Carl-Fredrik Neikter (cf@trancometer.se), a Swedish programmer. And although unsure of what Carl's intentions were when he created it, he states that it was created purely for fun.

Below are some of the functions that NetBus offers:
- Open/close the CD-ROM once or in intervals (specified in seconds)
- Show optional image. If no full path of the image is given it will look for it in the Patch-directory. The supported image-formats is BMP and JPG.
- Swap mouse buttons - the right mouse button gets the left mouse button's functions and vice versa.
- Start optional application.
- Play optional sound-file. If no full path of the sound-file is given it will look for it in the Patch-directory. The supported sound-format is WAV.
- Point the mouse to optional coordinates. You can even navigate the mouse on the target computer with your own!
- Show a message dialogue on the screen. The answer is always sent back to you!
- Shutdown the system, log off the user etc.
- Go to an optional URL within the default web-browser.
- Send keystrokes to the active application on the target computer! The text in the field "Message/text" will be inserted in the application that has focus. ("|" represents enter).
- Listen for keystrokes and send them back to you!
- Get a screen dump! (should not be used over slow connections)
- Return information about the target computer.
- Upload any file from you to the target computer! With this feature it will be possible to remotely update Patch with a new version.
- Increase and decrease the sound-volume.
- Record sounds that the microphone catch. The sound is sent back to you!
- Make click sounds every time a key is pressed!
- Download and deletion of any file from the target. You choose which file you wish to download/delete in a nice view that represents the hard disks on the target!
- Keys (letters) on the keyboard can be disabled.
- Password-protection management.
- Show, kill and focus windows on the system.

Provided below, is a picture of what the "client" portion of the software looks like. It's what the remote user would use to control your system. What could be easier than "pointing and clicking" your way through another users PC?

NetBus GUI screenshot

How to Remove

Several steps involve working within the Windows 95/98 or Windows NT registry. And although the steps are easy, I cannot be held responsible if a mistake is made. Please use caution.

Step 1.
type REGEDIT and hit ENTER

Step 2.
In the left window, click the "+" (plus sign) to the left of the following:

Step 3.
In the right window, look for a key that loads a file called "patch.exe".

If you do not find a file called "patch.exe", it means that the server portion was renamed to something else.

What you will need to do, is open Explorer and go to the WINNT\SYSTEM32 directory (if using NT) or the WINDOWS\SYSTEM directory (if using Windows 95/98).

Find each of the files that were referenced within the right window of regedit.

When you find the file that's approximately 470kb in size. You've found the renamed server portion of NetBus.

Step 4.
Now, open a DOS window and change to the WINNT\SYSTEM32 directory (if using NT) or the WINDOWS\SYSTEM directory (if using Windows 95/98).

Step 5.
From within the appropriate directory, type "patch.exe /remove" (without the quotes) and hit ENTER and exit the DOS window.

If the file is determined to be have been named to something different, type whatever the name is with the "/remove" switch.

Step 6.
Go back to Registry and refresh the view. In the right window you should observe that the entry used to previously launch the server portion has been deleted.

Step 7.
Exit the Registry

Step 8.
Go back to Explorer and refresh the view. Find and delete the "patch.exe" file (or whatever it might be named).

Congratulations, NetBus has been removed from your system.

While Commodon Communications does not participate in or condone the activities of hacking. We recognize the need to educate persons who express an interest so they can better identify the activities associated and to better protect themselves and/or their organization. If you're interested in purchasing software for the purpose of learning the subject of hacking and Internet Security click here to visit our online store.

    © Copyright Commodon Communications. All rights reserved.