Netbus paranoia

I was chatting to someone called "Gravedigger" on ICQ - He sent me 2 files, which I virus scanned (Landesk V5.03, pattern file updated Nov'99). The first file was the Netbus trojan, the second was an executable video from his webcam, which Landesk reported clean, so I ran it - It was a video of him waving to his victims as he hacked their PCs (if they'd run the executable with Netbus). Very cool, very funny but VERY annoying.

I reported him to the authorities, copied the files to floppy for evidence (& deleted them) & updated my scanner pattern file.

Now for the weirdest bit: To test the new pattern file, I scanned the floppy & it showed up clean, as did the copy of the files in the Recycle bin.

The scanner still works (I tested it on another infected floppy). My PC is showing no signs of unusual disk or modem activity, so I'm not under attack at present. I can't see anything in the Registry startup bits that might be Netbus (tho' I'm not very familiar with the registry).

Now for the questions:
Would Landesk Realtime protection clean the files as they were being copied?
Is the latest version of the pattern file defective?
Could the video file contain another virus/trojan that hid the Netbus one?
Is there anywhere I can send the files to, to have them checked?

Thanks in advance

LVL 21
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tfewster'lots of questions but they mostly just ask for opinion so here is mine.

"Would Landesk Realtime protection clean the files as they were being copied?"

You can't "clean" netbus, it is a program and it has code to make it work so cleaning isn't really possible.

"Is the latest version of the pattern file defective?"

That doesn't seem likely

"Could the video file contain another virus/trojan that hid the Netbus one"

'Is there anywhere I can send the files to, to have them checked?"

Since Landesk is what you scanned them with that would be your first contact. Any security company would want a look at them if there is code there that they have no defense against.

Now a couple questions for you. You say you scanned them the first time and your software said that one was Netbus, the other was clean. Then you copied them to floppy, ran the scan again and both were clean.  
1) Why would you run a program that you received from a stranger, scanned for virus', found it positive but run it anyway.
2)You say you copied it for evidence, and gave it to the authorities..who are the authorities.
3)What are you really doing?

The reason for continious updates on virus definitions is because crackers are constantly writing and rewriting code. As one set is defeated they write another to exploit and bypass the fix.

tfewster, you're not being paranoid at all. As a matter of fact, I think you've handled this whole thing very well.

On to your questions and then a suggestion or two.

<<Would Landesk Realtime protection clean the files as they were being copied?>>

Normally no. It would isolate the files but it won't kill it without asking first and then it would destroy the entire file including its carrier.

<<Is the latest version of the pattern file defective?>>

I doubt it is defective. Outdated maybe, but not defective.

<<Could the video file contain another virus/trojan that hid the Netbus one?>>

No, as the video relies on a codec for expansion and play. There's no way to wrap the trojan.
<<Is there anywhere I can send the files to, to have them checked?>>

Yes, you can send them to:

I would investigate using something a bit stronger than Landesk though!


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tfewsterAuthor Commented:
Thank you for your comments, but I'm still worried about why my scanner (now using a January 2000 pattern file) doesn't detect the Netbus trojan since I updated it. I will contact Norton (who update the pattern files) about that.

Mrbreeze - Point taken about Netbus being a trojan, not a virus.
1) Gravedigger told me the files were funny video clips. I didn't run the trojan, I ran the video executable. My scanner reported it clean, but I'm now concerned it may have a later virus in it than my (November'99 - Now updated to JAnuar ) pattern file could detect.
2) I reported Gravedigger to ICQ tech support, to at least get him booted off the service. The UK Computer Crime squad will take action against hackers if they have evidence, which is why I copied the files & chat logs to floppy.
3) I may be dumb but I'm not doing anything sinister!

Are you saying the video file(412Kb)doesn't contain a player and therefore cannot be harmful, even if it is a .exe?

I've never had to disinfect a Windows 98 PC before, so I would appreciate some guidance, e.g. how do I get 2.2Mb of pattern file onto a diskette so I can boot from a clean floppy & scan?
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

This site has an online virus scanner that can scan any drive you tell it to.

As I stated before Netbus is a program even though so many use it for wrong reasons it was designed for remote administrative functions. If your definition isn't recognizing it I would strongly recommend another scanner.

Dennis can answer for himself but I think it is safe to say that he was not saying the video could not be harmful but more specifically it could not do what you were asking which I would have to agree with.

Putting 2.2mb onto a floppy is of course not possible. Only if you could compress the data into 1.44 could you put it onto a floppy. There are ways to format it to hold 1.68 or so but I don't think that really is the problem.
Scanning the disk you put the original files onto or scanning your entire machine can be done without the boot from disk.

Oh BTW since Dennis posted his response as a question you need to evaluate the answer and either accept it or reject it. As long as it is still posted the question is locked and others can't see it to offer any input they might have.

<<Are you saying the video file(412Kb)doesn't contain a player and therefore cannot be harmful, even if it is a .exe?

If the file is, indeed, and executible, then it can be most anything. However most true video files rely on a codec of some sort in order for them to be played. An example would be XYX.AVI.

If what he sent you was a gif display or something else, into which was imbedded a trojan and if that display arrives in its own container (executible) and could wreak havoc on a system.

If you are using Norton, and its database is current, it should have fund the trojan and isolated it.

Mrbreeze, I posted a response in the form of a proposed answer to a specific group of questions. I did not ask any questions.

Wrong word "posted his response as a question"
Should read "posted his response as an answer"
Sorry                       Mrbreeze
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.