Signature Detail

TROJAN: NetBus Server Response on TCP/12346

This signature detects TCP packets sent from local server port 12346 to a remote port. This can indicate the system is responding to an attacker confirming successful installation of the Trojan Netbus. Netbus, a remote administration Trojan similar to Back Orifice, allows attackers to access data and gain control over some functions on remote Microsoft Windows systems.

Extended Description

Netbus is a Trojan that allows an attacker to take control of the infected computer. It notifies the attacker by e-mail of the Internet Protocol (IP) address of the infected machine.

References

• CVE: CVE-1999-0660
• URL: http://www.juniper.net/security/auto/vulnerabilities/vuln66.html
• URL: http://vil.nai.com/vil/content/v_98024.htm
• URL: http://secunia.com/virus_information/2497