AUSCERT External Security Bulletin Redistribution
                 ESB-1999.030 -- CIAC Security Advisory J-32
   Windows Backdoors Update II: NetBus 2.0 Pro, Caligula, and Picture.exe
                                01 March 1999


The U.S. Department of Energy Computer Incident Advisory Capability has 
released the following bulletin concerning a number of Windows 9x and 
Windows NT operating system Backdoor programs which have been recently 
distributed on the Internet.  These 'backdoors' may allow remote users to 
gain privileged access to the systems upon which they are installed, or could 
lead to a compromise of security and the transmission of sensitive data 
over the Internet.

--------------------------BEGIN INCLUDED TEXT--------------------



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability

                             INFORMATION BULLETIN

                          Windows Backdoors Update II:
                   NetBus 2.0 Pro, Caligula, and Picture.exe

February 26, 1999 21:00 GMT                                       Number J-032
PROBLEM:       The new version of NetBus is not distributed as a backdoor, but 
               as a "Remote Administration and Spy Tool."  Also included is 
               information about the Picture.exe trojan and the Caligula macro 
PLATFORM:      Windows 9x and Windows NT operating systems. 
DAMAGE:        NetBus 2.0 poses a significant risk with its new functionality 
               and enhanced network communication obfuscation. The Picture.exe 
               trojan and the Caligula macro virus could lead to a compromise 
               of security and transmission of sensitive data over the 
SOLUTION:      If you find that NB2 has been installed on your machine without 
               permission use the registry key value to locate and delete the 
               file. Most anti-virus software has been updated for the Picture.exe 
               trojan and the Caligula macro virus. 
VULNERABILITY  Risk of receiving malware over the internet is very high. You 
ASSESSMENT:    should NEVER run any program sent to you from untrusted 
               sources. Don't run any program sent to you via e-mail unless it 
               is digitally signed. The sender's address can easily be 
               spoofed. Be very careful of programs downloaded over the   

[  Start ISS Advisory  ]

ISS Vulnerability Alert
February 19, 1999

Windows Backdoors Update II:
NetBus 2.0 Pro, Caligula, and Picture.exe


This advisory is a quarterly update on backdoors for the Windows 9x and
Windows NT operating systems. The focus of this advisory is NetBus 2.0
Pro. The final version of NetBus 2.0 Pro was released on February 19. The
new version of NetBus is not distributed as a backdoor, but as a "Remote
Administration and Spy Tool." Due to the proliferation of NetBus
and its common use in attacks across the Internet, NetBus 2.0 poses a
significant risk with its new functionality and enhanced network
communication obfuscation.  The default installation of NetBus 2.0 Pro
(NB2) does not hide itself from the user, but it does support an
"Invisible Mode" to prevent users of infected machines from noticing the
software. The version of NB2 available on the Internet notifies users upon
installation, however attackers can easily hide the installation with
slight modification.

This ISS X-Force Security Alert also includes information about the
Picture.exe trojan and the Caligula macro virus, since the presence
of either of those on your system could lead to a compromise of security
and transmission of sensitive data over the Internet.

NetBus 2.0 Pro Description:

NB2 includes enhanced functionality, including the ability to find cached
passwords, full control over all windows, capturing video from a video
input device, a scheduler to run scripts on specified hosts at a certain
time, and support for plugins. Plugins will enable programmers to add
functionality to NB2, similar to the architecture provided in the cDc
BackOrifice backdoor.  The only plugin currently available is a
file-finding utility that searches a victim's hard drive for files.

By default, NB2 listens on TCP port 20034, but this is easily
configurable. NB2 uses a weak form of encryption to obfuscate its
communications, but the format of its packets makes it easy to spot NB2
traffic. Each packet starts with 'BN', followed by the following sequence:

- Two bytes representing the length of the packet.
- Two bytes of 0x02 or 0x00, probably for the version of NetBus.
- Two random bytes, probably to confuse people.
- Two bytes for the command code.

For example:

42 4E XX XX 02 00 YY YY ZZ ZZ ...data...

XX XX is the length of the whole NetBus 2.0 packet
YY YY are just two random bytes
ZZ ZZ is the command code

The first 2 bytes are 'BN', the length of the packet is XX XX, and the
version is 0x02.
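
The header layout above can be matched on any port, which matters because
the listening port is configurable. The following is an added example, not
code from ISS or CIAC. It assumes the two-byte fields are little-endian
(the advisory does not state the byte order); the command codes and packet
bodies in the sample are constructed.

```python
import struct
from typing import NamedTuple, Optional

MAGIC = b"BN"                 # 42 4E, per the advisory
HEADER_LEN = 10               # magic + length + version + random + command
VERSION_BYTES = {0x00, 0x02}  # "Two bytes of 0x02 or 0x00"

class NB2Header(NamedTuple):
    length: int               # length of the whole packet, header included
    version: bytes
    random: bytes
    command: int

def parse_header(buf: bytes, offset: int = 0) -> Optional[NB2Header]:
    """Return the header at `offset`, or None if the bytes do not fit the layout."""
    head = buf[offset:offset + HEADER_LEN]
    if len(head) < HEADER_LEN or head[:2] != MAGIC:
        return None
    if not set(head[4:6]) <= VERSION_BYTES:
        return None
    # Assumption: 16-bit fields are little-endian (not stated in the advisory).
    length, = struct.unpack_from("<H", head, 2)
    command, = struct.unpack_from("<H", head, 8)
    if length < HEADER_LEN:   # a packet cannot be shorter than its own header
        return None
    return NB2Header(length, head[4:6], head[6:8], command)

def count_packets(stream: bytes) -> int:
    """Count back-to-back well-formed packets from the start of a TCP payload."""
    offset = count = 0
    while offset < len(stream):
        hdr = parse_header(stream, offset)
        if hdr is None:
            break
        count += 1
        offset += hdr.length  # the length field chains to the next packet
    return count

def looks_like_nb2(stream: bytes, min_packets: int = 2) -> bool:
    """Require several chained headers so a stray 'BN' prefix does not alert."""
    return count_packets(stream) >= min_packets

def build_sample(command: int, body: bytes, rnd: bytes = b"\xa7\x3c") -> bytes:
    """Constructed test packet; command codes and bodies are made up."""
    return (MAGIC + struct.pack("<H", HEADER_LEN + len(body)) + b"\x02\x00"
            + rnd + struct.pack("<H", command) + body)

if __name__ == "__main__":
    flow = build_sample(0x0001, b"\x11" * 6) + build_sample(0x0002, b"")
    print(parse_header(flow), count_packets(flow), looks_like_nb2(flow))
    print(looks_like_nb2(b"BNC proxy ready\r\n"))
```

Chaining on the length field keeps a single payload that merely begins
with 'BN' from being flagged.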

NB2 stores registry information in the HKEY_CURRENT_USER\NetBus Server
registry key. If you have this key in your registry, NB2 may be running on
your machine. To determine the port that NB2 uses, check the value of
HKEY_CURRENT_USER\NetBus Server\General\TCPPort, and use the 'netstat -an
| find "LISTEN"' command to see if your system is listening on that port.
If NB2 is listening, you need to find the NB2 server executable and delete
it. The default name is NbSvr.exe, but it can be easily renamed.

If NetBus 2.0 is configured to start automatically when your computer
boots, the registry key will have a registry value called 'NetBus Server
Pro' that specifies the full path for the location of the NetBus
executable. Use the registry key value to locate and delete the file if
you find that NB2 has been installed on your machine without permission.

NetBus 2.0 traffic using the default port can be detected by RealSecure if
you configure it to monitor traffic on TCP port 20034.

Caligula Description:

The WM97/Caligula virus was released by 'Codebreakers', a virus exchange
(Vx) group. This is a Microsoft Word macro virus that steals your Pretty
Good Privacy (PGP) secret key ring and uploads it to a Codebreakers FTP
site. When executed, this virus will open the registry and look for the
HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command registry value.
The virus uses this value to find the path to the PGP program. Once it
finds the path to PGP, the virus locates your secret key ring, located in
the secring.skr file. The virus copies this file to a file called
secringXXXX.skr, where each X is an integer from 0 to 7, for example,
secring3150.skr. This file is uploaded to an FTP site at,
or ftp.codebreakers.org, and stored in the incoming directory.

After Caligula runs, it sets the registry value
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula to
1 (True). You can tell if you have the Caligula virus by looking for that
key in the registry.

An infection by Caligula can be detected by RealSecure if you configure
it to look for FTP connections to

Picture.exe Description:

The Picture.exe trojan horse program has been circulating around the
Internet via an e-mail attachment. If run, this executable will send
information about your Windows NT or 95/98 system to any of several e-mail
addresses in China. The file has also been seen with the name Manager.exe.

Executing or opening Picture.exe places a file called note.exe in your
Windows directory. It also adds the line "RUN=NOTE.EXE" to the win.ini
file so note.exe runs every time Windows boots. The first time that
note.exe runs, it creates a file in your Windows directory called
$2321.Dat. This file contains an encoded listing of all of the files whose
three-letter file name extensions begin with an h, i, m, p, s, or t. ISS
X-Force believes it was the author's intent to get files whose extensions
are .idx, .mdb, .pst, .htm, .snm, .pab, and .txt, because those extensions
show up in note.exe. However, note.exe will list any file whose extension
begins with those letters. Earlier reports indicated that note.exe looks
through a user's web cache directories to determine which web sites the
user visited, but this claim is false. Note.exe looks through all
directories trying to gather e-mail addresses.

The data in the file created by note.exe is encoded by adding 5 to each
character's ASCII code, for example:




The second time note.exe runs, it searches all files for e-mail addresses.
When it finds an address, it encodes and writes the address to a file
called $4135.Dat in your Windows directory. The way that this data is
encoded is by subtracting 5 from each character's ASCII code, for example:




After note.exe searches all of the files, it overwrites $4135.Dat with
compressed data, where every host name is only listed once. It encodes the
data by subtracting 5 from each character's ASCII code, and ends each line
with ~X or =~X, where X is an integer. The lines that end in ~X are
usernames, and the lines that end in =~X are host names. Once decoded, the
format of the data looks like this:


Each username is matched with the corresponding host name. In this
example, the e-mail addresses are: root@iss.net, xforce@iss.net, and

The third time note.exe runs, it attempts to send the contents of
$4135.Dat to any of several e-mail addresses. The addresses ISS X-Force
has identified are hongfax@public.szonline.net, chinafax@263.net,
hongfax@public.szonline.net, and chinafax1@263.net.

The trojan tries to connect to various SMTP servers. ISS X-Force has
identified public2.lyptt.ha.cn, public1.sta.net.cn, nenpub.szptt.net.cn,
mail.capital-online.com.cn, public2.lyptt.ha.cn, public.cc.jl.cn,
pub1.fz.fj.cn, public.szonline.net, and mail.nn.gx.cn. The data is Base64

A header detected from an e-mail sent by note.exe is as follows:

From: ab<abreb@hotmail.com>
To: hongfax@public.szonline.net
Subject: A manager software from ZDNet_AU
X-Mailer: Microsoft Outlook Express 4.72
Mime-Version: 1.0
Content-Type: multipart/mixed;

If sending the e-mail succeeds, note.exe will delete $2321.Dat and
$4135.Dat. If sending fails, it will try again the next time note.exe
runs, and keep trying until it successfully sends the e-mail.
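
The host artifacts described above (note.exe, the two .Dat files, and the
run= line in win.ini) can be checked with a short triage script. This is an
added example, not part of the ISS advisory; it takes the path of a Windows
directory, for instance from a mounted disk image, and the sample directory
it builds is constructed test data.

```python
import os
import tempfile

DROPPED = ("note.exe", "$2321.Dat", "$4135.Dat")   # file names from the advisory

def find_ci(directory, name):
    """Case-insensitive lookup, since Windows file names ignore case."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def run_entries(win_ini_text):
    """Programs named on any run= line of win.ini (key compared without case)."""
    programs = []
    for line in win_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "run":
            programs += value.replace(",", " ").split()
    return programs

def triage(windows_dir):
    """Report which of the advisory's Picture.exe artifacts are present."""
    present = [n for n in DROPPED if find_ci(windows_dir, n)]
    autorun = False
    ini = find_ci(windows_dir, "win.ini")
    if ini:
        with open(ini, "r", errors="replace") as fh:
            names = [p.replace("\\", "/").rsplit("/", 1)[-1].lower()
                     for p in run_entries(fh.read())]
        autorun = "note.exe" in names
    # The .Dat files are deleted after a successful send, so the verdict
    # rests on note.exe and the run= entry, which persist.
    return {"files": present, "autorun": autorun,
            "suspect": autorun or "note.exe" in present}

def make_sample_dir(infected=True):
    """Constructed stand-in for a Windows directory (test data, not real files)."""
    d = tempfile.mkdtemp(prefix="windir_")
    run = "RUN=NOTE.EXE" if infected else "run="
    with open(os.path.join(d, "WIN.INI"), "w") as fh:
        fh.write("[windows]\nload=\n" + run + "\n")
    if infected:
        for name in ("NOTE.EXE", "$4135.dat"):
            open(os.path.join(d, name), "w").close()
    return d

if __name__ == "__main__":
    print(triage(make_sample_dir(True)))
    print(triage(make_sample_dir(False)))
```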

Earlier reports also stated that note.exe looks for AOL account
information on your computer, because it reads the MAIN.IDX file in your
AOL directory. ISS X-Force believes that this statement is false. The
program searches the hard drive for .idx files, because it is looking for
e-mail addresses, and Microsoft Outlook uses .idx files for keeping track
of e-mail in your mail folders. On a machine with AOL 4.0 installed,
note.exe does read the MAIN.IDX file in the AOL directory, but the
username and password information is never sent to the e-mail addresses in


It would be difficult to manually search all of your machines to make
sure no backdoors are running, so the best way to protect yourself is
to not run any untrusted binaries. You should NEVER run any program sent
to you over IRC, ICQ, or any other chat medium, as it is quite easy to
spoof or impersonate even trusted users, and you can never tell if the
person sending you the program is who they claim to be. Don't run any
program sent to you via e-mail unless it is digitally signed. It is
trivial to fake the sender's address, and you don't know who actually sent
the e-mail. Also, be very careful when running programs you download from
the Internet or the World Wide Web. Isolating your machines behind a
firewall will help prevent attackers from connecting to any backdoors
installed on your machine, but it may be possible for them to bypass the
firewall if the backdoor is listening on a port that is left open on the
firewall, for example, the port DNS uses for its operations.

If you find yourself infected with the Picture.exe trojan or the Caligula
macro virus, you should run an anti-virus program to get rid of it.

For more information:

NetBus can be downloaded from http://netbus.nu.


Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
hereby granted for the electronic redistribution of this Security Alert.
It is not to be edited in any way without express consent of the X-Force.
If you wish to reprint the whole or any part of this Alert Summary in any
other medium excluding electronic medium, please e-mail xforce@iss.net for

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection, and response software that
protects the security and integrity of enterprise information systems.  By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provide protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations.  ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks, and over 35 governmental
agencies.  For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

[  End ISS Advisory  ]


CIAC wishes to acknowledge the contributions of Internet Security Systems, 
Inc. for the information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-bulletin 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
J-024: Windows NT Remote Explorer
J-025: W97M.Footprint Macro Virus Detected
J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix  Vulnerabilities ( at , inc  )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow



--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
