Back Orifice Check
What is Back Orifice?
BO (Back Orifice, released by the Cult of the Dead Cow in 1998) was one of the first truly damaging trojan horse/backdoor programs to circulate widely over the Internet. It is not a virus in the strict sense: it does not copy itself from machine to machine, but arrives when someone runs a file that carries it, typically an email attachment or a program downloaded or picked up from a shared drive, and it can be planted directly on a PC whose file and print sharing is open to the attacker. Once installed, BO acts as a keylogger, backdoor and remote-controlled zombie all in one.
What is BO’s weakness?
Back Orifice is, in its way, a powerful and remarkable program: for such a small program it can do a great deal of harm and is very easy to use. However, it is still a Windows program, and that is BO's biggest weakness. As a Windows program it has to obey Windows' conventions. In particular, to start automatically every time Windows starts it must register itself in one of the few startup locations Windows provides, and those are easy to inspect if you know where to look.
How was BO analysed?
Using Novell’s snAppShot (a part of the ZENWorks package), we installed Back Orifice 1.2 and analysed the AXT file produced by snAppShot. It indicated the following:
- A registry value is added under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices so that BO is run every time Windows starts.
Among the programs this key starts is the Back Orifice server. Future versions of Back Orifice, or similar programs, will have to use one of the same few startup locations: the Run, RunOnce, RunServices and RunServicesOnce keys under that CurrentVersion key (and the Run key under HKEY_CURRENT_USER), the run= and load= lines in WIN.INI, the shell= line in SYSTEM.INI, or the Start Menu StartUp folder. Checking that handful of places is the core of any trojan check.
- The BO executable is copied onto the system, usually into the C:\WINDOWS\SYSTEM directory. This is the file named in the registry value above. In BO 1.2 its default name is " .exe" (a space followed by .exe), which is easy to overlook in a directory listing, but the name is chosen when the server is configured, so do not rely on it.
- Another file, C:\WINDOWS\SYSTEM\WINDLL.DLL, is installed. It does not appear to belong to any other software package, is created when BO is installed or first started, and exists regardless of the name configured for the BO executable. If WINDLL.DLL is deleted on its own it is recreated at the next reboot, because the BO executable is still started from the registry and writes it again. That is why removal has to begin with the startup entry, not with the files.
How do you check for the presence of BO?
The surest check is to look at the registry startup keys and make sure that every program they start is a legitimate program or driver. A quick and simple alternative is the BOCheck 1.2 (21K) program, available for free here; other software is also available but generally costs money. BOCheck 1.2 simply looks for the existence of the C:\WINDOWS\SYSTEM\WINDLL.DLL file, so it will miss a build that uses a different DLL name and will raise a false alarm if some other package happens to install a WINDLL.DLL; treat its result as a hint and confirm it against the registry. BO also listens on a UDP port, 31337 by default, but the port is configurable, so not finding that port open proves nothing either.
How do you remove BO?
Once you have detected BO in your system, follow the instructions below:
- First, click on the “Start” Button, choose “Run”
- Key in “regedit.exe” and press “Enter”
- In the Regedit window, press “Control-F”
- This brings up the Find dialog box; key in "RunServices" and press "Enter". If Find stops somewhere other than the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, press F3 (Find Next) until it does.
- When the find has stopped, look at the right-hand pane. Each startup entry is a row with a "Name" and a "Data" column; the Data column holds the path of the program that is run.
- Write down the program path shown in the Data column for the suspected BO entry (the default is C:\WINDOWS\SYSTEM\ .exe, with a leading space), then click that entry and press the Delete key. This removes only that value; leave the RunServices key itself, and any entries you recognize, alone, since other software legitimately starts from this key.
- Exit Regedit, and reboot your PC.
- When the PC has completed the reboot, use Windows Explorer to delete the program in the C:\WINDOWS\SYSTEM directory that you wrote down in the steps above (the reboot matters: while BO is running its files are in use and cannot be removed). You can then also delete the C:\WINDOWS\SYSTEM\WINDLL.DLL file.
WARNING! Inappropriate use of the Registry Editor can leave your PC unable to boot Windows 95, or cause serious problems running software. If in doubt, check with a qualified and experienced IT person.
This should remove BO itself from your PC entirely. It does not undo what was done while BO was present: assume that every password typed on the machine since it was infected has been captured and change it, and check for any other programs the intruder may have installed through the backdoor.
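The registry check above and the removal steps, as a script. This is an added example, not the page's BOCheck nor any other existing tool. It works offline on text you export from the suspect machine (regedit /e of the CurrentVersion keys, copies of WIN.INI and SYSTEM.INI, a directory listing of C:\WINDOWS\SYSTEM), classifies every autostart entry against an allowlist you maintain, flags BO 1.2's default filename " .exe", reports whether WINDLL.DLL is on disk, and writes a REGEDIT4 file that deletes only the flagged value, which is what the regedit steps above do by hand. The sample export, INI files, directory listing and allowlist are constructed for the demonstration, and the registry value name " .exe" is an assumption.

```python
"""Audit the Windows 9x autostart locations BO 1.2 relies on and draft its removal.

Added example, not from the original page nor from BOCheck.  Input is text exported
from the suspect PC (regedit /e, WIN.INI, SYSTEM.INI, a dir of C:\\WINDOWS\\SYSTEM).
The sample inputs at the bottom are constructed; the value name " .exe" is assumed.
"""
import ntpath
import re
from dataclasses import dataclass

# Keys Windows 95/98 runs programs from at startup (RunServices is the one BO 1.2 uses).
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}
BO_DEFAULT_SERVER = " .exe"   # BO 1.2's default filename: a space, then .exe (configurable)

@dataclass
class Finding:
    location: str   # "registry:<key>" or "<ini file> <setting>="
    name: str       # registry value name, or the ini setting
    command: str
    verdict: str    # "bo-default", "known" (on the allowlist) or "review"

# One string value of a .reg export: "name"="data" or @="data", with \\ and \" escapes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def _reg_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """{key: {value_name: data}} for the string values of a REGEDIT4/5 export (hex:/dword: skipped)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if m:
            name = "@" if m.group(1) == "@" else _reg_unescape(m.group(2))
            entries[current][name] = _reg_unescape(m.group(3))
    return entries

def executable_name(command):
    """Lower-cased basename of the program a startup command launches ("x.exe /q" -> "x.exe")."""
    cmd = command.strip()
    m = re.match(r'"?(.*?\.(?:exe|com|bat|scr))\b', cmd, re.I)   # first path ending in an extension
    path = m.group(1) if m else (cmd.split()[0] if cmd else "")
    return ntpath.basename(path).lower()

def classify(command, allowlist):
    exe = executable_name(command)
    if exe == BO_DEFAULT_SERVER:
        return "bo-default"
    return "known" if exe in allowlist else "review"

_INI_RE = re.compile(r"^\s*(run|load|shell)\s*=\s*(.+?)\s*$", re.I)   # empty run= lines do not match

def audit(reg_export, ini_files, allowlist):
    """Classify every program launched from the Run* keys, WIN.INI run=/load= and SYSTEM.INI shell=."""
    allow = {a.lower() for a in allowlist}
    findings = []
    for key, values in parse_reg_export(reg_export).items():
        if key.lower() in AUTOSTART_KEYS:
            for name, cmd in values.items():
                findings.append(Finding("registry:" + key, name, cmd, classify(cmd, allow)))
    for fname, text in ini_files.items():
        for line in text.splitlines():
            m = _INI_RE.match(line)
            if not m:
                continue
            setting = m.group(1).lower()
            # shell= names one program; run= and load= may list several, separated by commas or spaces
            cmds = [m.group(2)] if setting == "shell" else re.split(r"[,\s]+", m.group(2))
            for cmd in cmds:
                findings.append(Finding(f"{fname} {setting}=", setting, cmd, classify(cmd, allow)))
    return findings

def windll_present(system_dir_listing):
    """BOCheck's file-level test: WINDLL.DLL in C:\\WINDOWS\\SYSTEM.  Corroboration only; a renamed
    build or an unrelated DLL of that name defeats it either way."""
    return any(n.lower() == "windll.dll" for n in system_dir_listing)

def removal_reg(findings):
    """REGEDIT4 text deleting the flagged registry values ("name"=- is regedit's delete syntax).
    Import it only after checking the findings by hand; then reboot and delete the files."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f.verdict == "bo-default" and f.location.startswith("registry:"):
            name = "@" if f.name == "@" else '"%s"' % f.name.replace("\\", "\\\\").replace('"', '\\"')
            lines += ["[" + f.location[len("registry:"):] + "]", name + "=-", ""]
    return "\n".join(lines)

# Constructed sample: stock Windows 98 Run/RunServices entries plus a BO server under its
# default name, an unknown run= program in WIN.INI, and BO's DLL sitting in the system directory.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
'''
SAMPLE_INI = {"win.ini": "[windows]\nload=\nrun=C:\\TOOLS\\MONITOR.EXE\n",
              "system.ini": "[boot]\nshell=Explorer.exe\n"}
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "USER32.DLL", "WINDLL.DLL", " .exe"]
ALLOWLIST = {"scanregw.exe", "systray.exe", "rundll32.exe", "explorer.exe"}   # illustrative

def run_sample():
    findings = audit(SAMPLE_REG, SAMPLE_INI, ALLOWLIST)
    return findings, windll_present(SAMPLE_SYSTEM_DIR), removal_reg(findings)

if __name__ == "__main__":
    findings, dll, reg = run_sample()
    for f in findings:
        print(f"{f.verdict:10} {f.name!r:20} {f.command}   ({f.location})")
    print("WINDLL.DLL present:", dll)
    print(reg)
```

Run it on the exports, review every entry marked "review" before acting, import the generated .reg only for entries you have confirmed, then reboot and delete the files exactly as in the steps above. The " .exe" test only catches the default name; a renamed build shows up as "review", which is why keeping the allowlist honest matters more than the BO-specific test.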