Does Your Computer Have B.O.?
This question was answered on June 16, 1999. Much of the information contained herein may have changed since posting.
One of the most dangerous programs to ever be written has been unleashed via the Internet. Back Orifice (a.k.a. B.O.), a Trojan horse program that allows a remote user to access your computer via TCP/IP (the Internet), was made available by a group of hackers that calls themselves "The Cult of the Dead Cow". This group claims over 250,000 downloads of this rogue program since August 3rd of 1998. The real concern with this program is the ease with which an anonymous individual can access your files, passwords or whatever they want, while you are connected to the Internet.
B.O. affects computers running Windows 95 & Windows 98, and the group claims they are working on a version that will work on Windows NT based systems!
The program consists of two major components: the server program (infects your computer) and the client program (allows undetected access to an infected system). The server side can be hidden in another program or within a web page, as well as delivered by other methods that would elude the victim. Once the program has been run, it cannot be detected by the user unless an up-to-date anti-virus program is run. The current versions of McAfee VirusScan and Norton Anti-Virus can detect (yet, NOT remove) this Trojan Horse (a malicious, security-breaking program that is disguised as something benign, such as a directory lister, archive, game, or even a program that claims to protect your computer!). This Trojan Horse program is designed to create a "Back Door" to your computer so that a malicious person can roam around inside your computer undetected. In order to remove the Trojan Horse, see below.
In our tests, we were able to see passwords, files and screen images, as well as launch programs, delete and copy files and even lock up the infected computer. The biggest concern that we have is with the number of infected computers that we have been able to detect, both locally and nationally. The client program actually performs "sweeps" of "subnets" (large portions of Internet users) looking for infected users (like the random dialing of the computer in the movie "War Games"). We have been able to find dozens of infected computers from just a handful of subnet sweeps.
FOR A PROGRAM THAT HAS ONLY BEEN OUT A SHORT TIME, THE NUMBER OF INFECTED COMPUTERS IS ALARMING!
How can I tell if I have B.O.?
Relying completely on your Anti-Virus program is not a good idea, as the examples below will illustrate. One of the easiest ways to detect an infected computer is by looking in your Windows/System folder for a file that has no file name and an extension of "exe". Right-click on the START button, then on EXPLORE, to locate the C:\WINDOWS\SYSTEM folder. A more technical method of detecting B.O., for the advanced user, is to look in your registry.
*****WARNING - DO NOT ATTEMPT ANY REGISTRY COMMANDS UNLESS YOU HAVE A GOOD WORKING KNOWLEDGE OF THE REGISTRY.*****
The steps for removing the virus are as follows: Click on Start, then on Run, and type REGEDIT in the box next to the word Open, then click OK. When the Regedit program opens, click on Edit, then Find. In the Find what: box, type RunServices (no spaces) and make sure the Keys box is checked, then click on Find Next.
This should find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Look for the entry " .exe" in the Data field. It is the default filename of the BO server program. It is likely to be the one most often used, but the BO filename can be anything. Also: usually there will NOT be a path (such as "c:\Program Files\..."), just a filename.
To remove the program, clear the Data key by deleting the entry (right-click on the entry's Name, then click on Delete).
Next, close the Regedit program and restart your computer. When the system has re-booted, go to the C:\Windows\System folder and delete the ".exe" file. IF YOU FIND THAT YOU HAVE THE BACK ORIFICE SIGNATURES, STAY OFF OF THE INTERNET UNTIL YOU HAVE DISINFECTED YOUR SYSTEM AND PROTECTED YOURSELF USING THE METHODS BELOW!
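The same two indicators the manual check above relies on (a RunServices value whose data is a nameless " .exe", and a file with no name and an .exe extension in the System folder) can be checked with a short script. This is an added example, not a tool from the article or from Data Doctors; the registry values and folder listing are constructed samples, and the "bare file name" rule is a review-only heuristic because some stock Windows entries also run without a path.

```python
import re

# Constructed sample of (value name, data) pairs as Regedit would show them under
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
SAMPLE_RUNSERVICES = [
    ("SystemTray", "SysTray.Exe"),
    ("ScanRegistry", "C:\\WINDOWS\\scanregw.exe /autorun"),
    ("", " .exe"),
]

# Constructed sample listing of the C:\WINDOWS\SYSTEM folder.
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "USER32.DLL", " .exe", "VMM32.VXD"]

# An .exe whose file name is empty or only whitespace, e.g. " .exe" or ".exe".
NAMELESS_EXE = re.compile(r"\s*\.exe\s*", re.IGNORECASE)


def is_nameless_exe(filename):
    """True for the default Back Orifice server file name (' .exe' / '.exe')."""
    return NAMELESS_EXE.fullmatch(filename) is not None


def suspicious_runservices(values):
    """Flag RunServices entries using the article's indicators.

    Returns (name, data, reason) tuples. A nameless .exe is reported as the
    default BO server; a bare .exe with no drive or folder is reported for
    review only, since BO usually has no path but so do some Windows entries.
    """
    hits = []
    for name, data in values:
        command = data.strip().strip('"').split(" ")[0]  # drop any arguments
        if is_nameless_exe(command):
            hits.append((name, data, "default Back Orifice server name"))
        elif command.lower().endswith(".exe") and not re.search(r"[\\/:]", command):
            hits.append((name, data, "bare file name without a path; review"))
    return hits


def suspicious_system_files(listing):
    """Return names in a Windows\\System listing that look like the BO server."""
    return [f for f in listing if is_nameless_exe(f)]


if __name__ == "__main__":
    for hit in suspicious_runservices(SAMPLE_RUNSERVICES):
        print("RunServices:", hit)
    for name in suspicious_system_files(SAMPLE_SYSTEM_DIR):
        print("System folder:", repr(name))
```

On a real Windows 9x machine the sample lists would be replaced by the actual RunServices values and a directory listing of C:\WINDOWS\SYSTEM; the rules themselves do not change.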
What can I use to protect my computer from B.O.?
ANTI-VIRUS PROGRAMS WILL NOT SEE THE B.O PROGRAM ONCE IT HAS INFECTED YOUR COMPUTER!!! BE SURE AND USE THE MANUAL METHOD OF DETECTION AND DELETION BEFORE INSTALLING ANY NEW ANTI-VIRUS PROGRAMS!!!
There are a number of things that you can do to prevent infection from this Trojan Horse program including:
- Installing an up to date Anti-Virus program such as MCAFEE VIRUSSCAN (www.mcafee.com) OR NORTON ANTI-VIRUS (www.norton.com) YOU CAN GET A FREE EVALUATION VERSION OF EITHER OF THESE PROGRAMS AT THEIR RESPECTIVE WEBSITES (DO NOT INSTALL BOTH AND BE SURE TO UNINSTALL ANY OTHER VIRUS PROGRAMS BEFORE INSTALLING EITHER OF THESE EVALUATION VERSIONS)
- Update your existing virus program with the latest version and be sure that the B.O virus is on their virus detection list that accompanies the program or their web site
- Do not open any e-mail attachment(s) from anyone that you do not know. Attachments are files that are sent along with the message, not the message itself. The Trojan Horse can easily be hidden in those "cutesy" little animations that are being passed around the Internet via e-mail attachments.
- Don't download anything from a web site unless you know that the site is legitimate, and even then, make sure that your Anti-virus program checks the file before opening it
- Install a program such as "NOBO" (http://web.cip.com.br/nobo/index_en.html) that will alert you when someone is trying to access your machine using B.O. This program will also send the hacker a fake IP address, capture his IP address and send him a message telling him that you caught him and his IP address. This is not an anti-virus program and will do nothing to protect you from contracting or getting rid of the program. It is just a tool to tell you when someone is attempting to access your machine using B.O. To use NOBO, simply download it from the link above (pay attention to where on your hard drive you download it), then double-click on NOBO.EXE to start monitoring the default B.O. port. A small icon (red square) will appear in your system tray (bottom right corner, next to your clock). You can double-click the icon to open the program. If you activate this program every time, before connecting to the Internet, it will monitor your connection and prevent access to your system via the standard B.O. method.
About the author
Posted by Ken Colburn of Data Doctors on June 16, 1999