ANTI-BO.txt version 0.1.2

* = skip to there for quick instructions

This file is intended to:
  1) Familiarize the populace with the trojan: Back Orifice
  2) Enable the reader to recognize if they are infected
  3) Show how to identify the pertinent files
  4) Show how to delete them
  5) Explain the effects BO has on your system

00 -- Table of Contents

  What is Back Orifice?...........................................01
  How does Back Orifice work?.....................................02
  Finding out if you are infected.................................03*
  Finding the Back Orifice files..................................04*
  Deleting the files..............................................05*

01 -- What is Back Orifice?

Back Orifice was published by the Cult of the Dead Cow for the "benign"
purpose of making a simple and efficient client/server relationship
between two computers. Of course, we all know it's just another trojan,
but with little to no knowledge, the average newbie hacker can take over
your entire system and make it do their bidding.

02 -- How does Back Orifice work?

Imagine, if you will. A person, much like you or me, goes to the CDC
website and downloads bo120.zip. They unzip it and read the readme. They
simply rename boserve.exe (the trojan) to an innocent-sounding name. Then
they run BOCONFIG. This gives them the following options:

  * When the trojan is run, what name to hide itself under
  * What port to open
  * What registry name to use
  * An encryption password
  * Plugin to run
  * File to attach

We really only need to be concerned about the first two, but I will
discuss the latter in a moment. Once boserve.exe (or the innocent-sounding
name) is configured (btw, the name it hides itself under can have any
extension, so don't look for exe, com, dll, and vxd only), the person will
either start sending it to people just like that, or they'll take apart
legitimate zip files and add it to the setup routine.

When you (the victim) receive the file and are tricked into running it,
here's what happens:

  1) Boserve looks at its configuration, extracts the full trojan under
     the name it's been told to use, and places it in C:\WINDOWS\SYSTEM
     (in this version, that's the default directory).
  2) Edits your registry and gives itself a valid name.
  3) Loads itself into memory and makes itself a low-level program
     (loaded on startup, but not shown in Task Manager).
  4) Opens a listening port on your internet connection.

Once this is done, every time you are on the net, you are a potential
target. DO NOT think that if you are not on IRC you can't be hit. BO has
a nifty addition which scans entire subnets, so if the "elite hacker"
types in the first 3 sections of an IP, he can scan all 255 people
using it.

03 -- Finding out if you are infected

If you skipped to this section, you are in a hurry.

  1) Open a DOS prompt
  2) Type: NETSTAT -a -n

This will list all your connections and open ports. If you see an open
UDP connection meeting either of the following criteria:

  1) The port of the UDP is 31337, 666, or 411 (can be others; these
     are the most common)
  or
  2) The IP of the UDP is 0.0.0.0

you are infected.

If you cannot access netstat.exe, arp.exe, or other network-identifying
programs, you are probably infected and the "hacker" has melted them. If
you cannot use netstat, open FIND in Windows 95/98 and look for
windll.dll (should be in C:\WINDOWS\SYSTEM).

Note that not every UDP connection on 0.0.0.0 means you are infected;
try to find someone in #backorifice (Undernet) who will scan you to make
sure.

04 -- Identifying the files that are ruining your life

There are several ways. The safest is to download anti-gen or something,
but in all likelihood, downloading a helper while being attacked on the
net isn't the brightest thing in the world. My main methods:

  1) Search for the file windll.dll in C:\WINDOWS\SYSTEM. If you find it,
     use method two.
  2) Open FIND again, set the directory to C:\WINDOWS\SYSTEM, go to
     Advanced, and put: bofile in the search-for-text box.
  3) Open a DOS prompt, switch to C:\WINDOWS\SYSTEM (CD SYSTEM), and
     type: DIR /OS /P. Go down until you reach the sizes that are 124k.
     Open the files, and if you see a part that looks like this:

       I/O control operation
       - not enough space for lowio initialization
       - not enough space for stdio initialization
       - pure virtual function call
       - not enough space for _onexit/atexit table
       - unable to open console device
       - unexpected heap error
       - unexpected multithread lock error
       - not enough space for thread data

     then that file is one of the ones that needs to be deleted. (Note
     that the above is included in many legitimate VC++ applications, so
     only delete the ones that are 123-125k.)

05 -- Deleting the $&@*#itch BO files

Most likely you cannot delete the files if you are running Windows, since
killing a file in use would be an access violation. Restart in MS-DOS and
blow away the files you've identified. For the MS-DOS illiterate, type
DEL /? for deletion instructions. WINDLL.DLL is a Back Orifice library;
delete it with prejudice.

Registry: Open your registry data by Start:Run; the file name is regedit.
Look under:

  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices

Use your own discretion when deleting the values. Please note that it is
not actually necessary to delete them after deleting BO. I urge you to
use a professional program.

Afterword:

This is the first version of Anti-BO.txt. I'd like to thank Vampress for
inspiring me to write this. She constantly sends BO to IRC newbies, and
here's her static IP: 168.95.4.10 (Vampress/S|NBAUD). Thanks go to
beerman and sk8masta; I got more information from helping them rid
themselves of BO than anywhere else.

If you have further questions about BO and its effects, I can usually be
found on Undernet under the names: Xenos, Xenocide, Xenoscide

9-22-98
Xenoscide
daemus@digicron.com

Last updates: 9-21-98, 9-20-98

Legal Information: This text file is not copyrighted. It is my wish that
it be freely distributed as fast and as far as possible. As for copying
it and trying to take the credit: if you are that low of a human being,
go for it. You'll make yourself seem stupid and ignorant when people
start wondering why my version was out first, but that is your problem.
=)

If you require any help or have further questions, email me at
daemus@digicron.com. I can usually be found in #backorifice on Undernet
(BO removal channel). People to trust: El-Jai, VVatchdog, and nuclei
(make sure they are from #backorifice, heh).
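Appendix A (added example, not part of the original ANTI-BO.txt): a small Python script that applies section 03's two NETSTAT criteria to a constructed sample of "NETSTAT -a -n" output. The sample lines, the severity labels, and the port set are assumptions taken from the text, not output captured from an infected machine.

```python
"""Triage 'NETSTAT -a -n' output for the Back Orifice indicators in section 03.

Added example (not part of ANTI-BO.txt). A UDP socket on one of the ports
the text names (31337, 666, 411) is reported as HIGH; any other UDP socket
bound to 0.0.0.0 is reported as LOW, because the text warns that this
criterion alone is not conclusive and a confirming scan is needed.
"""
import re

# Ports the text lists as the most common Back Orifice defaults.
BO_PORTS = {31337, 666, 411}

# Constructed sample in the shape of Windows 9x 'NETSTAT -a -n' output;
# not captured from a real machine (addresses are private/documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.5:138        *:*
"""

# Captures proto, local IP and local port; the rest of the line is ignored.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s")


def triage_netstat(text):
    """Return (severity, ip, port, reason) tuples for suspicious UDP sockets."""
    findings = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # header, blank line, or text we do not parse
        proto, ip, port = m.group(1), m.group(2), int(m.group(3))
        if proto != "UDP":
            continue  # section 03's criteria only concern UDP sockets
        if port in BO_PORTS:
            findings.append(("HIGH", ip, port, "UDP socket on a common BO port"))
        elif ip == "0.0.0.0":
            findings.append(("LOW", ip, port, "UDP on 0.0.0.0; get a scan to confirm"))
    return findings


if __name__ == "__main__":
    for sev, ip, port, why in triage_netstat(SAMPLE_NETSTAT):
        print(f"{sev:4} {ip}:{port:<6} {why}")
```

On a real machine you would paste the NETSTAT output into the script instead of the constructed sample; the LOW findings still need the manual confirmation the text recommends.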
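Appendix B (added example, not part of the original ANTI-BO.txt): a Python script that automates section 04's file triage, combining the DIR /OS size check (123-125k) with the FIND search for the text "bofile". It runs against a temporary directory of constructed, harmless dummy files; the file names and byte layouts are assumptions for the demonstration only.

```python
"""Triage a Windows SYSTEM-style directory for the Back Orifice server file
the way section 04 describes.

Added example (not part of ANTI-BO.txt). A file is reported only when its
size is in the 123-125k band AND it contains the 'bofile' marker the text
searches for. The Visual C++ runtime strings are deliberately not enough on
their own, since the text notes legitimate VC++ programs contain them too.
"""
import os
import tempfile

MIN_SIZE, MAX_SIZE = 123 * 1024, 125 * 1024   # the text's 123-125k band
MARKER = b"bofile"
VC_RUNTIME_STRING = b"not enough space for lowio initialization"


def triage_directory(path):
    """Return sorted names of files in `path` matching both criteria."""
    hits = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        if not MIN_SIZE <= os.path.getsize(full) <= MAX_SIZE:
            continue  # DIR /OS step: only ~124k files are candidates
        with open(full, "rb") as fh:
            data = fh.read()
        if MARKER in data:
            hits.append(name)  # FIND step: the 'bofile' text is present
    return sorted(hits)


def build_constructed_sample():
    """Create a temp dir of harmless dummy files (constructed, no real
    malware): one matching both criteria, one legitimate-looking VC++ file
    of the same size, and one carrying the marker but far too large."""
    d = tempfile.mkdtemp()
    pad = b"\0" * 1000
    cases = {
        "suspect.exe": pad + VC_RUNTIME_STRING + MARKER + b"\0" * (124 * 1024 - 1100),
        "legit.exe": pad + VC_RUNTIME_STRING + b"\0" * (124 * 1024 - 1100),
        "toobig.dll": MARKER + b"\0" * (300 * 1024),
    }
    for name, body in cases.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    print(triage_directory(build_constructed_sample()))  # ['suspect.exe']
```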