Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: anti-bo.txt

Detecting and Removing Back Orifice from your system




ANTI-BO.txt version 0.1.2

* Skip to there for quick instructions

 This file is intended to:

 1) Familiarize the populace with the trojan: Back Orifice
 2) Enable the reader to recognize if they are infected
 3) Show how to identify the pertinent files
 4) Show how to delete them
 5) Explain the effects BO has on your system

00 Table of Contents

   What is Back Orifice?...........................................01
   How does Back Orifice work?.....................................02
   Finding out if you are infected.................................03*
   Finding the Back Orifice files..................................04*
   Deleting the files..............................................05*

01 What is Back Orifice?

   Back Orifice was published by the Cult of the Dead Cow for the "benign"
   purpose of making a simple and efficient client/server relationship
   between two computers.

   Of course, we all know it's just another trojan, but with little to no
   knowledge, the average newbie hacker can take over your entire system
   and make it do their bidding.

02 How does Back Orifice work?

   Imagine if you will.  A person, much like you or me, goes to the CDC
   website and downloads bo120.zip.  They unzip it, and read the readme.

   They simply rename boserve.exe (the trojan) to an innocent sounding name.
   Then they run BOCONFIG.  This gives them the following options:

    * When the trojan is run, what name to hide itself under
    * What port to open
    * What registry name to us
    * An encryption password
    * Plugin to run
    * File to attach

   We really only need to be concerned about the first two, but I will dis-
   cuss the latter in a moment.

   Once boserve.exe (or innocent sounding name) is configured (btw, the
   name it can hide itself under can be any extension, so don't be looking
   for exe, com, dll, and vxd only) the person will either start sending it
   to people just like that, or they'll take apart legitimate zip files and
   add it to the setup routine.

   When you (the victim) receive the file, and are tricked into running it,
   here's what happens.

    1) Boserve looks at it's configuration, and extracts the full trojan
       under the name it's been told to use, and places it in
       C:\WINDOWS\SYSTEM (in this version, that's the default directory)
    2) Edits your registry and gives itself a valid name.
    3) Loads itself into memory and makes itself a lowend level program.
       (Loaded on startup, but not shown in Task Manager)
    4) Opens a listening port on your internet connection

   Once this is done, everytime you are on the net, you are a potential
   target.  DO NOT think that if you are not on irc you can't be hit.
   BO has a nifty addition which scans entire subnets, so if the "elite
   hacker" types in the first 3 sections of an ip, he can scan all 255
   people using it.

03 -- Finding out if your infected

   If you skipped to this section, you are in a hurry.

   1) Open a dos prompt
   2) type: NETSTAT -a -n

      This will list all your connections and open ports.
      If you see an open UDP connection under the following criteria:

      1) The port of the UDP is 31337, 666, 411 (can be others, most common)
      or
      2) The ip of the UDP is 0.0.0.0

      You are infected.

      If you cannot access netstat.exe, arp.exe, or other network identifying
      programs you are probably infected and the "hacker" has melted them.

      If you cannot use netstat, open FIND in Windows 95/98 and look for
      windll.dll (should be in C:\WINDOWS\SYSTEM

      Note that not all UDP connections with 0.0.0.0 mean you are infected,
      try to find someone in #backorifice who will scan you to make sure.
                             (Undernet)

04 -- Identifying the files that are ruining your life.

   There are several ways, the safest is to download anti-gen or something,
   but in all likelyhood, downloading a helper while being attacked on the
   net isn't the brightest thing in the world.

   My main two methods:

   1) Search for the file windll.dll in C:\WINDOWS\SYSTEM, if you find it,
      use method two.

   2) Open FIND again, and set the directory for C:\WINDOWS\SYSTEM
      Go to Advanced, and put: bofile  in the search for text box.

   3) Open a dos prompt
      Switch to C:\WINDOWS\SYSTEM
       (CD SYSTEM)
      Type: DIR /OS /P and go down until you reach the sizes that are 124k

      Open the files and if you see a part that looks like this:


I/O control operation- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data

      Then that file is one of the ones that need to be deleted.
      (Note that the above is included in many legitimate VC++ applications,
      so only delete the ones that are 123-125k)

05 -- Deleting the $&@*#itch BO files

  Most likely you cannot delete the files if you are running Windows, since
  that would be an access violation to kill a file in use.

  Restart in MS-DOS and blow away the files you've indentified.

  For the ms-dos illiterate, type del /? for deletion instruction

  WINDLL.DLL is a Back Orifice Library, delete it with prejudice.

  Registry:  Open your registry data by Start:Run  and the file name is
             regedit

  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
  Use your own discretion when deleting the values, please note that it is
  not actually necessary to delete them after deleting BO.  I urge you to
  use a professional program.

 Afterword:

   This is the first version of Anti-BO.txt

  I'd like to thank Vampress, for inspiring me to write this.  She constantly
  sends BO to IRC newbies and here's her static IP:

  168.95.4.10  (Vampress/S|NBAUD)

  Thanks go to beerman and sk8masta, I got more information from helping them
  rid themselves of BO than anywhere else.

  If you have further questions about BO and it's effects, I can usually
  be found on Undernet, under the name: Xenos, Xenocide, Xenoscide

   9-22-98  Xenoscide    daemus@digicron.com
   Last Updates: 9-21-98
                 9-20-98


 Legal Information:

    This text file is not copyrighted.  It is my wish that it be freely
   distributed as fast and as far as possible.  As for copying and trying
   to the credit; if you are that low of a human being go for it.  You'll
   make yourself seem stupid and ignorant when people start wondering why
   my version was out first, but that is your problem. =)
    If you require any help, or have further questions: email me at
   daemus@digicron.com
    I can usually be found in #backorifice on Undernet (bo removal channel)
    People to trust: El-Jai, VVatchdog, and nuclei (make sure they are from
    #backorifice, heh)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH