


Definitively defeat Back Orifice




       __    ______ _____ __ __  __    _____  ____  ____    ___  ___
      / /   / __  // ___// // / / /   / ___/ / __/ / __/   / _ \/ _ \
     / /__ / /_/ // /__ / _  / / /__ / ___/__\ \ __\ \     \_  /\_  /
    /____//_____//____//_/ \_\/____//____//____//____/      /_/  /_/

                                                          ...we fly high...

                                                       - Lord Anshar

                                  presents

             A very quick and easy guide to definitively defeat
             Back Orifice and other trojans and remove them from
                               your system

                   written by Lord Anshar in September 99


Type of production: [ ] Patch - [ ] Serial - [ ] Keygen - [X] Other
Cracker: none
Coder: Lord Anshar
Supplier: none


-=Intro=-
Back Orifice, like other programs of its kind that can be found on the net, is
a trojan horse: a remote administration program composed of two parts, a
server and a client.
Usage is very simple: the server (in most cases called SERVER.EXE) has to be
executed on the "victim"'s computer at least once. This opens a sort of hole
in TCP/IP, the protocol PCs use to connect and communicate via the internet,
which lets someone "enter" the "broken" (or "infected") PC while the victim is
online and execute various commands, from an innocent CD-ROM tray opening to
a more harmful inspection or formatting of the hard disk.
To infiltrate it is enough to know the IP of the infected computer and to use
the client matching the server it has been infected with.
There are programs such as antiBackOrifice which keep watching the hole (in
slang the "backdoor") to block infiltrations, but they do not remove the
backdoor, which is still there and always open (so the PC stays potentially at
risk from anyone who's more than a lamer).
-=How to=-
To completely remove the infection there are many programs which can be
downloaded from the net, but to avoid wasting download time there is a very
easy method which is much quicker and cheaper (as far as the phone bill is
concerned): using REGEDIT.
Regedit is nothing more than a Windows program (it is called REGEDIT.EXE and
it's located in the Windows directory) used to edit the configuration
registry by hand.
Indeed all a server does to be always running is copy itself to your Windows
directory and modify your configuration registry so that it is loaded
automatically at every Windows startup: in practice the same as copying a
program to the "Startup" folder of the Start menu, with the only difference
that this way it's invisible to a common user.
Most servers (like Back Orifice's or Wincrash's) once executed also take care
of deleting the REGEDIT.EXE file to make their removal harder (how much
harder... it's enough to take the Windows CD and copy the file back to the
Windows directory; it's located in the CAB 40 file).
Finally, this is what has to be done to definitively remove Back Orifice:

1. Copy the REGEDIT.EXE file back from the Windows CD (CAB 40) to the Windows
   directory if needed

2. Choose the "Run" command from the Start menu

3. Enter "regedit" (without the quotes) and press Enter

4. Now the configuration registry is shown.
   In the left half of the screen there are 6 folders which represent the
   registry keys; the one to target is named HKEY_LOCAL_MACHINE. Opening it,
   other folders will appear; the next one to open is Software, then
   Microsoft, then Windows and CurrentVersion.
   Finally the last one to open is Run. Once it is opened, many entries will
   appear in the right half of the screen (the number depends on the programs
   installed on the system, but some are always the same, such as SystemTray
   or LoadPowerProfile), divided into two fields: Name and Data (the field
   names may vary in other languages of the operating system; you can read
   them at the top). Among these entries there will be one which has in the
   Data field (never mind what's in the Name field) something like
   "C:\WINDOWS\server.exe" or "C:\WINDOWS\boserve.exe" (with Back Orifice the
   second is the most probable).
   To definitively defeat Back Orifice the only thing to do is delete that
   row (just highlight it and press Delete), refresh the registry view with
   F5 and quit Regedit.

5. After rebooting the system there will be no trace of Back Orifice anymore
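The same check, scripted for a modern Windows host as an added example (it is not part of the original guide): it lists the Run key the steps above walk through, flags entries that launch the file names the guide mentions or an unlisted program sitting directly in the Windows directory, and shows what Remove-ItemProperty would delete without deleting it. The "known" names, the suspicious file names and the directory heuristic are assumptions taken from the guide, not an exhaustive baseline.

```powershell
# Added example (not from the original guide): audit the Run key on a modern Windows host.
# Known names and suspicious file names are assumptions taken from the guide, not a baseline.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Entries the guide says are normally present on a Windows 9x system.
$knownNames = @('SystemTray', 'LoadPowerProfile')

# Server file names the guide associates with Back Orifice.
$suspiciousExe = @('server.exe', 'boserve.exe')

function Get-RunEntries {
    param([string]$Path = $runKey)
    $props = Get-ItemProperty -Path $Path
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Name = $p.Name; Data = [string]$p.Value }
    }
}

function Get-LaunchedExe {
    param([string]$Data)
    # Keep only the program path: a quoted path up to the closing quote,
    # otherwise everything up to the first space (arguments are dropped).
    $d = $Data.Trim()
    if ($d.StartsWith('"')) { return $d.Substring(1).Split('"')[0] }
    return $d.Split(' ')[0]
}

function Test-SuspiciousEntry {
    param([pscustomobject]$Entry)
    $exe    = Get-LaunchedExe $Entry.Data
    $leaf   = [System.IO.Path]::GetFileName($exe)
    $parent = [System.IO.Path]::GetDirectoryName($exe)
    # Flag the file names from the guide, or any unlisted program that sits directly in
    # the Windows directory (where the guide says the server copies itself).
    $directlyInWindows = $parent -and ($parent.TrimEnd('\') -ieq $env:windir.TrimEnd('\'))
    return ($suspiciousExe -contains $leaf) -or
           ($directlyInWindows -and ($knownNames -notcontains $Entry.Name))
}

# Report every entry; for flagged ones show what would be removed without removing it.
foreach ($entry in Get-RunEntries) {
    $status = if (Test-SuspiciousEntry $entry) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-24} {2}' -f $status, $entry.Name, $entry.Data
    if ($status -eq 'REVIEW') {
        # Drop -WhatIf (or use -Confirm) to actually delete the entry, as step 4 does in Regedit.
        Remove-ItemProperty -Path $runKey -Name $entry.Name -WhatIf
    }
}
```

Run it from an elevated PowerShell; a flagged entry should be checked against what the program actually is before removing it.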


For any question feel free to write at: lockless@email.com
Visit our website at: http://lockless.tsx.org
                      http://come.to/lockless
                      http://fly.to/lockless

