

TUCoPS :: Hacking Techniques :: fixbo2k.txt

How to remove Back Orifice 2000 (BO2K) from your system




BackOrifice2k_FIX.txt (Rev 1.0) 7/14/1999
* (Rev 1.1) 4/18/2000 - Addition of NT removals


This guide describes how to remove the Back Orifice 2000 backdoor
(also referred to as BO2K or BO 2k) from your system.
Brought to you by #hackfix @EFNet, written by Disturbed and Snowz.
NT removals provided by TrendMicro Inc.

==+==  Introduction  ==+==

BackOrifice 2k was designed to overcome one limitation of older
versions of BackOrifice (as well as most other trojans):
  it runs under Windows NT, the OS used in preference to 95/98 in
  businesses and corporations.

Where NT used to be almost untouchable, simply because no trojans would
run on it, it is now as fair game as Windows 95/98.


BO 2k installs differently on 95/98 than it does on NT.
We have documented and tested the trojan on our 95 machine; at the time
of Rev 1.0 we did not have access to Windows NT to run tests there.

Below you will find removal information for 95/98, followed by the NT
section added in Rev 1.1, which was provided by Trend Micro.


==+==  Removing BO 2k from Windows  95 / 98  ==+==

BO2K is very easy to remove from a 95/98 based system.
Seeing as how the trojan was centred around NT, this is understandable.

The information below describes the default values BO2K uses. Whoever
configures the server can change any or all of them, so treat the file
name and registry entry below as the first things to look for, not the
only ones.

The trojan copies itself to C:\windows\system\umgr32.exe

It adds an autostart value under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The value listed will read:

umgr32 = 'c:\windows\system\umgr32.exe'



Either navigate to that key in regedit, or use Edit > Find in regedit to
search for 'umgr32'. Because the name and path are configurable (see
above), also look over every other value under the Run and RunServices
keys and confirm you recognise each program listed there.

Delete the umgr32 value (only that value, not the whole RunServices key,
which holds other programs that start with Windows) and reboot the
system. The reboot matters: the server is already running from
RunServices, and Windows will not let you delete an executable that is
in use. After you reboot, use Windows Explorer to delete the file itself.

You should then be disinfected!



==+==  Removing BO 2k from Windows  NT  ==+==


 
By default, the Server/Dropper portion of BO2K edits the Windows
registry by adding a "UMGR32.EXE" value under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

BO2K has stealth capabilities and, if configured to do so, will not show
up in Windows Task Manager. With the default setting, Task Manager shows
the UMGR32 task running as a Remote Administration Service.

Note: Because the Server portion can be custom configured before being
sent, the value name may have been changed to something else, depending
on the file that was dropped!

[REPAIR]
To clean BO2K from the infected system, you must use a Windows registry
editor such as REGEDIT.
1. Take note of all the detected files.
2. Search the registry for values that reference any of the detected
 files on your list. By default this is the "UMGR32.EXE" value under:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Delete those values from the registry (only the BO2K entries, not the
 whole Run key, which also holds legitimate programs).
4. On Windows 95/98, shut down to DOS and manually delete the listed
 files (by default UMGR32~1.EXE, as the file appears from DOS) from the
 \WINDOWS\SYSTEM directory, then reboot the system.
5. On Windows NT, reboot first so the process is no longer in memory,
 then delete the UMGR32.EXE file from the \WINNT\SYSTEM32 directory.
6. Scan your system once more to make sure you have removed all BO2K
 variants installed on it. If anything is still detected, return to
 Step 1.

[MANUAL DETECTION]
Note: This only holds if the BO2K Trojan was sent to you with the default
configuration!

1. Look in your \WINDOWS\SYSTEM (Windows 95/98) or \WINNT\SYSTEM32
 (Windows NT) directory for a file called UMGR32.EXE.
2. Alternatively, look in Windows Task Manager for the UMGR32 service
 process.
3. Follow the steps outlined in [REPAIR].
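The check that both the 95/98 section and the [REPAIR] / [MANUAL DETECTION] steps above describe, searching the autostart registry keys for the dropped file, can be done offline against a regedit export of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion taken from the suspect machine. Doing it that way also covers the caveat in the note above: a customised server can use any name, so every autostart entry that is not on an analyst allowlist is reported, not just "umgr32". The script below is an added example for this archive copy, not hackfix or Trend Micro code; the RunOnce key, the KNOWN_GOOD allowlist and the sample export are assumptions constructed for the example.

```python
import re
import sys

# Autostart keys checked.  RunServices (95/98) and Run (NT) are the
# locations named in the text above; RunOnce is added as an assumption,
# being another standard Windows autostart location that costs nothing to check.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Default BO2K server file names from the text (long name and the DOS name),
# and the default value names seen on 95/98 and NT.
DEFAULT_FILES = ("umgr32.exe", "umgr32~1.exe")
DEFAULT_VALUE_NAMES = ("umgr32", "umgr32.exe")

# Analyst-maintained allowlist of value names already verified as legitimate.
# Constructed for this example: anything not on it is reported for review.
KNOWN_GOOD = {"systemtray"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse a regedit export (REGEDIT4 or Version 5.00 header) into
    {key_path_lowercased: {value_name: data}} for plain string values.
    dword, binary and hex(2) values are ignored; autostart entries are strings."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            keys.setdefault(current, {})
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            # regedit writes backslashes and double quotes escaped in string data.
            data = value_match.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][value_match.group("name")] = data
    return keys


def scan_autostart(keys):
    """Return a list of (key, value_name, data, reason) for every autostart
    value not on the allowlist.  Entries matching the BO2K defaults are
    called out; every other unrecognised entry is reported too, because a
    customised server can use any name and path."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() in KNOWN_GOOD:
                continue
            # Some entries quote the path; compare on the bare file name.
            target = data.strip().strip('"').lower()
            filename = target.replace("/", "\\").rsplit("\\", 1)[-1]
            if filename in DEFAULT_FILES or name.lower() in DEFAULT_VALUE_NAMES:
                reason = "matches default BO2K server name"
            else:
                reason = "unrecognised autostart entry, verify before deleting"
            findings.append((key, name, data, reason))
    return findings


def read_reg_file(path):
    """Read a .reg file: Version 5.00 exports are UTF-16 with a BOM,
    REGEDIT4 exports from 95/98/NT4 are 8-bit text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


# Constructed sample export (not from a real machine): a Windows 98 style
# RunServices entry with the BO2K default, plus an unknown entry under Run.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ntmon"="C:\\WINNT\\SYSTEM32\\ntmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"umgr32"="c:\\windows\\system\\umgr32.exe"
"""


def main(argv):
    # Pass the path of the .reg export copied from the suspect machine;
    # with no argument the constructed sample is scanned instead.
    text = read_reg_file(argv[1]) if len(argv) > 1 else SAMPLE_EXPORT
    findings = scan_autostart(parse_reg_export(text))
    for key, name, data, reason in findings:
        print(reason)
        print("  " + key)
        print('  "' + name + '" = ' + data)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a clean host, then delete only the values it reports and you have confirmed are BO2K, following the [REPAIR] steps for the reboot and the file removal; the allowlist is meant to grow as you verify the legitimate entries on your own systems.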
 
 
[CREDIT] 
The Windows NT information above was provided by
Trend Development and Support Center
Trend Micro, Incorporated
Makers of PcCillin AntiVirus software.
http://www.antivirus.com/




==+==  References and more information  ==+==

The home page of the creators of this document can be found at
  http://www.hackfix.org/

Or you can always visit the channel #hackfix on the EFNet IRC network,
the place where it all began.

Working together to make irc a better and safer place for everyone.....


