About LmBO, a modified Back Orifice server BKI:


Last updated : 1/20/1999

LmBO is a modified BackOrifice server that is much smaller in size and
better able to hide from antivirus/antitrojan software that detects or
removes BO.

The following changes have been made (the indented line under each item is
my comment):

   * Message Procedure has been disabled
     This never functioned correctly anyway, so makes the server smaller.
   * Complete Icon Make-over
     Icons of the server are now similar to the MSDOS prompt icons.
   * Enhanced Program Loading time
     I couldn't tell the difference.
   * 30% Code Optimization, means lesser File Size
     The server is now 76K, where it used to be over 100K.
   * 100% Undetectable by any Back Orifice Remover out there!
     It hasn't been out too long, so I'm sure this is true... for now.

The BackOrifice removal instructions now have information about LmBO as
well; the exact changes are shown below.

The server still operates on port 31337 UDP. This can still be changed.
The main difference is the registry key, and server name.
Using regedit you will want to go to the key

and look for the item
WindowsTour ="Tour98.exe"

NOTE: On a true Windows 98 system there is a Windows tour, and on the one
98 machine we have access to, we could not find any 'tour' items in the
registry. However, we don't have enough information to determine whether
this item is just added to the registry to confuse users, or whether it
truly replaces real Windows system files with itself.

The actual BackOrifice server can be found at
c:\windows\system\tour98.exe 76k

The same removal process is needed here as with previous versions of BO.
Fix registry; reboot computer; delete server file.
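
Because the key name does not appear in the text above, one way to check a
machine is to search a full regedit export for the value instead. The
following is an added example, not part of the original write-up or of any
BO removal tool; it goes slightly beyond the text by also matching the
Tour98.exe file name under any value name, and the key names in the sample
export are constructed placeholders.

```python
import re

# Indicators from the write-up above: the value name and the server file name.
VALUE_NAME = "windowstour"
SERVER_FILE = "tour98.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")
# String values only: "name"="data" or @="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # In a .reg export a backslash quotes the character that follows it.
    return re.sub(r"\\(.)", r"\1", text)


def find_lmbo_values(reg_text):
    """Return (key, value name, data) for entries matching the LmBO indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        # Compare on the file name only, so a full path still matches.
        base = data.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        if name.strip().lower() == VALUE_NAME or base == SERVER_FILE:
            hits.append((key, name, data))
    return hits


# Constructed sample export. The key names are placeholders, not real keys.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\EXAMPLE\PlaceholderKey]
"WindowsTour"="Tour98.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\EXAMPLE\OtherPlaceholderKey]
"Renamed"="C:\\WINDOWS\\SYSTEM\\TOUR98.EXE"
'''

if __name__ == "__main__":
    for key, name, data in find_lmbo_values(SAMPLE):
        print(f"[{key}] {name} = {data}")
```

Treat a hit as a lead to confirm against the 76k file at
c:\windows\system\tour98.exe, since a real Windows tour entry may exist.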

More information will be appended as it is verified.

