Back Orifice removal
You should remove it from your system as soon as possible.

Back Orifice description by publisher:

...which allows the client software to watch, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or the GUI client can be run on any MS Windows machine.

To install the server, the server executable simply needs to be launched. When the server executable is run, it installs itself and then deletes itself. This is useful for network environments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots. To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host and use the Process spawn command to execute it. When run, the server will automatically kill any applications running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran.

Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconf.exe tool. If the server isn't configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).

The client communicates with the server through encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password the server was configured with. The port the client forwards its packets from can be defined using the -p option with both the GUI and text clients.

If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server, or the return packets might be blocked on their way back to the client.

Actions are performed on the server by sending commands from the client to a specific IP address. If the server machine isn't on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the GUI client using the "Ping..." dialog or by entering a target IP of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as the subnet list and will display the first line of the first file it finds with the filename of the subnet.

The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the GUI and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The GUI sets the labels of the two parameter fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required data was not supplied with the command, the error 'Missing information' will be returned by the server.

The functions of this trojan are:
• Spawns a text-based program on a TCP port.
• Stops a program from listening for connections.
• Lists the programs currently listening for connections.
• Creates a directory.
• Lists files and directories. You must specify a wildcard if you want more than one file to be listed.
• Removes a directory.
• Creates an export on the server.
• Deletes an export.
• Lists current shared resources (name, drive, access, password).
• Copies a file.
• Deletes a file.
• Searches a directory tree for any files that match a wildcard specification.
• Compresses a file.
• Decompresses a file.
• Views the contents of a text file.
• Disables the HTTP server.
• Enables the HTTP server.
• Logs typed-in key sequences on the server machine to a text file.
• Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'.
• Captures video and audio (if available) from a video input device to an AVI file.
• Captures a frame of video from a video input device to a bitmap file.
• Captures a picture of the server machine's screen to a bitmap file.
• Lists video input devices.
• Plays a WAV file on the server machine.
• Lists current incoming and outgoing network connections.
• Disconnects the server machine from a network resource.
• Connects the server machine to a network resource.
• Views all network interfaces, domains, servers, and exports visible from the server machine.
• Pings the host machine.
• Returns the machine name and the BO version number.
• Executes a Back Orifice plugin.
• Tells a specific plugin to shut down.
• Lists active plugins or the return value of a plugin that has exited.
• Terminates a process.
• Lists running processes.
• Runs an application. Otherwise it will be launched hidden or detached.
• Redirects incoming TCP connections or UDP packets to another IP address.
• Stops a port redirection.
• Lists active port redirections.
• Creates a key in the registry.
• Deletes a key from the registry.
• Deletes a value from the registry.
• Lists the subkeys of a registry key.
• Lists the values of a registry key.
• Sets a value for a registry key.
• Resolves the IP address of a machine name relative to the server machine.
• Creates a dialog box on the server machine with the supplied text and an 'OK' button.
• Displays system information for the server machine.
• Locks up the server machine.
• Displays cached passwords for the current user and the screen saver password.
• Shuts down the server machine and reboots it.
• Connects the server machine and saves any information received from that connection to the specified file.
• Connects the server machine and forwards the contents of the specified file, then disconnects.

This RAT is also known as:
• Back_Orifice.2000 trojan - named by Eset.
• Backdoor.BO.a - named by s.
• Backdoor.BO.a2.
• Backdoor.BO.a2 - named by Kaspersky.
• Backdoor.BO2K.11.a - named by Kaspersky.
• Backdoor.BO2.13.d - named by a.
• Bckdoor.BO2K.b.
• Backdoor.BO2K.cfg.
• Backdoor.BO2K.client.
• Backdoor.BO2K.config - named by Kaspersky.
• Backdoor.BO2.plugin.Hijack - named by a.
• Backdoor.BO2K.server - named by Kaspersky.
• Backdoor.BO2K.workspace - named by Kaspersky.
• Backdoor/BO2K!Server - named by Computer Associates.
• Backdoor/BO2K.11.Server - named by Computer Associates.
• BackOrifice - named by o.
• Bck/BO2K.Srv.A - named by Panda.
• BO - named by a.
• BO2K/Config.srv - named by Panda.
• BO2K/Workspace - named by Panda.
• Orifice2K - named by McAfee.
• security risk or a "backdoor" program - named by F-Prot.
• Trojan - named by -.
• W32/Bo2K.139264 - named by F-Prot.
• Win32.BackOrifice2000.10 - named by Computer Associates.
• Win32.BO2K.server.11 - named by Computer Associates.
• Win32/BO.C trojan - named by Eset.
• Win32/BO2K.11 trojan - named by Eset.
• Win32/BO2K.Config trojan - named by Eset.
• Win32/BO2K.Workspace trojan - named by Eset.
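The publisher's description above gives two defaults that an unconfigured server leaves behind on a host: a UDP listener on port 31337 and an install file named " .exe" (space dot exe) that runs from the Startup directory at boot. The Python script below is an added example written for this page; it is not code from the original entry or from the Back Orifice authors. It checks a host snapshot for both defaults. The netstat-style socket listing and the Startup-folder file list it works on are constructed sample data embedded in the script, and the function names are this example's own.

```python
"""Check a host snapshot for the default Back Orifice indicators named above.

Added example for this page; it is not code from the original entry or
from the Back Orifice authors. The two indicators come from the entry:
an unconfigured server listens on UDP port 31337 and installs itself as
" .exe" (space dot exe) in the Startup directory. Both defaults can be
changed with boconf.exe, so a clean result covers only the defaults.
The netstat-style listing and Startup-folder entries below are
constructed sample data, not output captured from a real host.
"""
import re
from dataclasses import dataclass

DEFAULT_BO_PORT = 31337
DEFAULT_BO_NAME = " .exe"

# Constructed sample: laid out like "netstat -an" on Windows, with one
# UDP socket bound to the Back Orifice default port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Constructed sample: file names from a user's Startup folder, one of
# which is the default install name (a single space before ".exe").
SAMPLE_STARTUP = ["desktop.ini", "OneDrive.lnk", " .exe", "updater.exe"]


@dataclass(frozen=True)
class Finding:
    kind: str    # "udp_listener" or "startup_file"
    detail: str  # the socket or file name that triggered the finding


# One netstat line: protocol, local address, local port, foreign address.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")


def udp_listeners(netstat_text: str) -> list[tuple[str, int]]:
    """Return (local address, port) for every UDP socket in netstat-style text."""
    sockets = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m and m.group(1) == "UDP":
            sockets.append((m.group(2), int(m.group(3))))
    return sockets


def is_default_bo_name(filename: str) -> bool:
    """True for the default install name: only whitespace before ".exe"."""
    stem, dot, ext = filename.rpartition(".")
    return dot == "." and ext.lower() == "exe" and stem != "" and stem.strip() == ""


def scan(netstat_text: str, startup_entries: list[str],
         port: int = DEFAULT_BO_PORT) -> list[Finding]:
    """Collect findings for the default port and the default install name."""
    findings = []
    for addr, p in udp_listeners(netstat_text):
        if p == port:
            findings.append(Finding("udp_listener", f"{addr}:{p}"))
    for name in startup_entries:
        if is_default_bo_name(name):
            findings.append(Finding("startup_file", repr(name)))
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; prints one line per finding.
    for f in scan(SAMPLE_NETSTAT, SAMPLE_STARTUP):
        print(f"{f.kind}: {f.detail}")
```

On a real host you would pass the text of `netstat -an` and a directory listing of the Startup folder in place of the two samples. The `port` parameter exists because the entry notes the listening port can be reconfigured with boconf.exe; an absence of findings only rules out the default configuration, and the default install name is matched on any whitespace-only stem so that a name padded with more than one space is still caught.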
© 2005-2008 www.spywaredb.com. All rights reserved. webmaster@spywaredb.com