The Back Orifice "Backdoor" Program

YOUR security is at risk.

(Last updated 4 November 1999)

First written on 17 Aug, these pages have grown and changed daily as events unfold.

Back Orifice

"Back Orifice" is a hacker's dream, and a Netizen's nightmare.

Back Orifice is not a virus. It is in essence a remote administration tool.

It gives "system admin" type privileges to a remote user by way of the computer's Internet link.

What does this mean? It means that if Back Orifice is running in your computer, a remote operator anywhere on the global Internet can gain access and do almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence.

Back Orifice can arrive disguised as a component of practically any software installation. It can be attached to other files or programs or run on its own. It must be run, by itself or by another application. It then installs itself in seconds, typically erases the original, then may run a specified program. To the user installing an "infected" application, it will appear that all went normally. But from that moment forward, your system offers easy and comprehensive access anytime it is connected to the Internet.

In itself, Back Orifice does not cause any malfunction. It runs quite invisibly to the user, consumes insignificant memory and resources, and does little besides simply open up access to standard Windows 95 functions.

Win95/98 is in essence a networking operating system. It's designed to give access and control to the system administrator on any network to which it is connected. Back Orifice simply implements standard system admin functions and includes a few handy tools for the remote operator's convenience. But it does so very quietly, almost undetectably.

I've created a handy page with the basics about Back Orifice in a Q&A format, with links to helpful hints, more in-depth information and step-by step instructions for detection and removal.

Read on for a broad summary of Back Orifice and its implications, and follow my links, on and off this site, for a comprehensive view of this rather surprising tool.

A little knowledge can render you virtually free of any threat, and may also nudge you down a road of greater utilization and control of your own computer and its Internet connections.


Back Orifice Q&A
Detecting Back Orifice
More on Finding BO
Removing Back Orifice

New!PCHelp's Network Tracer!
Latest Review: Lockdown2000 v2.5.4
The PrettyPark Worm
New Tool Foils Trojans!
Sockets de Troie Author Repents?
Lockdown's Paris Threatens Lawsuit!
Who Runs Lockdown?
PCHelp Tests Lockdown!
Control Your File Sharing
What's Going On With McAfee?
PCHelp Got Hacked!
Virus Alert!
Is BO Legal?
BO Client's Secret Transmissions?

On Anonymity

Finally! A Back Orifice
Detector/Remover Program
Chris Benson's

Back Orifice Eliminator
Works JUST FINE NOW. Bardon Has upgraded BOE and it is now very effective.

Other Anti-BO Tools:
(These are now numerous and soon to be more extensively tested and reviewed)

Does fine with ordinary installs, fails with clever installations.

Toilet Paper
Odd interface, requires reboot to remove the BO server.


Back Orifice was publicly released by the Cult of the Dead Cow (cDc) on 3 August 1998. It has reportedly been downloaded by well over 100,000 people since then.

Its implications are staggering, viewed as a whole. For the first time ever, a relatively simple tool for unauthorized computer intrusion is available to unprecedented numbers of people and is being "implemented" on a mass scale. People are sending the program to one another all over the net, in various guises, wittingly and unwittingly.

I have personally obtained the "Back Orifice" (BO) suite, learned its functions, and proceeded to use it freely for the past three days (as of 17 Aug). Along with a few easily-obtained utilities, I have found every function of Back Orifice works almost flawlessly. I gained experience with it on my own systems, then went "hunting" on the Net. I performed random "sweeps" of hundreds of thousands of Net addresses and easily located dozens of Back Orifice installations in computers all over the world. In each and every case, I had full, unfettered access to the affected system.

Because available methods show me only those "Orifices" without a password, it's difficult to gauge the magnitude of the BO problem. It's trivial to set up BO with password protection, and undoubtedly most of the mischief-makers who're using it are doing so. Based on my sampling, and the assumption that most BOs use passwords, I believe it to be installed in tens of thousands of Win95/98 PCs worldwide.

The number of Orifices is surely growing at a daily accelerating rate. BO will proliferate rapidly until public awareness is raised and software safeguards are widely used. The program can be expected to evolve, and Windows isn't changing anytime soon. So vigilance against BO and tools like it will remain necessary for the foreseeable future.

My guess is, the "Back Orifice" issue is yet to reach anywhere near its full proportions. It got some coverage when cDc released it, but so far (17 Aug) the media hasn't yet done it justice. Online news services have published stories (links on right), and I'm told CNN carried some TV coverage. Expect to see much more media coverage in the near future.


At present I know of no antivirus tools which reliably prevent the installation of Back Orifice or reliably remove it once installed. BODetect is the most effective anti-BO app I've yet seen. BOdetect kills it in operation (so you're safe each time it's run), and can run continuously to provide a high degree of security. Thus far, Symantec's Norton AntiVirus does detect Back Orifice, but does not remove it when running; as does Mcafee (but reportedly less reliably). No doubt updates will appear on websites supporting the various antivirus/security tools. Here's Norton's Security Alerts page and their helpful Security Center. Also see links.

A combination of BODetect and Norton AntiVirus, both kept updated and both run continuously, should give a high degree of protection against BO as well as some against other similar trojans.

But there is no such thing as foolproof commercial software products for this purpose. Your best protection against BO and its ilk is to know a few basics, know the risks, and keep yourself well-informed.

First and foremost, installing or running just any program that's been sent to you is risky. If you receive a program from an unknown individual, or one which is passed on to you by an acquaintance who himself may have accepted it incautiously, realize that running it could cause damage. Back Orifice is only one of the potential consequences. I'm not talking about documents or images, nor e-mails; but programs. Games, utilities, applications, etc.

Detection and Removal

I have compiled a rather large amount of technical info and step-by-step instructions which allow detection and removal of BO. More will follow, including reviews of various countermeasures, some of which may even make it possible to catch an intruder in the act as they use BO or similar to access a system. See this page and watch for the "Countermeasures" link to appear above.


Disabling and/or removing Back Orifice from your own system is relatively easy once you know it's there. It does require just a bit of basic knowledge average users may not possess, but simple instructions can suffice.

All the necessary technical facts are available at the Internet Security Systems website in their Security Alert Advisory on Back Orifice at (By the way, these guys deserve a grateful acknowledgement for being first online with excellent analysis, which made it possible for me to work safely with BO.) However, some may find this a bit too technical. For this reason, I have worked out some simple step-by-step instructions for removing a typical BO. To find those instructions, go here.

In my 3 days of exploration with BO, I found I could not in conscience leave "orificed" people in their predicament. I rescued about a dozen very startled people from their unsuspected plight. Imagine their surprise as this message appeared on their console:

Hello!  I should not have access to your computer...

Most of us keep information of one kind or another in our PCs which is of a private, privileged or financially sensitive nature. With Back Orifice installed, absolutely none of that information is safe from loss and/or prying eyes.

It's a rather shocking revelation, and a scary thing to realize someone else is "in" your computer.

It didn't always work, but I was usually able to establish a dialogue with the victim. In two instances, where the desperate users were incapable of doing it themselves, I have removed BO from the victim's system for them from my own console using BO's own tools. Usually though I have simply informed them of links to information about BO and where necessary, walked them through the removal process.

Needless to say, I've earned some thanks for alerting these folks, and made a new friends in places like Israel, Australia, and New Zealand as well as a couple here in the US.

NOTE: I strongly do NOT recommend that anyone now do as I did then. It is no longer safe to perform broad sweeps of BO's default port. People monitor that port and will complain to your ISP, who may consider it necessary to cancel your account for their own protection.

In my efforts to gauge the problem -- which was my actual purpose -- I readily detected perhaps a hundred systems online with BO, and could easily have found hundreds more. There was not enough time in the day to help them all. So I ceased to try.

Quite aside from time constraints, my ISP has voiced concerns about the legal ramifications. And since I can use my time to do more for more people simply by publishing this page I don't see any point in entering anyone's system uninvited.

However, persons with a severe problem or persistent recurrence of BO may wish to request my help to track down their Orifice. You're welcome to email me. I just ask that you first try BODetect, perhaps other tools as they come online, and use the information on this site to do what you can on your own.

Warning! "Anti-Back Orifice" BOSniffer is bogus! It's BO in disguise!

BOPlug looks for BO's telltale WINDLL.DLL file. On my machines, it halts prematurely and fails to remove any BO.

Back OrifiX
In French! This is a huge 1.5M download. It finds default and some configured BOs. It can scan files, a step in the right direction, but it can't scan subdirs so it's almost useless.

Links: -- Internet Security Systems has "cracked" Back Orifice and reveals the technical facts. If you're a moderately experienced user and know how to edit the Windows Registry, this is the essential information on removal of BO. -- The originator of Back Orifice, the Cult of the Dead Cow is a well-known hacker group, reportedly the oldest such group in existence. They offer the full "suite" of Back Orifice for download at their site. Technically skilled persons will find it fascinating. Believe it or not, Back Orifice has wonderful potential as a legitimate tool.
ABCNEWS.COM story: Windows Faces Hack Attack. “This is a very impressive piece of software. It could do a lot of damage.” — Bruce Scheiner, computer security expert
C|Net NEWS.COM story: Windows "back door" raises flags. Microsoft, apparently more concerned about public opinion than its customers' security, downplays the threat posed by BO to ordinary Netizens.
C|Net NEWS.COM story: Programmers protest with code. cDc claims its purpose in creating and releasing BO is to raise awareness about security and force Microsoft to make a better product for consumers: "Do you sweep these kinds of things under the rug, or get the problem out there and shed light on it so you can start solving it?"
ZDNN 11 Aug 98: Is 'Back Orifice' a threat -- or an educational tool? ZDNN's Robert Lemos notes a key fact -- it's not merely the nature of BO but its sheer numbers of users and victims that defines its magnitude. "A virulent hack in the hands of a tens of thousands or even hundreds of thousands of users seems a significant threat." Says Sir Dystic, BO's creator, "By releasing Back Orifice to the public, every 14-year-old that wants to be a hacker will try it."
Wired News story: Back Orifice a Pain in the ...? "This application appears to be similar to a mix of pcAnywhere and Citrix Winframe -- it allows remote control and viewing of remote computers. "However, unlike those applications, the user may be unaware that it is running ... this application can run invisibly." - Jonathon Orbeton, Network security consultant
(Same story:
news/wired/19980729/ )
Wired News story: Microsoft Discounts Threat. The Back Orifice program is not as threatening as billed, says Microsoft.
Wired News story: ISS Chimes In on Back Orifice. "Back Orifice provides an easy method for intruders to install a back door on a compromised machine," says the alert from the security software and consulting company.
Wired News story: Back Orifice Goes Forth. "As ISPs begin to hear complaints from clients, independent security groups are scrambling to find ways to detect and remove the Back Orifice hacker program from infected machines. But Microsoft remains remarkably reticent about the threat."
Cu.Digest.10.41.Sun.26.J.html#File 6
The cDc's news release of 24 July, quoted in full in The Computer Underground Digest. The cDc release points out the positives: "The two main legitimate purposes for BO are, remote tech support aid and employee monitoring and administering [of a Windows network]." But the less scrupulous possibilities are very well recognized. "... Microsoft has leveraged itself into a position where anyone who wants to can download an app [or write their own!] and learn a few tricks and make serious shit happen."

Slashdot, a news-for-nerds E-zine, has followed the BO story:


You are visitor number

since 26 Sept 98
FastCounter courtesy of LinkExchange

My service provider is in no way responsible for the content of this site. NWI, as per its terms of service, neither endorses nor controls any material I may publish here.