Finding Your Back Orifice
These instructions will unearth most Orifices. Not all!
For more detailed and effective (but more technical) methods, go here.
If you have no idea what the Registry is, go down this page to For the Clueless.
If you're already familiar with the Registry Editor, simply open REGEDIT and look at the values under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
If the only thing listed there is the (Default) value, showing "(value not set)", then you're Orifice-free.
In its present incarnation (version 1.2), Back Orifice normally puts something in this Registry key.
Most home PCs will have nothing under this entry other than the (Default) value. However, some legitimate programs do use it: McAfee's Virus Shield, as one example, may have an entry here, as may other valid programs.
But IF YOU DO HAVE BO, SOMETHING will be entered as a value under this key. Roughly half the time it will be the default: a value named " .exe" (space-dot-exe), which is the default filename of the BO server.
That default is likely to be the one most often used, but the BO filename can be anything.
Also: usually there will NOT be a path (such as "c:\Program Files\..."). Just a filename.
If there is anything there at all -- anything other than "(value not set)", which, note, will NOT have quotes around it in REGEDIT -- then you may possibly be hosting Back Orifice. It's time to find out for sure.
Bear in mind: multiple copies of BO can coexist. There may be more than one.
Before we actually change the Registry, let's make sure we know what we're doing. Whatever file name (or names) you found in the Registry, look for those files in the C:\WINDOWS\SYSTEM directory or in the directory specified. For this, use the Windows Explorer.
Look at the file in Explorer. Note the icon next to the file... there isn't one! The BO server's icon is transparent, so Explorer shows a blank where an icon should be.
The filename might be anything at all. If it ends in .exe or has no extension, the icon will be blank. But it can be named literally anything, and if it has some other recognized extension, Windows will assign it the icon for that file type instead.
NOTE: if you don't have Explorer set up to show file extensions, the 3-letter extensions will be missing from the end of every filename, and the " .exe" file will show up as a nearly empty entry.
But the blank icon is still a giveaway, as is the file size: the BO server will always be 122KB or larger.
If this is what you found, YOU HAVE B.O.!
Don't bother trying to delete the file. Windows won't let you do it, because it is in use by the system. In fact, if you found a file you thought might be Back Orifice and Windows allowed you to delete it ... it quite possibly wasn't BO, and it certainly wasn't the copy of BO that we need to remove.
I have discovered that it IS POSSIBLE to configure BO to run from a directory OTHER THAN the Windows\System directory! If the filename config (which appears in the key value) contains an invalid filename, or a pathname (valid or not), BO will not delete itself and often it will not place a copy of itself in the System directory. The ISS alert fails to mention this important fact.
Also -- and this is where it can get very difficult -- BO can be set up with an entry in some other part of the Registry, or it may be run by other means, from any drive or directory. If you delete a suspicious Registry entry and it reappears each time the system is rebooted, this is what's going on.
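The checks above, from reading the RunServices values through looking for each named file and its size, can be done by script once the key has been exported with REGEDIT (REGEDIT /E writes a text file). The following is an added example, not code from the original page or from any BO tool: it parses a constructed REGEDIT4 export of the RunServices key, stands in for the C:\WINDOWS\SYSTEM listing with a constructed dictionary of path -> size so it runs offline, and reports every value with the reasons it deserves a look. The value names, paths and sizes in the sample are made up for illustration; the 122KB threshold and the " .exe" default name are the ones stated above.

```python
"""Added example, not from the original page: triage a REGEDIT4 export of the
RunServices key the way the walkthrough above does by hand.

Hypothetical setup: the export came from
    REGEDIT /E rs.reg "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices"
and the file system is represented by a dict of upper-cased path -> size so
the script runs offline.  All sample values and sizes are constructed."""
import re

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"   # where a bare filename in the value is looked for
BO_MIN_SIZE = 122 * 1024            # the BO 1.2 server file is 122KB or larger
BO_DEFAULT_NAME = " .exe"           # space-dot-exe, the server's default filename

# Constructed export: one legitimate-looking entry (the McAfee case mentioned
# above), a default BO install, and a copy configured to run from elsewhere.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"McAfeeVShield"="C:\\PROGRA~1\\MCAFEE\\VSHWIN32.EXE"
" .exe"=" .exe"
"winupd"="C:\\TEMP\\WINUPD"
'''

# Constructed directory listing (upper-cased full path -> size in bytes).
# C:\TEMP\WINUPD is deliberately absent: BO configured with a pathname
# need not leave a copy where the value says.
SAMPLE_FS = {
    r"C:\PROGRA~1\MCAFEE\VSHWIN32.EXE": 53248,
    r"C:\WINDOWS\SYSTEM\ .EXE": 124928,
}

_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")\s*=\s*"(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # REGEDIT4 doubles backslashes and escapes quotes inside string data
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_values(reg_text, key):
    """Return {value_name: data} for the string values under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if not m:
            continue        # blank lines and non-string (hex:, dword:) data are skipped
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group("name"))
        values[name] = _unescape(m.group("data"))
    return values

def resolve(data, filesystem):
    """A bare filename is looked for in C:\\WINDOWS\\SYSTEM, as the walkthrough
    does; a value that carries a path is looked for where it points."""
    target = data if "\\" in data else SYSTEM_DIR + "\\" + data
    return target, filesystem.get(target.upper())

def triage(reg_text, filesystem):
    """One (name, data, verdict, reasons) tuple per RunServices value.

    "probable BO": the default ' .exe' name, or a bare filename that resolves
    to a 122KB-or-larger file in the System directory.
    "inspect": everything else.  Legitimate entries (the McAfee example) land
    here too; the point above is that ANY entry deserves a look."""
    report = []
    for name, data in parse_reg_values(reg_text, RUNSERVICES_KEY).items():
        if name == "(Default)" and data == "":
            continue                        # REGEDIT shows this as (value not set)
        target, size = resolve(data, filesystem)
        bare = "\\" not in data
        reasons = []
        if data == BO_DEFAULT_NAME:
            reasons.append("default BO server filename (space-dot-exe)")
        reasons.append("bare filename, no path" if bare else "explicit path: " + data)
        if size is None:
            reasons.append("nothing at %s; search other drives and directories" % target)
        elif size >= BO_MIN_SIZE:
            reasons.append("%d bytes, 122KB or larger" % size)
        else:
            reasons.append("%d bytes, smaller than the BO server" % size)
        probable = data == BO_DEFAULT_NAME or (bare and size is not None and size >= BO_MIN_SIZE)
        report.append((name, data, "probable BO" if probable else "inspect", reasons))
    return report

if __name__ == "__main__":
    for name, data, verdict, reasons in triage(SAMPLE_REG, SAMPLE_FS):
        print("%-16r %-12s %s" % (name, verdict, "; ".join(reasons)))
```

The verdicts are heuristics that mirror the page's own rules of thumb, nothing more: a bare filename that is not BO's default but is large will be called "probable", and a BO copy that was configured with a pathname comes out as "inspect" with a note that the file is not where the value says, which is exactly the case where the manual search of other drives and directories has to take over.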
To remove BO if you've found it, follow the links and instructions here.
These instructions will find a majority of Orifices. But as noted above, my experience has demonstrated it can be hidden other ways. This page details some more involved methods for detecting BO and other similar backdoors. It can get complex, and unfortunately may require some expertise; but I am certain these manual methods, used well, can track down BO 100% of the time.
For the Clueless
If you have no idea what the Registry is, that's no surprise. Many Windows users don't. Editing the Registry isn't generally advisable for the casual user (it's a great way to screw up your Windows setup). But the handy REGEDIT program hides (usually unknown and unused) in every Windows machine.
Click on Start, then on Run..., and the Run dialog box will appear.
Type "regedit" in the "Open:" entry space.
Now click the "OK" button or hit Enter. The Registry Editor will start. Touch nothing.
Now hit the F3 key. That's above the "4" key on most keyboards. The Find dialog will appear.
In the "Find what:" entry space, type "RunServices", then make sure the "Keys" and "Match whole string only" checkboxes are selected.
Now hit the "Find Next" button. The Registry Editor will take a few moments to locate the exact key you need to see, and it will then display it.
Now go to the top of this page and continue as indicated there.