Symantec Security Response
http://securityresponse.symantec.com

Information on Back Orifice and NetBus

Last Updated on: January 17, 2005 09:25:59 AM PST

This document provides a detailed technical explanation of the Back Orifice tool. There is another tool known as "NetBus" which has capabilities similar to Back Orifice. However, NetBus Pro version 2.1 has been redesigned such that it is not hidden by default. This allows the program to be used as a legitimate remote control tool, although unscrupulous users might still attempt to use it for illegitimate purposes. The latest virus definitions detect both Back Orifice and NetBus.
Back Orifice Overview
Back Orifice comprises two main pieces: a client application and a server application. The client application, running on one computer, can be used to monitor and control a second computer running the server application. The operations that the client application can perform on the target computer (the computer running the server application) include the following:

Execute any application on the target computer.
Log keystrokes from the target computer.
Restart the target computer.
Lockup the target computer.
View the contents of any file on the target computer.
Transfer files to and from the target computer.
Display the screen saver password of the current user of the target computer. The creators of Back Orifice also claim to be able to display "cached passwords" for the current user, but no other passwords were displayed during our analysis.

Server application installation
For Back Orifice to work, the server application must be installed on the target computer. This involves executing the server application on the target computer. The server application is a single executable file with a size of just over 122 KB. The application creates a copy of itself in the Windows\System folder and adds a value containing its file name to the Windows registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The specific registry value that points to the server application is configurable (see the following section on configuration). By doing so, the server application always starts whenever Windows starts, and thus is always active. The application will not appear in the Windows task list.

Target computer requirements
The target computer must be running either Windows 95 or Windows 98. The server application will not run on Windows NT. The target computer must have TCP/IP network capabilities.

Communication
The client application communicates with the server application using TCP with encrypted UDP packets.

Configuration of the server application
The server application can be configured with the following parameters:

Its installed file name
The communication port
The name of the value that it will add to the registry
A password for encrypting the client/server packets used for communication
A custom plug-in DLL to run with the server application

Default configuration
By default, if the server application has not been otherwise configured, the installed file name is " .exe" (a space followed by ".exe"), the communication port is 31337, the registry value name is empty (the default registry value entry is used), and no password is used (although the communication is still encrypted).

Removal Instructions
To remove Back Orifice, delete the Windll.dll file, and then remove the Windows registry value that runs Back Orifice when Windows starts.

To delete the Windll.dll file:

Click Start, point to Find, and click Files or Folders. The Find: All Files dialog box appears.
Make sure that "Look in" is pointing to C: or All hard drives, and that "Include subfolders" is checked.
In the "Named" box, type windll.dll and then click Find Now.
After the file is found, select it and press Delete.

To edit the registry:
This can be difficult as the Trojan is configured and named by the person using it to access your system. Once you find which value is loading the Trojan, delete that value.

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.

Click Start, and click Run.
Type regedit in the Run box, and click OK. The Registry Editor appears.
Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, look for anything that should not be there--that is, a reference to a program that you do not think should be starting when Windows starts.

NOTE: Values in the \Run keys are only references that cause programs to start when Windows starts. Deleting them does not delete the actual program.
What you do next depends on what you find.
- If you are sure that the reference is to a program that you do not want to run at system startup, delete the value.
- If you are not sure, you can remark it out using the "rem" command. For instructions on how to do this, see the document How to temporarily remove string values from registry run keys when troubleshooting software conflicts.
Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Repeat steps 4 and 5.
Close the Registry Editor, and then restart the computer.

Is Back Orifice a Threat?
Potentially, the tool can be used by an unscrupulous user (the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, and so forth. However, the following are obstacles to the threat:

The server application must be installed on the target computer. This requires the user of the computer to either deliberately install this application or be tricked into doing so.
The attacker must know the IP address of the target computer. Although, the attacker can use the client application to perform a search through a range of IP addresses, this is not feasible if the attacker cannot narrow the range to a small subset because there are four billion possible IP addresses.
A firewall between the target computer and the attacker makes it virtually impossible for the attacker to communicate with the target computer. Most corporations have firewalls in place.
By following safe computing practices, such as not downloading or running applications from unknown sources, users can protect themselves from the potential threat.