Everhart, Glenn

From: James Strompolis [jimst@ENTERACT.COM]
Sent: Wednesday, August 05, 1998 3:34 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: How to find and get rid of Back Orifice

Though not specific to NT security, there has been much talk about Back Orifice lately. I've played around with it a bit and here is a way to find it and get rid of it.

Default installation:

- Installs a 122k - 123k file called " .exe" in c:\windows\system with a modified date of 7/11/95.
- Changes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default from blank to " .exe".
- Transmits data on UDP Port 31337 - it's in the readme.

An attacker can modify these defaults to be anything they like, but if you check the registry entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices and find one you are not familiar with (not the task scheduler, not a virus scanner, etc.) that runs a 122k - 123k file (it does not have to be an exe) from your c:\windows\system folder, it might be worth investigating further. The file could probably be padded to be a different size, or the code could be modified to mutate its size to help hide it.

There was some speculation in some of the media reports that a virus detection program might be able to detect the program in action. Network Associates McAfee Virus Scan did not set off any alarms. Maybe another virus scanner will view the program's actions as suspicious?

Unless there are hidden "features" (still letting it run behind a firewall logging all traffic on the Back Orifice machine as a test to see if there is more to it), it is just a useful remote admin tool in a semi-GUI box that can be custom packaged to take advantage of existing Win9x security flaws.

Let me know if you've found more.

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com
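The check the post describes (walk the RunServices key, ignore the entries you recognise, and look closer at anything unfamiliar that runs a 122-123k file from c:\windows\system, keeping in mind that the name " .exe" is blank apart from its extension), written out as an added example. This is not code from the original post or from its author; it parses a constructed REGEDIT4 export of the RunServices key rather than the live registry, uses a constructed table of file sizes in place of a directory listing, and assumes a hypothetical allowlist of known-good programs. It also assumes a bare file name in a RunServices value is found in the system folder, which is where the post says the default install puts it.

```python
import re
from typing import Dict, List

# Constructed sample (hypothetical data, not taken from the original post): a
# REGEDIT4 export of the RunServices key on a Win98 box with the default BO install.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"SchedulingAgent"="mstask.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"McAfeeVShield"="C:\\PROGRA~1\\NETWOR~1\\MCAFEE~1\\VSHWIN32.EXE"
'''

# Constructed stand-in for a directory listing (hypothetical sizes): path -> bytes.
SAMPLE_FILE_SIZES = {
    r"c:\windows\system\ .exe": 124928,        # Explorer shows this as 122 KB
    r"c:\windows\system\mstask.exe": 118784,
    r"c:\windows\system\rundll32.exe": 24576,
    r"c:\progra~1\networ~1\mcafee~1\vshwin32.exe": 213504,
}

SYSTEM_DIR = r"c:\windows\system"
KNOWN_GOOD = {"mstask.exe", "vshwin32.exe"}   # hypothetical allowlist: scheduler, AV

# "name"="value" or @="value" lines of a .reg file; backslashes and quotes are escaped.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
# First token of a command line that looks like a program; the lazy match keeps a
# leading space, so " .exe" survives intact instead of being split away.
_EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|bat|pif))(?=\s|$)', re.IGNORECASE)


def displayed_kb(size_bytes: int) -> int:
    """Size the way Explorer shows it: kilobytes rounded up."""
    return -(-size_bytes // 1024)


def parse_runservices(reg_text: str, key_name: str = "RunServices") -> List[Dict[str, str]]:
    """Return the (name, command) values found under the named key in a .reg export."""
    entries, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].rsplit("\\", 1)[-1].lower() == key_name.lower()
            continue
        if not in_key or not line:
            continue
        m = _VALUE_RE.match(line)
        if m:
            name = "(Default)" if m.group(1) is None else m.group(1)
            command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append({"name": name, "command": command})
    return entries


def executable_from_command(command: str) -> str:
    """Pull the program out of a RunServices command line; fall back to the whole value
    (the post notes the file does not have to be an exe)."""
    m = _EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def resolve_path(command: str, system_dir: str = SYSTEM_DIR) -> str:
    """Bare names are assumed to live in the system folder (assumption from the post)."""
    exe = executable_from_command(command)
    if "\\" not in exe and ":" not in exe:
        exe = system_dir + "\\" + exe
    return exe.lower()


def audit_runservices(reg_text: str, file_sizes: Dict[str, int],
                      known_good=KNOWN_GOOD, system_dir: str = SYSTEM_DIR) -> List[dict]:
    """Score each RunServices entry; unknown entries with a blank name or a 122-123 KB
    file are flagged, the system-folder location alone is only noted."""
    results = []
    for entry in parse_runservices(reg_text):
        path = resolve_path(entry["command"], system_dir)
        base = path.rsplit("\\", 1)[-1]
        if base in known_good:
            results.append({**entry, "path": path, "indicators": [], "flagged": False})
            continue
        indicators = ["not on allowlist"]
        if base.rsplit(".", 1)[0].strip() == "":
            indicators.append("blank file name before extension")
        if path.startswith(system_dir.lower() + "\\"):
            indicators.append("runs from the system folder")
        size = file_sizes.get(path)
        if size is not None and displayed_kb(size) in (122, 123):
            indicators.append(f"size {displayed_kb(size)} KB matches the BO default")
        strong = any(i.startswith(("blank", "size")) for i in indicators)
        results.append({**entry, "path": path, "indicators": indicators, "flagged": strong})
    return results


def flagged_entries(reg_text: str = SAMPLE_REG_EXPORT, file_sizes=SAMPLE_FILE_SIZES) -> List[dict]:
    return [r for r in audit_runservices(reg_text, file_sizes) if r["flagged"]]


if __name__ == "__main__":
    for r in audit_runservices(SAMPLE_REG_EXPORT, SAMPLE_FILE_SIZES):
        tag = "SUSPECT" if r["flagged"] else "ok     "
        print(f'{tag} {r["name"]!r:20} -> {r["path"]!r}  {"; ".join(r["indicators"])}')
```

On the constructed sample only the default value is flagged: it is unknown, its name is blank before ".exe", it sits in the system folder and displays as 122 KB. The unlisted Rundll32 entry is reported but not flagged, since location alone is a weak signal; as the post says, the size and name can be changed, so treat the size band as a hint, not a signature.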