Virus Profile: Back Orifice

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/15/1998
Date Added: 11/24/1998
Origin: Pro-hacker Website
Length: 124,928
Type: Trojan
Subtype: Remote Access
DAT Required: 4010

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Various symptoms, including unexplained loss of mouse control, opening/closing of the CD-ROM tray, unexpected keyboard input, dialogue boxes popping up with strange queries or messages, and the existence of the file " .exe" (first character a space) described under Virus Characteristics.

Methods of Infection

Running the server component, either accidentally or on purpose, installs the trojan directly on the local system; the next Windows restart then loads it into memory.

Aliases

Backdoor-N, Netspy, Orifice, Orifice.cli, Orifice.srv, Orifice.svr

Virus Characteristics

This is software for remote computer control. It consists of two components: a server program and a client program. There are two types of client, command-line driven and GUI. When the server program is run on a Windows 95/98 machine, it copies itself to the local disk under the name " .exe" (the first character is a space; size 124,928 bytes) and installs a reference to that file in the registry so that it is run every time the machine restarts. The program hides its own presence: it is not visible as a task, although it runs permanently in the background awaiting commands coming from the client over the network.

After the server program is installed on a computer, the person controlling the client has remote control over the machine running the server program. This requires both machines to be connected to the Internet. This control includes recording keystrokes, restarting or hanging the machine, and running, accessing, modifying and transferring files. It can also transmit screenshots.

The Orifice software is functionally very similar to the Netbus software of the same kind. There are also many commercial programs for remote control (such as Carbon Copy, SMS and PC-Anywhere); the only substantial difference is that the Orifice software tries to conceal its presence when active. The software also includes a program to reconfigure the server application: the filename, TCP/IP port, registry key, password for client-server data exchange and an additional DLL can be configured.
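The two host indicators this profile gives, an autostart registry reference to a whitespace-named executable and a file of 124,928 bytes, can be checked mechanically. The following is an added example, not part of the original profile: it scans a constructed .reg-style export of the Run/RunServices keys (all key and value data are made up) and, since the configurator can rename the server, flags any .exe whose name stem is only whitespace rather than just the default " .exe".

```python
"""Added example (not part of the original profile): flag autostart entries
that launch a whitespace-named executable (Back Orifice's default " .exe")
and files of the documented size. Input is a constructed .reg-style export."""
import re

BO_FILE_SIZE = 124_928                                   # length given in the profile
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")             # [HKEY_...\Run]
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')  # "Name"="data"
_AUTOSTART_RE = re.compile(r"\\Run(Services)?(Once)?$", re.IGNORECASE)
Finding = tuple[str, str, str]                           # (key, value name, command)

# Constructed sample export: two planted indicators among benign-looking entries.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Loader"="  .EXE"
'''

def executable_name(command: str) -> str:
    """Bare file name an autostart command launches; a leading space survives."""
    path = command.rstrip().strip('"')
    tail = path.rsplit("\\", 1)[-1]                       # drop the directory part
    m = re.match(r"(.*?\.exe)", tail, re.IGNORECASE)      # drop any arguments
    return m.group(1) if m else tail

def is_whitespace_named(name: str) -> bool:
    """True for " .exe" and any .exe whose stem is only whitespace."""
    stem, dot, ext = name.rpartition(".")
    return dot == "." and ext.lower() == "exe" and stem != "" and not stem.strip()

def scan_reg_export(text: str) -> list[Finding]:
    """Report Run/RunServices(/Once) values that launch a whitespace-named .exe."""
    findings, key = [], ""
    for line in (ln.strip() for ln in text.splitlines()):
        if (k := _KEY_RE.match(line)):
            key = k.group("key")
        elif (v := _VALUE_RE.match(line)) and _AUTOSTART_RE.search(key):
            command = v.group("data").replace("\\\\", "\\")   # undo .reg escaping
            if is_whitespace_named(executable_name(command)):
                findings.append((key, v.group("name"), command))
    return findings

def scan_listing(entries: list[tuple[str, int]]) -> list[str]:
    """Constructed (name, size) listing: names matching both documented indicators."""
    return [n for n, s in entries if is_whitespace_named(n) and s == BO_FILE_SIZE]

if __name__ == "__main__":
    for key, name, cmd in scan_reg_export(SAMPLE_REG):
        print(f"{key}\n  {name!r} -> {cmd!r}")
```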

Removal Instructions

Use current engine and DAT files for detection and removal.

Removal requires rebooting to MS-DOS mode to first remove the file from Windows memory before deleting the files detected as the virus, trojan or Internet worm.

Use the command line scanner to detect and remove or delete manually.

If applicable, remove references in WIN.INI and/or SYSTEM.INI and/or registry for final clean-up measures.