Virus Profile: Back Orifice 2000

Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/13/1999
Date Added: 7/15/1999
Origin: Pro-hacker Website
Length: Variable
Type: Trojan
Subtype: Remote Access
DAT Required: 4038
Removal Instructions


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Windows 9x Systems:

By default, the file UMGR32~1.EXE (DOS 8.3 name) is written to the "c:\windows\system" folder. The registry is modified in the following location


(Note: the actual file name does not have a .EXE extension; it is .EXE followed by 230 spaces and then the letter 'e'.)

Windows NT Systems:

By default, the file UMGR32~1.EXE (DOS 8.3 name) is written to the "c:\winnt\system32" folder. The registry is modified in the following location:

HKLM\SYSTEM\ControlSet001\Services\Remote Administration Service
"ImagePath"="C:\WINNT\System32\UMGR32.EXE e"
"DisplayName"="Remote Administration Service"

HKLM\SYSTEM\ControlSet001\Services\Remote Administration Service\Security
"Security"= (a long string of hex digits)

HKLM\SYSTEM\ControlSet001\Services\Remote Administration Service\Enum

On the next reboot, the following registry keys are modified by the loaded Bo2K service:

HKLM\SYSTEM\CurrentControlSet\Services\Remote Administration Service
"ImagePath"="C:\WINNT\System32\UMGR32.EXE e"
"DisplayName"="Remote Administration Service"
HKLM\SYSTEM\CurrentControlSet\Services\Remote Administration Service
"Security"= (a long string of hex digits)

HKLM\SYSTEM\CurrentControlSet\Services\Remote Administration Service

Methods of Infection

Running the trojan either manually or accidentally will allow it to install locally to the system.

If the server component is run, it performs the following functions against the machine:

  • Runs at Windows startup
  • Opens a port that is reachable over an Internet connection
  • Runs in stealth mode; it is not listed in the task list in Windows 9x and NT



Virus Characteristics

This page last modified February 3, 2000.

Back Orifice 2000 allows hackers to take control of a person's PC over the Internet, but only if the victim has been tricked into installing the Back Orifice software on the local machine. It operates as a remote access trojan, or RAT.

Systems Tested:
Bo2K Server - Windows 95 v4.00.950, 4.00.950C and Windows 98 v4.10.1998, v4.10.2222A

Bo2K Client:
Windows 95 v4.00.950 C, Windows 98 v4.10.1998 and v4.10.2222A

Back Orifice 2000 was released as Bo2KUS.ZIP with the following binaries:

Bo2k.exe - 136kb, BO2K server component
Bo2kcfg.exe - 216kb, BO2K configuration tool
Bo2kgui.exe - 568kb, BO2K client component
Bo3des.dll - 24kb, plugin - triple DES module
Bo_peep.dll - 52kb, plugin - remote console manager

Client Component:
BO2KGUI.EXE is the client component. When you run it, you will notice that it immediately differs from the previous version of Back Orifice in its use of a "workspace". Multiple workspaces can be opened for manipulating systems running the BO2K server. The client allows the following operations on the remote system:

  • Ping remote system
  • Query remote system Back Orifice 2000 server version
  • Reboot or lock-up remote system
  • List cached passwords on remote system
  • Query system information about remote system
  • Capture keystrokes on the remote system to a file, and then view or delete the file
  • Pop up a system message box on the remote system with any title and message
  • Map TCP ports to various other services (i.e., HTTP file server)
  • Manipulate Microsoft Networking shared drives (list, delete, create) on remote system
  • List, create and delete processes on remote system
  • Complete manipulation of the registry on the remote system
  • List video capture devices on remote system and capture either a single frame or AVI movie from these devices
  • Play sounds, either single or in a repeating loop
  • Complete manipulation of files on remote system (copy, delete, rename, transfer to/from client, etc)
  • Compress and expand files on remote system
  • Use DNS services on remote system to resolve hostnames and addresses
  • Stop and start server on remote system
  • Load and unload plugins (both new and old legacy) in server on remote system.

    Plugin Components:
    Two plugin files BO3DES.DLL and BO_PEEP.DLL are provided with Back Orifice 2000. BO3DES.DLL is suggested to be a triple DES module for encryption while BO_PEEP.DLL is listed as a remote console manager. Bo2K also supports old plugins written for the previous version of Back Orifice.

    Server Configuration Utility:

    BO2K comes with a configuration program called BO2KCFG.EXE. This program configures the server component, which is named BO2K.EXE by default. The plugins and the UDP and TCP/IP port usage are configurable. The following settings can be configured:

  • Network type, choices either TCP/IP or UDP
  • Port number, choices between 1 and 65535 (Default UDP port number of 54321, default TCP/IP port 0)
  • Encryption of packet type, choices either XOR or 3DES
  • Password for server connection

    After the server is configured, the configuration utility can modify additional items of the server component, such as:

  • Run at startup, choices either yes/no
  • Delete original file, choices either yes/no
  • Runtime pathname, default is "UMGR32.EXE"
  • Hide process, choices either yes/no
  • Host process name, default is "EXPLORER"
  • Service Name in Windows NT, default is "Remote Administration Service"

    Detection requires scanning ALL files due to the 'invalid' filename used.
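
    The padded file name described above slips past scans that select files by extension, because the name does not actually end in .EXE. The following Python check is an added example, not part of the original profile and not the vendor's detection logic: it flags file names and service ImagePath values in which an executable extension is followed by a run of whitespace. The function names, the extension list, the threshold and the sample data are assumptions made for illustration, and the sample assumes the ImagePath carries the same padded name.

```python
import re
from ntpath import basename  # Windows path rules, usable on any host OS

# Assumption: extensions worth checking; the page itself only names .EXE.
EXT_THEN_PAD = re.compile(r"\.(?:exe|dll|scr)(\s+)", re.IGNORECASE)
# Assumption: a single space before service arguments is normal, so only
# long runs of whitespace in an ImagePath are reported.
MIN_IMAGEPATH_PAD = 8


def pad_length(text):
    """Longest whitespace run that directly follows an executable extension."""
    return max((len(m.group(1)) for m in EXT_THEN_PAD.finditer(text)), default=0)


def suspicious_files(paths):
    """Paths whose file name continues after '<name>.EXE' plus whitespace."""
    return [p for p in paths if pad_length(basename(p)) > 0]


def suspicious_services(services):
    """(service name, pad length) for ImagePath values padded past the threshold."""
    return [(name, pad_length(image)) for name, image in services.items()
            if pad_length(image) >= MIN_IMAGEPATH_PAD]


# Constructed sample data. The padded name follows the page's description:
# ".EXE", then 230 spaces, then the letter 'e'.
PADDED = "UMGR32.EXE" + " " * 230 + "e"
SAMPLE_FILES = [
    r"C:\WINNT\System32\notepad.exe",
    r"C:\WINNT\System32\My Report.exe",   # space inside the stem is harmless
    "C:\\WINNT\\System32\\" + PADDED,
]
SAMPLE_SERVICES = {
    "Spooler": r"C:\WINNT\System32\spoolss.exe",
    "Hypothetical Service": r"C:\WINNT\System32\svc.exe -k group",
    "Remote Administration Service": "C:\\WINNT\\System32\\" + PADDED,
}

if __name__ == "__main__":
    for path in suspicious_files(SAMPLE_FILES):
        print("file:", repr(basename(path)))
    for name, pad in suspicious_services(SAMPLE_SERVICES):
        print("service:", name, "pad:", pad)
```

    Because the runtime pathname and service name are configurable, the check keys on the padding pattern rather than on the default names.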

    Stealth Process Info: Under Windows NT the server attempts to hide its process by expanding the memory allocated to an existing thread, copying itself into this memory, and then creating a remote thread that runs in the process space of the first existing thread. The original program then terminates and its process disappears from memory.

    Under Windows 9x the server uses a different technique to hide itself from prying eyes. It patches the operating system kernel so that any calls to the operating system functions that list the currently running processes are passed to the server process instead of the operating system. These new functions in the server module skip over the server's own process, effectively hiding it. The current 1.0 version of the Back Orifice 2000 server seems to have a bug that prevents this second mechanism from working under Windows 98 Second Edition v4.10.2222 A. When run under this operating system, the server program causes 'illegal operation' errors and does not go resident. It does, however, copy the file to WINDOWS\SYSTEM\UMGR32.EXE and install the registry hook to run the server at system startup (if configured to do so); this results in an error message every time the system is restarted.

    Users not using the VirusScan 4.0.25 engine can defeat the trojan manually by scanning ALL files in MS-DOS mode. Another method is to boot Windows 9x in Safe Mode, remove the registry key, restart Windows, and then delete the file UMGR32~1.EXE in a DOS shell.

    Use current engine and DAT files for detection and removal.

    Removal requires rebooting to MS-DOS mode to first remove the file from Windows memory before deleting the files detected as the virus, trojan or Internet worm.

    Use the command line scanner to detect and remove or delete manually.

    If applicable, remove references in WIN.INI and/or SYSTEM.INI and/or registry for final clean-up measures.

