McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

Back Orifice

This page shows details and results of our analysis on the malware Back Orifice

Threat Detail

Malware Type: Trojan

Malware Sub-type: Remote Access

Discovery Date: 1998-10-15

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4010 (1999-01-27)

Updated DAT

4010 (1999-01-27)

 Minimum Engine

5.1.00

File Length

124,928

Description Added

1998-11-24

Description Modified

2002-10-16

Malware Proliferation

Characteristics

This is a software for remote computer control. It consists of two components - a server program and a client program. There are two types of client - command line driven and GUI. When the server program is run on a Windows95/98 machine, it copies itself to the local disk under the name " .exe" (first character is space, size is 124,928 bytes) and installs a reference to that file in the registry so that it is run every time the machine restarts. The program hides its own presence - it is not visible as a task although it is running permanently in the background awaiting for commands comming from the client through the network. After the server program is installed on a computer, the person controlling the client has remote control over the machine running the server program. This requires both machines to be connected to the Internet. This control includes recording the keystrokes pressed, restarting or hanging the machine, running, accessing, modifying and transferring files. It can also transmit screenshots. The Orifice software is functionally very similar to Netbus software of the same kind. There are also many commercial programs for remote control (like Carbon Copy, SMS, PC-Anywhere) and the only substantial difference is that Orifice software tries to conceal its presence when active. The software also has a program to reconfigure the server application. Filename, TCP/IP port, registry key, password for client-server data exchange and additional DLL can be configured.

Symptoms

Various symptoms including unexplained loss of mouse control, opening/closing of CD-Rom tray, keyboard input, dialogue message boxes popping up with strange query or messages, existence of file " .exe" as mentioned above.

Method of Infection

Running the server component either accidentally or on purpose will directly install the trojan to the local system whereby the next Windows restart will load it into memory.

Removal

Use current engine and DAT files for detection and removal.

Removal requires rebooting to MS-DOS mode to first remove the file from Windows memory before deleting the files detected as the virus, trojan or Internet worm.

Use the command line scanner to detect and remove or delete manually.

If applicable, remove references in WIN.INI and/or SYSTEM.INI and/or registry for final clean-up measures.

Variants

United States - English