Uninstalling BackOrifice
(Charming logo, isn't it?)
Never heard of BackOrifice? Let me enlighten you: BackOrifice is a relatively new utility released by the Cult of the Dead Cow, a group that hackers and would-be hackers should be very familiar with. What does it do? Would it frighten you to know that I could open a DOS session on your Windows computer without your knowledge and run any command you can? Or that I could lock your computer solid, forcing you to reboot? Or even reboot the computer for you?
I thought it might. The good news is, in order for me to do this, I have to somehow install the BackOrifice server on your machine. This isn't easy... but it's easier than you think. Not two weeks ago, there was a vulnerability found in the three most popular e-mail clients (Exchange, Outlook, and Eudora) which could be used to do it. It's not the only method. It's not even the easiest method. And there are more methods being discovered right now, faster than you could ever hope to repair them. And ask yourself this: have you repaired that e-mail problem yet?
Someone out there is thinking "Ha, BackOrifice is a Win95/98 program, and I use NT!" Well, BackOrifice works on NT just fine. It just doesn't have any more access to the machine than you do. And most people I know who use NT log on with local administrative privileges. That makes your system just as vulnerable as any Win95 machine. Sorry. Although you might note that a few simple changes in how you use your machine will make you a good deal less vulnerable to BO than most people. But not safe, by any stretch of the imagination. (Especially since development on the NT version is already underway.)
Okay, so BackOrifice makes us all nervous. Especially those of us who don't know how to get rid of it. Here's the scoop. Whether you think someone may have put it on your system, or know someone has put it on your system, or put it on your system yourself and now suddenly realise that you have no clue how to get rid of it -- I don't care. And you probably don't either. You just want it gone.
So let's concentrate on seeing whether it's installed and getting it out of there.
Load up the Windows Explorer. Go to the Windows directory. View the files in this directory, and find the program regedit.exe there. Double-click it.
This is the registry editor. The registry editor is a tool with two basic rules: First, look all you want; that can't hurt anything. Second, don't change anything unless you're SURE you know what you're about. It is very possible to destroy your entire Windows installation if you do the wrong thing in here. However, this is the only place to get BackOrifice off your system. It all works like the Windows Explorer, which you already understand quite well. So follow this path, exactly, to get down to the right area:
You'll notice down in the bottom of the screen, it lists the path you took to get here. If you followed the directions, it should be identical to the status bar image below:
If you do any serious work on your system, you probably have a few other things in there, like at the very least a virus scanner (you DO scan for viruses every time you boot, right?) and in all likelihood some sort of graphics adapter control panel... especially if you have a 3D accelerator. I've removed them from the image above, because if it hasn't occurred to you yet, knowing what you run in here normally is very valuable information to the potential BO user.
This is where BackOrifice hides. See the " .exe" entry up there? (Yes, that's space-dot-E-X-E.) That's what runs the BackOrifice server. It does NOT have to end in ".exe" -- the BackOrifice server can be installed under ANY name. I've installed it with no extension at all and with the .xxx extension... it still runs, no problem.
Now go to the System folder and sort the files by size (from the View menu, select Details, and then click on the heading that says "Size" in the file list). Scroll around until you have all the files that are around 120K to 125K in the window. These are the likely candidates to be BackOrifice.
One of these files is probably in your RunServices folder in the registry, if BackOrifice is running on your system. So if you don't want it to run, delete that value by highlighting it -- just like a file in the explorer -- and hitting the "Del" key. You'll get a confirmation dialog, hit "OK", and then it will be gone. If none of them are in there, you MIGHT be able to rest easy.
Might is the operative word, unfortunately. If worst comes to worst, you won't be able to locate it.
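If you would rather not eyeball the registry and the file list by hand, the same two checks from the steps above (odd-looking values under the RunServices key, and files in the System folder of roughly BackOrifice's size) can be scripted. The following is an added example written for this page, not something from the original article or from cDc: it assumes you have exported the RunServices key to a .reg text file with regedit's export function (the key's well-known location under HKEY_LOCAL_MACHINE is given in the script), and that you have a listing of file names and sizes from the System folder. Both inputs below are constructed sample data, and the " .exe" and "hlpr" entries are made up to show what gets flagged.

```python
import re

# The key the registry walk in the article ends at (well-known Windows 9x autostart key).
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample of a REGEDIT4 export of that key: one genuine-looking entry,
# the " .exe" entry the article describes, and one made-up extensionless entry.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
"Helper"="C:\\WINDOWS\\SYSTEM\\hlpr"
'''

# Constructed sample listing of the System folder as (file name, size in bytes).
SAMPLE_SYSTEM_LISTING = [
    ("kernel32.dll", 446464),
    ("scanregw.exe", 81920),
    (" .exe", 124928),
    ("hlpr", 123392),
    ("vid3dcpl.exe", 90112),
]

KNOWN_EXTENSIONS = {".exe", ".com", ".bat", ".scr"}
# A .reg string value line looks like  "name"="data"  with \\ and \" escapes inside.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def suspicious_reasons(name, data):
    """Heuristics from the article: a value name that is blank or padded with
    whitespace, and a file name with no, an odd, or only an extension."""
    reasons = []
    if not name.strip() or name != name.strip():
        reasons.append("value name is blank or padded with whitespace")
    exe = data.split(" /", 1)[0].strip().strip('"')  # drop command-line switches
    base = exe.rsplit("\\", 1)[-1]                    # file name without the directory
    stem, dot, ext = base.rpartition(".")
    if not dot:
        reasons.append(f"no extension on {base!r}")
    else:
        if "." + ext.lower() not in KNOWN_EXTENSIONS:
            reasons.append(f"unusual extension on {base!r}")
        if not stem.strip():
            reasons.append(f"file name is only an extension: {base!r}")
    return base, reasons


def flag_autostart(reg_text, key=RUNSERVICES_KEY):
    """Map each suspicious value name under `key` to (file name, reasons)."""
    flagged = {}
    for name, data in parse_reg_export(reg_text).get(key, {}).items():
        base, reasons = suspicious_reasons(name, data)
        if reasons:
            flagged[name] = (base, reasons)
    return flagged


def size_candidates(listing, low_kb=120, high_kb=125):
    """File names whose size falls in the article's 120K-125K window.
    As the article warns, a padded executable will not show up here."""
    return sorted(name for name, size in listing
                  if low_kb * 1024 <= size <= high_kb * 1024)


def review(reg_text, listing):
    """File names that are both in the size window and started from RunServices."""
    by_size = set(size_candidates(listing))
    return sorted(base for base, _ in flag_autostart(reg_text).values() if base in by_size)


if __name__ == "__main__":
    for name, (base, reasons) in flag_autostart(SAMPLE_REG_EXPORT).items():
        print(f"RunServices value {name!r} -> {base!r}: {'; '.join(reasons)}")
    print("size candidates:", size_candidates(SAMPLE_SYSTEM_LISTING))
    print("both:", review(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_LISTING))
```

The script only reports; it never deletes anything, so the decision to remove a value stays with you, exactly as in the manual steps. Anything it flags still deserves the same scrutiny as a value you found by eye, and anything it does not flag is not proof of a clean machine, for the reasons the article gives next.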
Here's the good news: the people using BackOrifice are lazy. They think using BO will make them elite hackers (excuse me, I mean "31337 hax0rs"). The vast majority of them will not use the nastier methods of concealment that can be employed, because it's too much trouble. So you can quite probably relax if there's no 122K service loaded when you boot the machine. No serious hacker would stoop to using a prepackaged tool. Padding the executable to a different size won't occur to eighty percent of the people who use it. The other twenty percent just won't bother. (Not that padding the executable is all you need to do, but come on, if padding the executable is too much trouble... then hacking just isn't in your future.)
I can't make everything safe. But hopefully, after reading this... you're safer than you were before. Microsoft has said repeatedly that the best thing we can do to make the internet safe is to educate the users, so if you would... spread the word. The important thing is to get the knowledge out there where it can help people.
BackOrifice is far too easy to remove from the machine to be a serious attempt to breach security. If you think the Cult of the Dead Cow is some sort of subversive terrorist group, I can assure you that anyone who can write this program could have done a MUCH better job of hiding it. BackOrifice is designed to be exactly what they say it is -- a statement. "Your computer is not secure," they're saying. They want Microsoft to do something about this. But why take my word for it? Go see the Cult of the Dead Cow web site. Get the rationale straight from the horse's mouth. (Be sure to see their response to Microsoft.) There are very few organisations that I trust. The Cult of the Dead Cow is one of them. I've followed cDc for many, many years.
Feel free to link to this page. And if you've been helped here, or by any of the white papers I've posted, do me the favor of helping the next person you can. If somebody has a problem and you can fix it, please, do so. Post a message somewhere, a newsgroup, a mailing list, do a web page on it. Help people. We all need some help now and then. Maybe if we start handing it out more, we could expect to get it more readily, too.