Residence Life Network (Resnet) — Back Orifice
 
 

Telcom Customer Service has received some reports of Back Orifice on Resnet users' computers. This page will help those users to remove Back Orifice from their computers.

What is Back Orifice?
Back Orifice is a system administration tool written by a group of programmers called the Cult of the Dead Cow. It is not a virus, but it does pose serious security threats. Back Orifice allows a user to manipulate your machine over the internet. Back Orifice allows a user to access some capabilities of the Windows 95/98 operating system that cannot be accessed by a user sitting at the affected machine.


How do I tell if I have Back Orifice?
The easiest way to be sure that Back Orifice is not on your machine is to avoid downloading files from web sites you feel are untrustworthy, and to avoid running e-mail attachments that come from users you do not know or whose nature you are not certain of. Back Orifice can attach itself to any program or file, or run by itself. It runs and installs using very few system resources. There are a few telltale signs that Back Orifice is installed on your machine. Back Orifice always leaves an entry in the Windows Registry that can be quickly identified. It is in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft...\Windows\CurrentVersion\RunServices
The Windows command Regedit can be used to find and delete this Registry entry; however, Back Orifice simply writes the key back to the Registry each time it is run.

Explorer and File Find can also be used to hunt down Back Orifice. As a first step, look for a file named WINDLL.DLL in the Windows\System directory. Back Orifice uses this file for its keystroke logging. If you delete it, but it reappears when you restart your machine, it is incredibly likely that you have somehow installed Back Orifice on your machine.
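The two checks above can be scripted against a Regedit text export and a listing of the Windows\System directory taken after a restart. The following is an added example, not part of the original page: it assumes the REGEDIT4 export format, and the function names, sample export and sample file list are constructed for illustration.

```python
import re

# The page prints the key with its middle abbreviated ("..."), so match the
# printed start and end instead of assuming the full path.
KEY_START = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT"
KEY_END = "\\WINDOWS\\CURRENTVERSION\\RUNSERVICES"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def _unquote(token):
    """Undo REGEDIT4 string quoting; non-string data (hex:, dword:) is kept raw."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token

def run_services_entries(reg_text):
    """Return {value name: data} for the RunServices key in a Regedit export."""
    entries, wanted = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            wanted = key.startswith(KEY_START) and key.endswith(KEY_END)
        elif wanted:
            m = VALUE_RE.match(line)
            if m:
                name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
                entries[name] = _unquote(m.group(2))
    return entries

def reappearing(deleted, export_after_restart, system_dir_after_restart):
    """Items the user deleted that exist again after a restart."""
    entries = run_services_entries(export_after_restart)
    files = {f.upper() for f in system_dir_after_restart}
    return {
        "registry": sorted(n for n in deleted["registry"] if n in entries),
        "files": sorted(f for f in deleted["files"] if f.upper() in files),
    }

# Constructed sample data (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\EXAMPLE.EXE"
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe /s"
'''
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "windll.dll", "USER32.DLL"]
print(reappearing({"registry": ["(Default)"], "files": ["WINDLL.DLL"]}, SAMPLE_EXPORT, SAMPLE_SYSTEM_DIR))
```

Anything reported under "registry" or "files" was deleted and came back, which is the sign of an active installation described above.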



How can I remove Back Orifice?
Telcom Customer Service recommends the following programs in case of Back Orifice infection.

  • BODetect
      This program will detect all instances of Back Orifice currently running on your systems and kill those processes instantly, without requiring you to reboot. It also removes the Back Orifice entries from your Registry and renames the actual Back Orifice executable to a safe name.
  • Back Orifice Eradicator
      Back Orifice Eradicator removes the Back Orifice program from your system. Click "Memory Scan" to see if Back Orifice is running on your computer. If it is, the server is removed from the registry and stopped.
  • BOshield
      BOshield will detect and remove Back Orifice from your system. It can detect and disable running instances of Back Orifice. It can either rename or delete the file, according to user preference.


What do I do after I remove Back Orifice?
Since Back Orifice can log your keystrokes, it is recommended that you change any passwords you use, even on remote systems.

Unfortunately, since Back Orifice allows total access, any information of a sensitive, personal, or otherwise exploitable nature could have been gained by the intruder. Things commonly searched for when your computer has been broken into are the following:

  • Passwords
  • Credit Card Numbers
  • Banking or Financial Records
  • Communications of a confidential nature
  • Encryption keys


MTU Telecommunications Services

 

Please email the webmaster at tcweb@mtu.edu with questions or comments about this site.
Copyright © 2005. All Rights Reserved. MTU Telecommunications Services
This page was last revised: November 28, 2005

This site was designed and developed courtesy of MTU Alumnus, Viki DeMars '01 (STC)