How To Find and Remove the Back Orifice Trojan from your computer (1998 version)
Notes on bo2k (BO 2000) (July 1999 and following)
NOTE: This page was cloned (copied) by a cracker recently and placed at
another URL in Geocities, with a TROJAN program falsely labeled as Chris
Benson's BoDetect offered for download! (Fortunately, it appears that very
few people, IF ANY, were fooled by the fake page before Geocities removed it.)
This page will always be located at (sub-dirs created MAR 2001):
< /homestead/Athens/6939/avt/bo/thebop.html >
which is (since YAHOO changed things after buying Geocities) the same as:
< /homestead/thestarman3/avt/bo/thebop.html >
The URL (location) can be verified by checking The Starman's
PGP Public Key entry which
is listed as:
The Starman <www.geocities.com/Athens/6939/Feedback.html>
So, if you see this page in any other location,
please notify The Starman
immediately (AND if the 'fake' page is found at Geocities, then
please inform a Geocities volunteer too so they can remove it quickly).
This page contains:
- What to do if you found the Back Orifice
server on your computer!
- Warnings about using the Back Orifice client
or GUI
(these are the parts of BO that
crackers use).
- Links to other References about BO.
- How to Find and Remove Back Orifice from your
computer.
(Including my own REGCheck
batch file program.)
If you're interested in a program that makes it possible to catch
crackers in the act of "trying to break into" your
computer, you should try out the free
BoSpy program. But let's
make sure your system isn't infected first!
If you were sent to this page by an email
message stating that
someone found "Back Orifice"
(abbrev. BO) on your computer,
be thankful they informed you!
I used to do active BO ping sweeps looking for infected users in order
to warn them; however, there are a number of new
Anti-BO programs that make no distinction between the kind of
BO commands sent to a computer (or just a simple BO-ping
in some cases!) before they grab the BO client user's
IP# and send a complaint to his ISP! IF ALL the wannabe
crackers in the world knew this, that would be a good thing. However, this also means that I can no longer look for BO
infected computers to warn their clueless owners! And there are
still more than enough dumb kids out there who will continue to
hear about BO, and just have to try it despite the
fact that they'll probably get kicked off their ISP!
(The worst thing about this present situation is: Someone might be
observing you right now, but anyone like me who would like to warn you
will NOT take the risk of being kicked off their ISP.)
As is often the case in life, your safety on the Net now depends upon
how wise you are in using your computer! My page about "How To
Keep Viruses and Trojans Out of Your Computer " will help a lot
in keeping your data safe ( take next link: item #1 below ).
Finding and
Removing Back Orifice
Most likely you have
what I am calling here the generic form of the BO program.
This is easy to find on your computer,
if you know what to look for and where!
Checking for the Presence of the generic
BO program
If you are a person who has absolutely no time at all, or you feel
that learning just one more thing about your computer will break
your head, I have good news for you: a Windows program that will
autodetect AND remove BO from your computer. You should proceed
immediately to my page about:
BoDetect
by Chris Benson (CBSoftSolutions).
If you have any questions, you can
write to me using this form.
Before you even begin reading about BO, make sure that
your Windows Explorer's (or My Computer's)
"View > Options..." menu is set as follows:
A. The quick and easy check for the
"generic form" of BO on your computer:
From START, open the "Find"
> "Files or Folders..." dialog window. Make
sure that "Details" is selected from the "View" menu.
Enter WINDLL.DLL exactly as it appears in the "Named:" box in the
pic below, and begin the search ("Find Now"). If the file appears
in the found list area as it does in the pic below (circled in red),
then you definitely have had a BO infection:
If you find windll.dll
on your computer, it may be important to note the
creation date and time.
Right-click on the file name with your
mouse cursor, and choose "Properties" from the menu. Look for
and write down the "Created" date and time. This should
be the actual day and time that BO was last installed on your
computer! This could be a key factor in helping you figure out how it got
there. You may now delete this
file.
If you didn't find this file, does
that mean your computer is BO free? No. This file allows
crackers to record your keyboard strokes, but the main BO executable can
exist without it. You could have a Non-generic form of BO.
You should also note: that different forms of BO
can happily coexist on the same computer; so you could have multiple
forms of the BO infection!
B. Let's see
if we can find the server program itself:
The BO server employs a few tricks in
order to help it remain concealed. One of them keeps it hidden from the
standard Task List. The fact that it has no icon at all makes it
difficult to spot when scrolling through all the files in the WINDOWS\SYSTEM
directory ( its normal location). And it's more difficult to check for this
file using Find/Files because it doesn't have a name that fits the
usual conventions. (See: Notes on the BO Server's
tricky Name Game.)
There are essentially three methods we could use:
1. Tedious time-consuming method: Look all through your SYSTEM
directory for it.
2. Use various type, size and date limits within the FIND/Files
program.
3. Use a simple DOS directory search (DIR command).
The quickest way to
check for the BO server is in a DOS window:
If you've never used a DOS window in
Windows 95/98, you should read this page:
How To Use a DOS Window in
Windows which explains everything about DOS windows.
In order to get into the SYSTEM directory (or folder if you prefer), you
type:
" cd system " (without the
quotes) and press the ENTER key.
Now we're ready to look for the generic form of the BO server.
The server's default filename is " .exe" (a single space followed by
.exe), a long filename that is practically invisible in a directory
listing; in a DOS window it shows up under its 8.3 alias, EXE~1, and
that is the name we search for.
Your DOS prompt should look just
like the one at the bottom of the pic below (C:\WINDOWS\SYSTEM >_ ).
Now type in: DIR EXE~1
[ The symbol (~) between EXE and 1 is a
"tilde" mark. ]
If the data that I've marked in RED is output on
your screen, then you've found the BO trojan on your computer!
The size
and date of the EXE~1 file should be 124,928 bytes and dated Aug 24,
1996. If it isn't, then your computer was probably targeted with more than
the simple generic form already. (NOTE: No other files should
exist with this name. If you know of one that does, please inform me!)
Now let's see if it's running in memory:
At
the DOS prompt, type in: DEL EXE~1
Trying to delete the BO server...
If you see the "Access
denied" output, then you know that the BO trojan is already running in
your computer's memory!
If you were able to delete this file (especially if it was not the
exact size I listed above), please write to me using this form, stating
exactly what happened and the file's size and date as shown in the DIR
listing. (Note that a file deleted with DEL at the DOS prompt does NOT
go to the RECYCLE BIN; it is gone for good, so write down its size and
date from the DIR listing before you delete it.)
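The two file checks above (WINDLL.DLL in section A, and the " .exe" server that DIR lists as EXE~1 in section B) can be scripted. The following Python script is an added example, not the page's own REGCheck batch file and not BoDetect: it scans a directory for both indicators and reports each file's size and creation stamp. So that it runs anywhere, it constructs a fake SYSTEM directory in a temp folder with made-up file contents (only the size constant comes from the page); on a real Windows 95/98 machine you would point scan_system_dir() at C:\WINDOWS\SYSTEM instead. The "is it running" test (DEL returning Access denied) is not reproduced.

```python
"""Scan a Windows 95/98 SYSTEM directory for the 'generic' Back Orifice files.

Added example, not the page's REGCheck batch file or BoDetect.  It automates
the two checks above: WINDLL.DLL (the keystroke log) and the server, whose
real name is " .exe" (a space, then .exe), which DOS lists under its 8.3
alias EXE~1.  build_sample_dir() constructs a fake SYSTEM directory so the
script runs anywhere; the file contents are made up, only the size constant
is from the page.
"""
import os
import tempfile
from datetime import datetime

BO_SERVER_SIZE = 124_928      # size of the generic BO server, as stated on the page
KEYLOG_NAME = "windll.dll"    # BO's keystroke-log DLL


def looks_like_bo_server_name(name):
    """True for a name DOS would list as EXE~1: an all-blank stem plus .exe."""
    stem, ext = os.path.splitext(name)
    return ext.lower() == ".exe" and stem != "" and stem.strip() == ""


def scan_system_dir(path):
    """Return a list of findings (dicts) for the BO indicators present in `path`."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        st = os.stat(full)
        if name.lower() == KEYLOG_NAME:
            # st_ctime is the creation stamp on Windows (the one the page says to
            # record); on Unix it is the inode change time instead.
            findings.append({
                "indicator": "keystroke log",
                "file": name,
                "size": st.st_size,
                "created": datetime.fromtimestamp(st.st_ctime).isoformat(timespec="seconds"),
            })
        elif looks_like_bo_server_name(name):
            findings.append({
                "indicator": "server",
                "file": repr(name),          # repr() makes the leading space visible
                "size": st.st_size,
                "generic": st.st_size == BO_SERVER_SIZE,
            })
    return findings


def build_sample_dir():
    """Construct a throwaway directory holding both indicators plus a harmless decoy."""
    d = tempfile.mkdtemp(prefix="bo_sample_")
    with open(os.path.join(d, " .exe"), "wb") as f:
        f.write(b"\0" * BO_SERVER_SIZE)      # constructed: padding, sized like generic BO
    with open(os.path.join(d, "WINDLL.DLL"), "wb") as f:
        f.write(b"constructed keystroke log\r\n")
    with open(os.path.join(d, "kernel32.dll"), "wb") as f:
        f.write(b"decoy, not an indicator")
    return d


if __name__ == "__main__":
    for hit in scan_system_dir(build_sample_dir()):
        print(hit)
```

The name test is deliberately broader than the literal EXE~1 check: any .exe whose stem is nothing but blanks would get the same kind of short-name alias, which is the trick the page's "Name Game" note is about.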
Why does BO start running every time I turn on my
computer?
When the BOSERVE.EXE trojan program was first
executed on your computer, it placed an entry to itself in your REGISTRY
file! This entry is located in a special key called the
"RunServices" key
(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices),
and Windows 95/98 executes any programs listed there as soon as it has
loaded itself, before anyone even logs on. There are a couple of other
keys like this in the Registry too. You can read more about them here:
Readme file for REGCheck.zip.
If you'd like to see a list of all the programs that are started from your
Registry, you can use a batch file that I made for that. Just click on this
link to download the package:
REGCheck.zip (only 7kb!)
This file comes with complete instructions (see the text file above) on how to
detect BO on your computer, and being only 7 kb makes it easy to
email to your friends.
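The following Python script is an added example, not the REGCheck batch file itself: it does the same job offline by parsing a text export of the kind REGEDIT /E produces (REGEDIT4 format) and listing every string value under the four auto-start keys (Run, RunOnce, RunServices, RunServicesOnce), then flagging any program whose name has a blank stem, the " .exe" trick described above. The export it parses is constructed; the key BO writes to (RunServices) is from the page, but the value name shown for BO's entry is an assumption.

```python
"""List programs auto-started from the Windows 95/98 Registry's Run* keys.

Added example, not the page's REGCheck batch file.  It parses a REGEDIT4
text export (what REGEDIT /E writes) rather than the live Registry, so it
runs on any machine.  SAMPLE_EXPORT below is constructed; the BO value name
in it is an assumption, only the RunServices key comes from the page.
"""
import re

RUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")
CURRENT_VERSION = r"\software\microsoft\windows\currentversion"

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
" .exe"=" .exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Not an autostart"
'''

# "name"="data" or @="data"; REGEDIT4 escapes backslash and quote with a backslash.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unquote(token):
    """Turn a REGEDIT4 string token back into plain text."""
    if token == "@":
        return "(Default)"
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def autostart_entries(reg_text):
    """Return [(key_leaf, value_name, data)] for string values under Run* keys."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            is_run = leaf.lower() in RUN_KEYS and parent.lower().endswith(CURRENT_VERSION)
            current = leaf if is_run else None
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:                                 # binary/dword values are skipped
            entries.append((current, _unquote(m.group(1)), _unquote(m.group(2))))
    return entries


def program_name(data):
    """Path of the program in an autostart value, with any arguments dropped."""
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def suspicious(entries):
    """Entries whose program has an all-blank stem, e.g. ' .exe' (DOS alias EXE~1)."""
    flagged = []
    for key, name, data in entries:
        base = program_name(data).rpartition("\\")[2]
        if base.lower().endswith(".exe") and base[:-4].strip() == "":
            flagged.append((key, name, data))
    return flagged


if __name__ == "__main__":
    found = autostart_entries(SAMPLE_EXPORT)
    for key, name, data in found:
        print(f"{key:16} {name!r:18} -> {data!r}")
    for key, name, data in suspicious(found):
        print(f"SUSPICIOUS: {key} value {name!r} runs {data!r}")
```

On a real machine you would run REGEDIT /E export.reg from a DOS window, then feed the file's contents to autostart_entries(); entries under HKEY_CURRENT_USER's Run keys are picked up as well, since the parent-key test only looks at the CurrentVersion path.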
If you visit a friend in person to check for BO on their computer, you
should also take a copy of BoDetect with you
in order to eliminate BO immediately.
I may add instructions here in the future describing how to remove BO
on your own [But this would require editing the REGISTRY file and
REBOOTING your computer].
Therefore, I recommend that you
download and use:
Chris Benson's BO Removal Program.
For those of you who are very technically oriented and interested in
seeing some of the actual client/server protocols of the Back Orifice
trojan, or, better yet, if you are a network programmer interested
in using this data to trace those using the BO client, I've added
this page about the BO Client/Server Protocols.
____________________
* Technically, the BO program might be called a
remote client/server utility, but no one in his right
mind would ever leave the "generic form" of a
stealth program running on a computer unless
he was just plain ignorant, or
intended to do something devious with it!
As an aid to computer
consultants, this could have been a very handy tool
[in a different form], but the
fact that BO's password capabilities and its encrypted UDP transmissions
have already been cracked, makes it very dangerous to use. Even the client part of BO was found on occasion to
be sending data back to its makers (see "pchelp's"
website from my BO References page).
So beware all you cracker wannabees!
(Conclusion: BO
is not safe to use
for any valid purpose.)
There's really only one use for BO (and why it's being given away
for free): to make it easy for all those (kids?) experimenting with
invading other people's privacy to do the
"dirty work" of its creators as they spread BO onto computers
of unwary Windows 95/98 users. BO comes from a group (the cDc) that
says they are disgusted with the lack of security in these MS operating
systems, and that's why they wrote it. So, every time a twisted mind
trashes a computer or steals
information using BO, that message (among others!) is
being spread.
WARNING!
Many computers now run programs that
will log pings on their Internet ports
and record both the time and the IP Address they came from.
If you use the client part of Back Orifice to
search for BO servers, you may be subject to
immediate removal from your ISP for such activity! You have been
warned.