Back Orifice Detection and Removal

What's worse than a virus on your system? A program that gives control of your computer to someone connecting to it through the Internet.

By now you've probably heard of the infamous program "Back Orifice" developed by a group of hackers called the Cult of the Dead Cow (CDC). They've produced a program that "is a remote administration system which allows a user to control a Win95 machine over a network using a simple console or GUI application. On a local LAN or across the internet, BO gives its user more control of the remote Windows system than the person at the keyboard of that machine."

However, this program must be installed on your computer for this to actually work. The most common ways are downloading unknown programs from untrusted web sites (especially "warez" pages), running email attachments from people you don't know, or by using IRC. Basically, you can get this program the same way you might get a virus.

Manual Method of Deletion for Back Orifice

Here's a manual method of detection and removal of the Back Orifice program from your Win95 or Win98 machine.

The program installs itself (unless otherwise defined by the person who installed it) as .exe (space dot exe), or unnamed. Usually, it will locate itself in the C:\Windows\System directory. It will show up as a blank spot if viewing the files on your C: drive in Windows Explorer. Click on View> Options (or Folder Options using IE 4.X) and make sure that Show All Files is checked and that Show Extensions for Known File Types is also enabled.

The catch is that you will not be able to delete the program if the system is running, because the program is designed to run at boot-up. To get around this, you will need to delete the program's reference in the system Registry.

Note: Once you have successfully removed this program, it would be very wise to change your internet password, your bank codes, and anything else that is laying around on your computer, as it is very possible for the hacker to have taken these!

Warning:

IF YOU DO NOT KNOW WHAT THE REGISTRY IS, OR YOU ARE UNCOMFORTABLE EDITING THE REGISTRY, FIND SOMEONE WHO KNOWS WHAT THEY ARE DOING TO HELP YOU!!! CORRUPTING THE REGISTRY CAN REQUIRE A REINSTALL OF WINDOWS!

In the Registry, left-hand window:

The key value for the boserve.exe program will appear in the right-hand side. Delete the entry for ( .exe).

Reboot your system. You can now delete the unnamed executable from the c:\windows\system directory.

This will not fix every installation of the boserve.exe program because it can be renamed by the person who installed it on your system or placed in a different directory. This will work only on installations which were done with no customization to the program.
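The manual procedure above, as an added example that is not part of the original article and is not BoDetect's code: a Python script that parses a constructed REGEDIT4 export for autostart values running a blank-named program (" .exe" or ".exe") and quarantines matching files by renaming them, BoDetect-style, rather than deleting them outright. The registry key, value names and file names in the sample are assumptions, and, like the manual method, it only catches installs that kept the default blank name.

```python
import os
import re
import tempfile
# Constructed REGEDIT4 export (sample data, not from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="SysTray.Exe"
@=" .exe"
"Updater"="C:\\WINDOWS\\SYSTEM\\.exe"
'''
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)="(?P<data>.*)"$')

def has_blank_basename(command: str) -> bool:
    """True if the name before the extension is empty or spaces: ' .exe', '.exe'."""
    leaf = re.split(r'[\\/]', command.strip().strip('"'))[-1]
    stem, dot, _ext = leaf.rpartition('.')
    return bool(dot) and stem.strip() == ''

def suspicious_autostart_entries(reg_text: str) -> list:
    """(key, value name, command) for every .reg value that runs a blank-named file."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]  # current key; any autostart key is worth checking
            continue
        m = VALUE_RE.match(line)
        if m and key:
            command = m.group('data').replace('\\\\', '\\')  # undo .reg escaping
            if has_blank_basename(command):
                hits.append((key, m.group('name') or '(Default)', command))
    return hits

def quarantine_blank_named_files(directory: str) -> list:
    """Rename blank-named files to SUSPECT<n>.BOD (BoDetect-style) for manual review."""
    renamed = []
    for name in sorted(os.listdir(directory)):
        if has_blank_basename(name):
            target = f'SUSPECT{len(renamed) + 1}.BOD'
            os.rename(os.path.join(directory, name), os.path.join(directory, target))
            renamed.append(target)
    return renamed

def demo_quarantine() -> tuple:
    """Run the quarantine on a scratch directory standing in for C:\\Windows\\System."""
    with tempfile.TemporaryDirectory() as d:
        for fname in (' .exe', '.exe', 'SysTray.Exe'):
            open(os.path.join(d, fname), 'w').close()
        return quarantine_blank_named_files(d), sorted(os.listdir(d))
```

Run the registry check against a real export (regedit's Export Registry File) of the Run and RunServices keys; the file rename only makes sense after the autostart entry is gone and the machine has rebooted, as the article explains.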

Automatic Detection and Removal of Back Orifice

Update - Automatically detect and delete the infamous "Back Orifice" program from a Win95 or Win98 computer with this free "BoDetect" program developed by Chris Benson. Download the program from PC Hell. (127k)

This program will automatically detect the Back Orifice program and rename it to a safe name (BACKORIFICE.BOD), which you can safely delete by using the Start, Find, Files or Folders option in Windows 95 or Windows 98.