What's worse than a virus on your system? A program that gives control
of your computer to someone connecting to it through the Internet.
Way back in the day, a group of hackers known as the Cult of the Dead
Cow (CDC) created an infamous program called "Back Orifice". The
program was "a remote administration system which allows a
user to control a Win95 machine over a network using a simple console
or GUI application. On a local LAN or across the internet, BO gives its
user more control of the remote Windows system than the person at the
keyboard of that machine."
This was a cutting-edge hacker tool in its day and was definitely a serious threat when the Internet was just getting started.
Manual Method of Deletion for Back Orifice
Here's a manual method of detection and removal of the Back Orifice program from your Win95 or Win98 machine.
The program installs itself (unless otherwise defined by the person who installed it) as " .exe" (space dot exe), or unnamed. Usually, it will locate itself in the C:\Windows\System directory. It will show up as a blank spot if you view the files on your C: drive in Windows Explorer. Click on View > Options (or Folder Options using IE 4.X) and make sure that Show All Files is checked and that Show Extensions for Known File Types is also enabled.
The catch is that you will not be able to delete the program while the system is running, because the program is designed to run at boot-up. To get around this, you will need to delete the program's reference in the system Registry.
Warning: IF YOU DO NOT KNOW WHAT THE REGISTRY IS, OR YOU ARE UNCOMFORTABLE EDITING THE REGISTRY, FIND SOMEONE WHO KNOWS WHAT THEY ARE DOING TO HELP YOU!!! CORRUPTING THE REGISTRY CAN CRASH YOUR SYSTEM!
You have been warned....
In the Registry Editor, left-hand window:
- Go to HKEY_LOCAL_MACHINE and click on the + to expand the key.
- Expand SOFTWARE.
- Expand Microsoft.
- Expand Windows.
- Expand CurrentVersion.
- Left-click once on RunServices.
The value for the boserve.exe program will appear in the right-hand pane. Delete the entry for ( .exe).
Reboot your system. You can now delete the unnamed executable from the C:\Windows\System directory.
This will not fix every installation of the boserve.exe program, because it can be renamed by the person who installed it on your system or placed in a different directory. This will work only on installations which were done with no customization to the program.
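The manual check above (open RunServices, look for a value whose name renders as a blank spot) can be done from an exported Registry file instead of clicking through the editor, which is safer than editing live and leaves a record. The following script is an added example and is not part of the original article or of any Back Orifice tooling: it parses the REGEDIT4 text format that Win95/98 regedit produces under Registry > Export, and flags Run/RunServices entries whose value name or target filename consists of nothing but whitespace in front of ".exe". The sample export embedded in the script is constructed for the example, and the blank-name heuristic only catches the default, uncustomized install the article describes; a renamed copy needs a different check.

```python
import re
import sys

# Constructed excerpt of a Win95/98 "Registry > Export" file (REGEDIT4 format).
# The entries are made up for this example; the " .exe" value mirrors the
# blank-looking name the article says Back Orifice uses when not customized.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" for string values, or @="data" for a key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Autostart keys the article walks through (RunServices) plus the neighbouring
# Run key; matched case-insensitively on the tail of the key path.
AUTOSTART_SUFFIXES = (r'\currentversion\runservices', r'\currentversion\run')


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a REGEDIT4
    export. Only REG_SZ and default-value lines are parsed, which is all the
    Run/RunServices keys normally hold; hex: values are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(2) else unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def looks_blank(name):
    """True when a value or file name would show as an empty spot in Explorer:
    nothing at all, or only whitespace in front of an .exe extension (' .exe')."""
    if name.strip() == '':
        return True
    stem, sep, ext = name.rpartition('.')
    return bool(sep) and stem.strip() == '' and ext.strip().lower() == 'exe'


def basename(path):
    # Portion after the last backslash; arguments, if any, stay attached.
    return path.rsplit('\\', 1)[-1]


def find_suspicious_autostarts(keys):
    """Return (key, value_name, data, reason) tuples for blank-looking entries
    under the Run/RunServices keys."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        for name, data in values.items():
            reasons = []
            if name != '@' and looks_blank(name):
                reasons.append('value name is blank-looking')
            if looks_blank(basename(data)):
                reasons.append('target filename is blank-looking')
            if reasons:
                findings.append((key, name, data, '; '.join(reasons)))
    return findings


def main(argv):
    # Pass a path to a real export to scan it; with no argument the embedded
    # constructed sample is scanned.
    if len(argv) > 1:
        with open(argv[1], encoding='latin-1') as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    for key, name, data, reason in find_suspicious_autostarts(parse_reg_export(text)):
        print('[%s] %r = %r  <- %s' % (key, name, data, reason))


if __name__ == '__main__':
    main(sys.argv)
```

Run it against an export of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion; a reported entry is the one to delete in the right-hand pane before rebooting and removing the file, exactly as the steps above describe. Flagging rather than deleting keeps the human in the loop, which matters given the warning about Registry edits.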