Back Orifice - Trojan Horse

• How it works:

• The Back Orifice virus, better known as BO, is a trojan horse program. It comes as two pieces, the server and the client. The server program is installed without the system owners knowledge and allows anyone with the client to have access to the fundemental layers of the infected computer. Practically anything can be done over the remote link (the Internet), including adding and removing parts of the system registry, viewing the contents of any files and adding or removing files remotely.
• The client works by scanning a range of ip addresses for a response to a particular TCP port. When the BO server (boserve.exe) is installed on a machine, either by launching from an infected shareware program or by viewing an infected graphic file, or other means, it opens a specific port (31337) to the internet connection. Anyone with the scanner program will then see the infected machine when a scan of it's IP address is commenced. There are two ways to remove the server from an infected machine, either find the registry keys and remove them or download and run the antidote software. I have provided two different software programs. Antigen is the best, (IMHO), but either should suffice. After you have removed the offending codes, for those of you who want to see if you are being scanned, you can download either of the two programs listed below (BO Freeze, or NoBO) to tell the scriptkiddies scanning your system that you know what they are up to. NukeNabber can also be installed to watch more than just port 31337.

  Download the antidotes here:

  • Antigen - IMHO, the best BO remover - antigen.zip
  • AntiBO - Works OK, I guess - anti11s.zip

  Fight Back!

• Warning, use of these programs may cause havoc to the script kiddies computer when they scan you! :)

  • BO Freeze: Cause the scanners BO Client to freeze up! - bof.exe
  • NoBO: Send a message to the scanner! - nobo.exe