Threat Description

BO2K

Details

Aliases: BO2K, Back Orifice 2000
Category: Malware
Type:
Platform: W32

Summary



Back Orifice 2000 is a new version of the well-known Back Orifice backdoor trojan (a hacker's remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. Originally, BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so people who received that CD might have become infected and spread not only the compiled backdoor but also the CIH virus.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The first binary version of BO2K was compiled and spread in the US. A few days later an international version of the backdoor appeared. Over time, many versions of BO2K may appear, built with different compilers and having different features.

Like its predecessors, the Back Orifice 2000 backdoor has two major parts: a client and a server. The server part must be installed on a computer system before the client part can access it. The client connects to the server over the network and is used to perform a wide variety of actions on the remote system. The client part has a dialog interface that eases the process of controlling the remote computer.

Here's the screenshot of the client part.

The package also includes a configuration utility that is used to configure the server part of BO2K. By default, the server part does not install itself to the system when run; it must be configured before it can be used as a backdoor. The configuration utility has a wizard that helps to configure the server part quickly. It asks the user to specify the network transport (TCP or UDP), the port number (1-65535), the connection encryption type (simple XOR or strong 3DES), and the encryption password, which is also the password for server access.

Here's the screenshot of the BO2K configuration wizard.

The configuration utility allows the server part to be configured flexibly. It can add or remove plugins (DLLs) from the server application, and configure file transfer properties, TCP and UDP settings, activation of built-in plugins, the encryption key, and startup properties. The startup properties allow configuring automatic installation to the system, the server file name, the process name, process visibility, and NT-specific properties (NT service and host process names).

Here's the screenshot of BO2K configuration utility.

When the server part is configured to act as a trojan, i.e. to install itself covertly on someone's system, it writes itself to the \Windows\System\ or \WinNT\System32\ folder under the name specified during configuration (the default is UMGR32.EXE). Then it modifies the Registry. Under Windows 95/98 the server execution string is written to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

under Windows NT the execution string is written to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then the file from which the server part was started can be deleted (if this was specified during configuration). After that, BO2K will be active in memory each time Windows starts and will provide access to the infected system to anyone who has the client part and the correct password.

While active, the server part can hide its process or prevent its task from being killed from Task Manager (on NT). On NT the backdoor uses a trick: it constantly changes its PID (process ID) and creates an additional process of itself, so the backdoor stays alive even if one of the processes is killed. In addition, the server part appends a random (but large) number of spaces and 'e' characters to the end of its file name, so the server file cannot be deleted from Windows (an invalid or long name error occurs), though disk checking utilities find no problems with the file name. The server file can only be deleted from DOS or a DOS session (if the file is not locked, of course).
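The two persistence traits described above (an autostart value in the Run or RunServices key launching the dropped server, and a server file name padded with trailing spaces and 'e' characters) can be checked offline. The following Python is an added example written for this page; it is not F-Secure's or the BO2K authors' code. It assumes that the registry has been exported as a .reg text file and that a plain directory listing of the system folder is available; the registry export and directory listing below are constructed samples, not real captures, and the default server name UMGR32.EXE is the only indicator taken from the text.

```python
"""Offline check for the BO2K persistence indicators described in the text."""
import re
from typing import Dict, List, Tuple

# Autostart keys named in the description (Win9x RunServices, NT Run),
# stored lower-case so comparison is case-insensitive.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Default server file name set by the BO2K configuration wizard.
DEFAULT_SERVER_NAME = "umgr32.exe"
# File names padded with trailing spaces and 'e' characters (the deletion trick
# described above). This may also match odd but legitimate names; treat as a lead.
PADDED_NAME = re.compile(r"\.exe[ e]+$", re.IGNORECASE)
# First executable path in a Run value, quoted or not, with optional arguments.
IMAGE_PATH = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Constructed sample registry export (not a real capture). Note that .reg text
# escapes backslashes as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Remote Administration Service"="C:\\WINNT\\System32\\UMGR32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="UMGR32.EXE"
'''

# Constructed directory listing of \WinNT\System32; only one name is padded.
SAMPLE_LISTING = ["notepad.exe", "UMGR32.EXE   eee  ", "calc.exe"]


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each named string value in a .reg export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name, data = m.group(1), m.group(2)
                # Undo the .reg escaping of quotes and backslashes.
                data = data.replace('\\"', '"').replace("\\\\", "\\")
                entries.append((key, name, data))
    return entries


def find_autostart_iocs(entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Flag autostart values whose launched image is the default BO2K server name."""
    hits = []
    for key, name, data in entries:
        if key.lower() not in AUTOSTART_KEYS:
            continue  # e.g. an Uninstall key mentioning the name is not persistence
        m = IMAGE_PATH.match(data)
        if not m:
            continue
        image = m.group(1)
        base = re.split(r"[\\/]", image)[-1].lower().strip()
        if base == DEFAULT_SERVER_NAME:
            hits.append({"key": key, "value": name, "image": image,
                         "reason": "default BO2K server name in autostart key"})
    return hits


def find_padded_names(names: List[str]) -> List[str]:
    """Flag file names padded with trailing spaces and 'e' after the .exe extension."""
    return [n for n in names if PADDED_NAME.search(n)]


def scan(reg_text: str, listing: List[str]) -> Dict[str, list]:
    """Run both checks and return the findings."""
    return {"autostart": find_autostart_iocs(parse_reg_export(reg_text)),
            "padded_files": find_padded_names(listing)}


if __name__ == "__main__":
    for category, findings in scan(SAMPLE_REG, SAMPLE_LISTING).items():
        print(category, findings)
```

The autostart check keys on the default file name only because that is the one indicator the description gives; a server renamed in the configuration wizard would be missed by it, which is why the padded-name check over the directory listing is kept as an independent signal. Because a padded name contains trailing spaces, any cleanup must pass the exact name (quoted) to the deletion tool, as the text's note about DOS sessions implies.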

Like its ancestors, Back Orifice 2000 has many features. Unlike the older versions, however, BO2K has many improvements: connection encryption (including strong 3DES), the ability to run under NT, UDP transport, internal plugins in DLL format, more advanced security, and more remote system control features.

Here's the list of Back Orifice 2000 capabilities:

1.  Ping and query the server part version
2.  Rebooting, locking up the system, listing of passwords (yes, it works: passwords are retrieved from memory), getting system info
3.  Logging keyboard activity, operations with the log file: view, delete
4.  Opening a message box with specified text and title
5.  Mapping TCP ports to another IP, console application, HTTP file server, file name; listing of mapped ports and TCP file sending
6.  Adding and removing network shares, listing of shares (including LAN), mapping of shared devices, listing of active connections
7.  Process control (works under NT as well): list, kill, start
8.  Full access to the Registry (though the way it is done is not convenient: all keys must be typed manually)
9.  Playing WAV files (looped playback is possible), capturing the screen, AVI and video stills
10. Full disk access: listing of directories and files; finding, viewing, deleting, moving, copying of files and folders; transfer list maintenance
11. Remote compression and decompression of files (to receive big files from the remote system)
12. Resolving full host name and IP address
13. Flexible server control including control of each plugin, command sockets manager
14. Possibility to run any plugins ('buttplugs') and to activate any functions in them with specified parameters. For example, one plugin can initiate a video stream and 'hijack' a remote system.

The US version has some serious bugs: sometimes installation of the backdoor fails under NT, and on NT shutdown an error message box is displayed for some time.

When more versions of Back Orifice 2000 appear, this description will be updated with new facts.

Detection and removal of Back Orifice 2000 is available with the latest updates, which can be downloaded free of charge from the F-Secure ftp site:

ftp://ftp.F-Secure.com/anti-virus/updates/avp/

ftp://ftp.Europe.F-Secure.com/anti-virus/updates/avp/





Technical Details: Alexey Podrezov, F-Secure
