Threat Description

Back Orifice


Aliases: Back Orifice, BO, CDC-BO, BOSERVE, BOCLIENT, Orifice, Hacktool, Back_Orifice
Category: Malware
Type: Trojan
Platform: W32


There is no virus by this name. However, there is a toolkit from a hacker group Cult of the Dead Cow by this name.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

This trojan horse allows an intruder to monitor and tamper with Windows 95 and Windows 98 computers over the Internet. There is no easy way for a computer user to know the attack is taking place, and there is no easy way to stop the attack once Back Orifice has installed itself on the computer.

In a typical attack, the intruder sends the Back Orifice trojan horse to his victim as a program attached to e-mail. When the e-mail recipient executes the program attachment, the trojan horse opens connections from the computer to the Internet. This allows the intruder to control the computer. The trojan horse is invisible and will restart itself automatically even if Windows is re-booted.

Back Orifice allows a hacker to view and modify any files on the hacked computer. It can create a log file of the computer users actions. It can take screen shots of the computer screen and send them back to the hacker. Or it can simply crash the computer.

F-Secure Anti-Virus detects and disinfects this trojan as Trojan.Win32.BO.

To manually remove Back Orifice, restart the machine in MS-DOS mode (Start/Shut Down/Restart in MS-DOS mode) and delete the BO server from Windows system directory. Usually this can be done by typing in the DOS prompt:



This is a trojan which claims to detect Back Orifice, while in fact it is Back Orifice server itself. It is detected as Trojan.Win32.BO.b.

See: Netbus


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More