Trojan Horses

Introduction
On this page I'll try to give some background information on two well-known Trojan Horses. The first one is called Back Orifice, the second one NetBus. Besides talking about what you can do against these two "viruses" (I'm not sure if virus is the correct word for BO or NetBus, but to keep this page easy to read I'll use that word), the question remains what other unknown viruses or Trojan Horses might be running on your system without you knowing. I'll give examples of detecting the Trojans, but these are for older versions of the trojans only. Currently there are many versions of the Back Orifice (BO2K) and NetBus (NetBus 1.2, 1.53, 1.60, 1.70, 2.0 Pro, 2.01 Pro ...) trojans. And besides NetBus and Back Orifice there are many more trojans, which we will not mention in the rest of this document because it would simply become too difficult to read. A few of them are: Attack FTP Installer; BackDoor; DeepBO; Executor; FTP Trojan; FTP99; Happy99; NetMonitor; SubSeven etc.

Panic?
Should you panic? Personally, I don't think so. I have been on the Internet quite some time now, and there are some things you should just keep in mind and be careful about. My motto is "better safe than sorry", so what I don't do is, for example, accept files from people on IRC. The first thing I do when I try some sort of new Internet application is to turn off all auto-accept options. I want to keep in control. I do not open email attachments I do not trust. Just to be sure, I scan even the email attachments I do trust before opening them.

As an example of what trojans can do on your system, here are a few of the capabilities of Back Orifice 2000:

  • Rebooting, locking up system, listing of passwords etc.
  • View and edit the registry (create a key, set a value, get a value, delete a key, delete a value, rename a key, etc.)
  • List directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes.
  • Display a message box.
  • Logging keyboard activities, operations with log file: view, delete.
  • Adding and removing network shares, mapping of shared devices, listing of active connections etc.
  • Playing WAV files.

These are just a few things I do as a precaution. Who can you trust? That's hard to answer; maybe it doesn't even have to do with trust. Somebody you know might have a virus on his/her system without knowing it. When he or she uploads something to you, you might have it too. Another good example: I needed information about a problem with new hardware (from a well-known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site, and when opening a document (Word) from that FTP site I noticed it contained a macro virus. I discovered it in time, because I'm careful. That's probably the most important thing you can do against viruses.

What do they do?
Back to the two Trojan Horses Back Orifice and NetBus: they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. The difference between Back Orifice and NetBus is that NetBus infects Windows NT as well as 95 and 98. Older versions of Back Orifice are said to be capable of infecting only Windows 95/98, but the new Back Orifice 2000 (or BO2K) appears to be capable of infecting Windows NT systems too. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listening to what you are doing!

How do people find an infected PC on the Internet?
Some versions of the trojan horse report the IP address of a PC, once it is connected to the Internet, on an IRC channel. Other methods used are port scanners, which scan a range of IP addresses/ports to find a PC which has "the backdoor open". Not all versions of the trojan horses are accessible by anybody with a client; some are even "customized" with password protection, which means that if a system is infected, it can only be accessed by the person who has the password.

If you want to find out if you are infected by one or more trojans, what I recommend most is to search for information on trojans on the Internet at companies such as McAfee and Symantec. They usually have very good info about trojans and viruses.

How to find out if you are infected with BO or NetBus
I heard and read about a few methods on how you can possibly find out if you are "infected" by Back Orifice or Netbus. Note that these detection hints are for older versions of NetBus and Back Orifice only (not for example for Back Orifice 2000 or BO2K !). If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk.

  1. NetBus might be found with telnet. Open a DOS box and type:

    telnet 127.0.0.1 12345
    telnet 127.0.0.1 12346
    Telnet opens, and if a line in your telnet window contains "netbus" (without the quotes), your system is infected with NetBus.

  2. For both Back Orifice (old version) and NetBus (old version) there is another possible way to find out if you are infected with one of them. Close all your applications, especially those that use network shares. Open a DOS box and run the following command:

    netstat -an|more

    Back Orifice possibly replies with:
    UDP 0.0.0.0:31337 *:*

    NetBus possibly replies with:
    TCP 0.0.0.0:12345 *:*
    TCP 0.0.0.0:12346 *:*

    Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.

  3. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    This contains all files which are run as a service. If you find a service called .exe (yes, .exe, no name before the dot), or a service with a very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice.

    "Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry.

  4. If weird things start happening on your system, for example: missing files/directories, suddenly opening and closing CD-ROM drive etc. then it's possible your system is infected with Back Orifice or Netbus.
  5. Back Orifice: Another method of finding out if your system is infected by BO (older version) is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected.
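The netstat check in method 2 and the RunServices check in method 3 can be applied mechanically. The script below is an added example and not code from the original page: it parses a constructed sample of "netstat -an" output, reports listeners on the ports the page associates with Back Orifice and NetBus, lists other high-port listeners that deserve a look, and flags constructed RunServices entries whose executable has no name before ".exe" or whose size is about 122 KB. The port numbers, the registry key and the size hint come from the page; the sample data, the 2 KB size tolerance and all function names are this example's own assumptions.

```python
"""
Added example, not from the original page: applies two of the detection hints
above (the "netstat -an" port check and the RunServices registry check) to
constructed input.

Assumptions: the ports (UDP 31337 for Back Orifice, TCP 12345/12346 for NetBus),
the RunServices key and the "about 122 KB" hint come from the page; the sample
netstat output and registry entries are constructed, the 2 KB size tolerance is
this example's own choice, and all function names are this example's own.
Later versions of both trojans can be configured to use other ports and file
names, so an empty result is not proof of a clean system.
"""
import re
from pathlib import PureWindowsPath

# Listener ports named on the page, keyed by (protocol, local port).
KNOWN_TROJAN_PORTS = {
    ("UDP", 31337): "Back Orifice (old version)",
    ("TCP", 12345): "NetBus (old version)",
    ("TCP", 12346): "NetBus (old version)",
}

# Constructed sample of "netstat -an" output from an infected Windows 9x box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1052       10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# One socket line: protocol, local address:port, foreign address, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)


def parse_netstat(text):
    """Return (proto, local_addr, local_port, state) for every socket line."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, port, _foreign, state = m.groups()
            sockets.append((proto.upper(), local, int(port), state))
    return sockets


def is_listener(proto, state):
    """UDP sockets carry no state in netstat output; TCP listeners show LISTENING."""
    return proto == "UDP" or (state or "").upper() == "LISTENING"


def find_known_trojan_listeners(text):
    """Listeners on the exact ports the page associates with BO and NetBus."""
    return [
        (proto, port, KNOWN_TROJAN_PORTS[(proto, port)])
        for proto, _local, port, state in parse_netstat(text)
        if (proto, port) in KNOWN_TROJAN_PORTS and is_listener(proto, state)
    ]


def find_high_port_listeners(text, threshold=1024):
    """The page's looser hint: other listeners on high ports are worth a closer look."""
    return sorted(
        (proto, port)
        for proto, _local, port, state in parse_netstat(text)
        if port >= threshold
        and is_listener(proto, state)
        and (proto, port) not in KNOWN_TROJAN_PORTS
    )


RUN_SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed RunServices values: (value name, command line, size of the executable in bytes).
SAMPLE_RUN_SERVICES = [
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun", 34_000),
    (".exe", r"C:\WINDOWS\SYSTEM\.exe", 124_928),
    ("LoadPowerProfile", r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme", 24_000),
]

# First token of the command line that ends in .exe, with or without quotes.
EXE_RE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)


def check_run_services(entries, bo_size=122 * 1024, tolerance=2 * 1024):
    """Flag entries matching the page's hints: an executable with no name before
    ".exe", or a file of about 122 KB. Each hit lists its reasons so the reader
    can judge them; the size hint on its own is weak."""
    suspicious = []
    for value_name, command, size in entries:
        m = EXE_RE.match(command.strip())
        exe_name = PureWindowsPath(m.group(1)).name if m else command
        reasons = []
        if exe_name.lower() == ".exe":
            reasons.append("no file name before .exe")
        if abs(size - bo_size) <= tolerance:
            reasons.append("file size is about 122 KB")
        if reasons:
            suspicious.append((value_name, exe_name, reasons))
    return suspicious


if __name__ == "__main__":
    for proto, port, name in find_known_trojan_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is open: possibly {name}")
    for proto, port in find_high_port_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is open: not a known trojan port, but worth a look")
    for value_name, exe_name, reasons in check_run_services(SAMPLE_RUN_SERVICES):
        print(f"{RUN_SERVICES_KEY}\\{value_name} -> {exe_name}: {', '.join(reasons)}")
```

On a real machine you would feed the output of "netstat -an" and the values of the RunServices key into these functions instead of the constructed samples. The port check only proves something about the default ports of the old versions; a listener on any unexpected port, or an entry you cannot explain, is a reason to run an up-to-date virus scanner rather than a verdict by itself.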

I found one! What now?
Rumors are that some NetBus/Back Orifice removal applications going around on the Internet are the trojan horses themselves. For that reason you have to be very careful about which removal application you are going to use.

What I recommend most, again, is to use a well-known brand of virus scanner which can detect and remove viruses like Back Orifice and NetBus. Always check that this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods of removing Back Orifice from your system.

On this page you can find a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it).

Some providers have special email addresses at which you can report trojan horse "attacks". If you found out that your system is infected with Back Orifice or NetBus, and you know how it got infected, it might be wise to contact your provider at such an address, if they have one, and explain the situation to them. This might help prevent other people from getting infected too.

Other sites/pages for more information about Back Orifice and Netbus:
