Your Source for Security Products, Comparisons and Opinion
All-Internet-Security

Description

A Trojan horse is not really a virus. BackOrifice is an intruder tool that consists of two pieces, a client application and a server application. Here, you'll find some explanations of how a Trojan horse (BO) intrudes into a system and how it protects itself from being detected, including detailed information on default backdoor ports.

First of all, BackOrifice or BO is not a virus. It is a free Win32-based Trojan program. Do not download or upload software unless you have opted to do so. This trojan can affect Windows 95 and Windows 98 systems. It does not work on Windows NT.

Note: According to the latest security reports, this malware is not able to break through a firewall.

Detection - Backdoor Rootkit for Windows Hosts

Running an nmap UDP scan for port 31337 against our hosts is the only way that you can really detect BackOrifice's presence on our network. It's a risk to keep the BO server on your computer.
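Triage of such a scan's results, as an added example that is not part of the original page: it reads nmap's grepable output (-oG) from a UDP scan of port 31337 and separates hosts that answered from hosts where the result is inconclusive. The sample output, host name and addresses are constructed.

```python
import re

BO_PORT = 31337  # default BackOrifice UDP port named in the text

# Constructed sample of `nmap -sU -p 31337 -oG -` output (RFC 5737 test addresses).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sU -p 31337 -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 31337/closed/udp//BackOrifice///
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 31337/open/udp//BackOrifice///
Host: 192.0.2.3 (pc-lab3)\tStatus: Up
Host: 192.0.2.3 (pc-lab3)\tPorts: 31337/open|filtered/udp//BackOrifice///
# Nmap done: 8 IP addresses (3 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*)$")


def triage(gnmap_text, port=BO_PORT):
    """Return {ip: verdict} for hosts whose UDP `port` is not reported closed."""
    findings = {}
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, _name, ports = m.groups()
        ports = ports.split("\t")[0]  # drop a trailing "Ignored State:" field
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            number, state, proto = fields[0], fields[1], fields[2]
            if proto != "udp" or number != str(port):
                continue
            if state == "open":
                # A UDP reply came back from the port: something is listening.
                findings[ip] = "responded: inspect this host"
            elif state == "open|filtered":
                # No reply at all: a silent listener and a dropping firewall
                # look the same to a UDP scan, so confirm on the host itself.
                findings[ip] = "no reply: inconclusive, check on the host"
    return findings


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_GNMAP).items():
        print(ip, verdict)
```
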

Designed to work on Windows 95 and 98 machines, this remote administration tool allows the user to remotely control the operating system, including:
  • View the contents of any file on the computer
  • Execute any program
  • System
  • Passwords
  • Network
  • File system
  • Registry
  • Processes


In addition to that, this backdoor has the ability to transfer files and to delete, create and modify files on your hard drive. It can also list cached and screen saver passwords and capture a screenshot.

Besides, the BackOrifice trojan needs to be executed by the user for it to be installed. Once downloaded and executed by the user, it will install itself in such a way that it will be active all the time.

BackOrifice adds an entry to the Windows Registry to achieve this. Besides, the client application, running on one machine, may be used to monitor and control a second machine online.


The presence of BackOrifice (BO) installed in the computer will not be evident to the affected user. The size of this trojan file is 124,928 bytes. It can also be slightly more than this size.

Troj/NeoBO-A is a Trojan for the Windows platform.



BackOrifice's Features List:
  • Restarts the computer.
  • Executes any program.
  • Forces the computer to lock up or freeze.
  • Session logging
  • Multiple server connections at once
  • Process control, start, stop, list
  • Graphical remote registry editing
  • Access console programs
  • Network redirection of TCP/IP connections

Latest version known:
  • backdoor.win32.bo.a
  • Backdoor IRCNite pl
  • Backorifice 1.20
  • Backorifice 1.3
  • Backorifice 1.41
  • Backorifice 2000 1.0 International




BackOrifice Screenshots: Designed with a client-server architecture.

Actions are performed on the server by sending commands from the client to a specific IP address.

In the event you do inadvertently install a Trojan horse and the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the GUI client using the "Ping..." dialog or by putting a target IP of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as the subnet list and will display the first line of the first file it finds with the filename of the subnet.

Overall, communication packets used by BackOrifice are encrypted with a user-definable key, so only the intended client can control the server.



BO2K Configuration Wizard
BackOrifice Win32 GUI Client 1.20 Patched

Three basic steps to removing Backorifice:
  • Remove its Registry entry
  • Shut down and restart your system
  • Then delete the actual program.



NOTE: This information is supplied for educational purposes only.
The best defense against BO Trojan is to follow safe computing practices.
(January 26, 2012)

BO, Zeus, LOIC: Administration Tools?

These pieces of malware pose the greatest danger to users' PCs. Also known as Kneber, Zbot, Gorhax, PRG, Wsnpoem, Zeus is a trojan horse. It is one of the nastiest password-stealing trojans in the world. The main route of infection is via spam and attachments. Moreover, Zeus can be difficult to detect even with up-to-date antivirus software.

The BO Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user's knowledge. Download the updates for your antivirus databases and perform a full scan of the computer.

Most of today's anti-virus programs will guard against Trojan horses and remove them should they be installed.



EDITOR'S NOTE

Our information site provides both independent and free recommendations and ratings of online software and services.

Whenever possible, we test each product and can receive advertising revenue from makers of security applications we review. The comments expressed are our own.
