How to Detect Back Orifice
From your Antivirus Software Guide

Difficulty Level: Hard    Time Required: 30 minutes


Here's How:
  1. Click on the Start button and select "Run..." from the Start menu.
  2. Type in telnet 127.0.0.1 12345 to launch a Telnet window. If a line appears with the word NetBus you probably have the NetBus Trojan.
  3. Repeat steps 1-2 but enter telnet 127.0.0.1 12346 to launch a Telnet window. If a line appears with the word NetBus you probably have the NetBus Trojan.
  4. Close all applications and type netstat -an|more into the Run... box, then click "OK." If you get a response of UDP 0.0.0.0:31337 *:* you probably have the Back Orifice Trojan.
  5. Responses of TCP 0.0.0.0:12345 *:* or TCP 0.0.0.0:12346 *:* indicate a probable NetBus infection on the system.
  6. Enter regedit into the Run... box and click on "OK" to launch the Registry editor.
  7. Click the plus symbol next to each key, in order: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
  8. Look for an entry whose file name is just ".exe" with nothing else attached, or one with a strange name. If the file is approximately 122 KB in size you probably have the BO Trojan.
  9. Search for windll.dll in the C:\Windows\System directory to rule out older Back Orifice infections.
  10. Look for strange symptoms on the computer, such as files disappearing or the CD tray opening and closing without prompting; these indicate a possible infection.
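
The netstat check from steps 4 and 5 as a script, added here as an example and not part of the original how-to: it parses netstat -an output in both the old "TCP 0.0.0.0:12345 *:*" form quoted above and the newer form with a state column, and reports the indicator ports. The sample output is constructed, not captured from a real machine.

```python
"""Flag the Back Orifice / NetBus listener ports named in the steps above in
`netstat -an` output. Added example, not part of the original how-to."""
import re

# (protocol, port) -> Trojan the how-to associates with that listener
SUSPECT_PORTS = {
    ("UDP", 31337): "Back Orifice",
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
}
# Accepts the old "TCP 0.0.0.0:12345 *:*" form and the newer one with a state
# column, e.g. "TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING".
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def local_port(addr):
    """Port from a local address such as 0.0.0.0:12345 or [::]:12345."""
    return int(addr.rsplit(":", 1)[1])


def scan_netstat(output):
    """Return (protocol, port, trojan) for every suspicious listener found."""
    hits = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, local, _foreign, state = m.groups()
        proto = proto.upper()
        # Only a TCP socket that is actually listening counts; UDP has no state.
        if proto == "TCP" and state and state.upper() != "LISTENING":
            continue
        key = (proto, local_port(local))
        if key in SUSPECT_PORTS:
            hits.append((proto, key[1], SUSPECT_PORTS[key]))
    return hits


# Constructed sample of netstat -an output (not captured from a real host).
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12346      10.0.0.9:4421          ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, name in scan_netstat(SAMPLE):
        print(f"{proto} port {port} is open: possible {name}")
```

To check a real machine, paste the output of netstat -an into scan_netstat in place of SAMPLE; a hit is a reason to continue with the registry steps, not proof of infection on its own.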


Tips:

  1. Use updated antivirus software, when available, to rule out common malware.
  2. The steps above are only designed to identify the original Back Orifice and NetBus Trojans.
  3. Use more than one method and/or antivirus program to detect and remove malware, especially Trojans.

©2012 About.com. All rights reserved.

A part of The New York Times Company.