Back Orifice default installation

Risk Level: High

Check or Attack Name: BackOrifice

Platforms: Windows 95, Windows 98

Description:

Back Orifice is a backdoor for Windows 95/98 released by the hacker group Cult of the Dead Cow. This backdoor allows remote users to totally control your machine. If discovered, Back Orifice should be removed immediately.

Remedy:

Remove Back Orifice immediately by editing the RunServices registry key and removing the Back Orifice executable.

To remove a default installation of Back Orifice from your system, follow these steps:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedit, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices registry key.
  3. Look for an entry called (Default) with a value of .exe.
  4. Delete this entry and reboot the machine.
  5. Delete the file exe~1 in your Windows system directory (probably c:\windows\system).
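
Steps 2 and 3 can be checked without opening Registry Editor on each machine by exporting the registry to a text file (`regedit /e export.reg` writes the REGEDIT4 text format on Windows 95/98) and scanning that export for a `(Default)` value of `.exe` under the RunServices key named above. The script below is an added example and is not part of the ISS advisory; the key path is the one the advisory gives, the sample export is constructed, and the leading-whitespace stripping is an assumption so that a name such as ` .exe` (whose 8.3 short name would be `exe~1`, as in step 5) is still matched.

```python
"""Scan a REGEDIT4 registry export for the RunServices (Default) entry the
advisory tells you to look for (Back Orifice default installation).

Added example, not part of the advisory. Assumes the export was produced by
Windows 9x regedit (REGEDIT4 text format); the sample export is constructed.
"""
import re

# Key path exactly as given in the advisory's remedy, step 2.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample export: one ordinary RunServices entry plus the
# (Default) value the advisory describes, and an unrelated Run key.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@=".exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; hex:/dword: data is ignored since autorun entries are strings.
_STRING_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unquote(s):
    """Strip the surrounding quotes and undo the \\" and \\\\ escapes regedit writes."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a REGEDIT4 export.
    The default value ('@' in the file) is reported under the name "(Default)"."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _STRING_VALUE_LINE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        keys[current][name] = _unquote(m.group(2))
    return keys


def find_runservices_default(text):
    """Return the RunServices (Default) data if it is a bare '.exe' name
    (case-insensitive key match; surrounding whitespace in the data is ignored
    so a name with a leading space is still caught). Returns None if clean."""
    for path, values in parse_reg_export(text).items():
        if path.lower() != RUNSERVICES_KEY.lower():
            continue
        data = values.get("(Default)")
        if data is not None and data.strip().lower() == ".exe":
            return data
    return None


if __name__ == "__main__":
    hit = find_runservices_default(SAMPLE_EXPORT)
    if hit is None:
        print("RunServices (Default) entry not present: no Back Orifice default installation found")
    else:
        print("RunServices (Default) = %r: remove the entry (step 4) and the file (step 5)" % hit)
```

Run it against a real export by reading the file into `find_runservices_default`; a non-`None` result means steps 4 and 5 of the remedy above still apply to that machine. The check is deliberately narrow (only the default-installation value the advisory names), so a clean result does not rule out a renamed installation.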

References:

Cult of the Dead Cow (cDc), cDc Home Page, http://www.cultdeadcow.com

ISS Security Advisory #5, Cult of the Dead Cow Back Orifice Backdoor, http://xforce.iss.net/alerts/advise5.php3
