BoSniffer is Really a Trojan

VERSIONS AFFECTED
DESCRIPTION

FROM KEN WILLIAMS, USED WITH PERMISSION:

I recently came across a program called "BoSniffer.zip" that the author claims will "block key points in the registry from BO as well as search for existing installs of the backdoor." Close examination has revealed that this is actually a BO server with the "SpeakEasy" plugin installed.

If you run "BoSniffer.exe", the BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes."

This program, "BoSniffer.zip", is currently being widely distributed as a "cure for Back Orifice infections". It is probably being distributed with other software packages and with other names too. Listed below are relevant details about this program.

File Sizes (in bytes)

MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f

Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin:

sector 0x028C38
sector 0x0303F0 - sector 0x0306D8
sector 0x031848
sector 0x0318A8 - sector 0x031980

You get the idea by now, hopefully.

SOLUTION

REMOVE BACKORIFICE MANUALLY!

Instructions on removing BO Servers from compromised servers can be found at: http://www.iss.net/xforce/alerts/advise5.html

To learn more about NT Security concerns, subscribe to NTSD

Credits: Originally reported by Ken Williams. Posted on The NT Shop on August 31, 1998
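Because the advisory notes that the archive circulates under other names, a sweep has to match on content rather than on filename. The sketch below is an added example, not part of the original advisory: it flags files whose MD5 equals the published BoSniffer.zip hash and zip archives holding a member named BoSniffer.exe. The function names and the member-name check are assumptions of this example.

```python
import hashlib
import os
import zipfile

# MD5 of BoSniffer.zip as published in the advisory above.
BOSNIFFER_ZIP_MD5 = "2d75c4ac54b675778ff22f76f9a6a77f"
# Executable name given in the advisory; matching on it is this example's assumption.
SUSPECT_MEMBER = "bosniffer.exe"


def md5_of(path, chunk_size=65536):
    """Stream the file so large archives are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def zip_has_member(path, member=SUSPECT_MEMBER):
    """True if path is a readable zip holding a file with the suspect name."""
    try:
        with zipfile.ZipFile(path) as archive:
            return any(os.path.basename(n).lower() == member
                       for n in archive.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # not a zip, or unreadable


def scan(root, known_md5=BOSNIFFER_ZIP_MD5):
    """Walk root and return sorted (path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                if md5_of(path) == known_md5.lower():
                    findings.append((path, "md5-match"))  # exact archive, any filename
                elif zip_has_member(path) or name.lower() == SUSPECT_MEMBER:
                    findings.append((path, "name-match"))  # a lead, not proof
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

An MD5 match identifies only byte-identical copies of the archive; a repackaged copy will not match, so name matches are leads to inspect by hand.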