Skip navigation
Menu
Security

Back Orifice Remover is a Trojan

BoSniffer is Really a Trojan
Reported August 31, 1998 by Ken Williams on NTBugTraq

VERSIONS AFFECTED

  • Windows machines infected with BackOrifice

DESCRIPTION

FROM KEN WILLIAMS, USED WITH PERMISSION:

I recently came across a program called "BoSniffer.zip" that the author claims will "block key points in the registry from BO as well as search for existing installs of the backdoor."

Close examination has revealed that this is actually a BO server with the "SpeakEasy" plugin installed. If you run "BoSniffer.exe", the BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes."

This program, "BoSniffer.zip" is currently being widely distributed as a "cure for Back Orifice infections". It is probably being distributed with other software packages and with other names too. Listed below are relevant details about this program.

File Sizes (in bytes)
-----------------------
231068 BoSniffer.exe
108573 BoSniffer.zip
MD5 fingerprints and strings (checksums)
------------------------------------------

MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21

Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin:
---------------------------------------------------------------------

sector 0x028C38
irc.lightning.net:7000:Hey MASTER where are u!!!

sector 0x0303F0 - sector 0x0306D8
BO ButtPlugs and goodies...http://www.netninja.com/bo.html
AJ Reznor: The pierced, tattooed grand master god of flame wars!
Who is John Galt?
Yes, you too can own my box with this special introductory offer of $0.00!
I"m sad to see Kontrol Faktory go away.
Use Linux!
This box is now property of the Illuminati.
<<tap>> <<tap>> <<tap>>...Is this thing on?
Where do *YOU* want to go today?!

sector 0x031848
SpeakEasy.dll

sector 0x0318A8 - sector 0x031980
#BO_OWNED with IRC commands:
Own Me @ .NOTICE .JOIN #BO_OWNED host server :Owned USERNICK BO
.QUIT Psssst...Speakeasy was told to shut down
.NOTICE #BO_OWNED :Psssst...Speakeasy just started up

You get the idea by now, hopefully.

SOLUTION

REMOVE BACKORIFICE MANUALLY !  Instructions on removing BO Servers from compromised servers can be found at: http://www.iss.net/xforce/alerts/advise5.html

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by Ken Williams
- Posted on The NT Shop on August 31, 1998
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024