Non-NT Windows Clients subject to New Trojan

Back Orifice
Reported August 12, 1998 by Microsoft


  • Windows 3.0
  • Windows for Workgroups
  • Windows 95
  • Windows 98


The Cult of the Dead Cow released a program called Back Orifice that can be used as a trojan backdoor into vulnerable machines. While the software does need to be installed on the client before it can be used to penetrate the system, several means of doing so are readily available -- including the use of Java applications embedded in a Web site. Accessing such a site could lead to the trojan being installed without the user's knowledge.

Back Orifice gives an attacker several means of accessing and controlling the trojaned machine, including:

  • remotely controlling and monitoring a Windows computer
  • reading everything that the user types at the keyboard
  • capturing images that are displayed on the monitor
  • uploading and downloading files remotely
  • redirecting information to a remote internet site.

According to a security advisory posted by Internet Security Systems (ISS):

The BO server will do several things as it installs itself on a target host:

* Install a copy of the BO server in the system directory (c:\windows\system) either as " .exe" (a space followed by ".exe") or a user-specified file name.

* Create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices with the file name of the server file name and a description field of either "(Default)" or a user-specified description.

* The server will begin listening on UDP port 31337, or a UDP port specified by the installer.


Download the Back Orifice executable from this site now.

Click HERE to demo the Java-based trojan containing Back Orifice - WARNING: this will install Back Orifice on your system using a Java Script! Use extreme caution!!!


1. Start the regedit program (c:\windows\regedit.exe).

2. Open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Look for any entries that were not intentionally installed on the machine, and check the size of the file each one points to in the system directory (the file may be named " .exe" or anything the installer chose). If one of these files is close to 124,928 bytes in size (give or take 30 bytes), it is probably BO.
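The indicators ISS lists (the RunServices entry, the " .exe" default name, the server size of about 124,928 bytes, the UDP listener on 31337) and the two registry steps above can be turned into one repeatable check. The Python below is an added example written for this page; it is not part of the original article, of the ISS advisory, or of any Back Orifice tooling. It reads a regedit export of the RunServices key, a table of file sizes from the system directory, and netstat -an output. All three inputs are constructed samples, and the helper names (parse_reg_export, udp_listeners, triage) are the example's own.

```python
"""Triage a Windows 9x host for the Back Orifice indicators named in the
advisory: an unexpected RunServices entry, the default " .exe" file name,
a server binary of about 124,928 bytes, and a UDP listener on port 31337.
Added example; every sample input below is constructed, not captured data."""
import re

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_SERVER_SIZE = 124_928      # server size quoted in the advisory
BO_SIZE_TOLERANCE = 30        # "give or take 30 bytes"
BO_DEFAULT_PORT = 31337       # default UDP listener
BO_DEFAULT_NAME = " .exe"     # default file name: a space followed by ".exe"

# Constructed sample of "regedit /e" (REGEDIT4 text) output for the key.
# Backslashes inside value data are doubled, as regedit writes them.
REG_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
"WinSock Update"="C:\\WINDOWS\\SYSTEM\\wsock.exe"
"""

# Constructed file sizes (lower-cased base name -> bytes) for c:\windows\system.
# "wsock.exe" stands for a BO server installed under an attacker-chosen name.
FILE_SIZES = {"mstask.exe": 120_336, " .exe": 124_928, "wsock.exe": 124_940}

# Constructed "netstat -an" output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:31337          *:*
"""

# One REGEDIT4 value line: "name"="data" or @="data" for the default value.
_VALUE_LINE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo REGEDIT4 escaping: doubled backslashes and escaped quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {value name: string data} for the RunServices key only.

    The default value (@=...) is reported under the name "(Default)".
    """
    entries, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNSERVICES_KEY.lower()
            continue
        m = _VALUE_LINE.match(line) if in_key else None
        if m:
            name = "(Default)" if m.group("name") is None else _unescape(m.group("name"))
            entries[name] = _unescape(m.group("data"))
    return entries


def udp_listeners(netstat_text):
    """Return the set of local UDP ports from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "UDP":
            ports.add(int(parts[1].rsplit(":", 1)[-1]))
    return ports


def triage(reg_text, file_sizes, netstat_text):
    """Return [(entry, file, [reasons])] for everything matching a BO indicator.

    Entries that merely look unfamiliar are left to the analyst; only the
    concrete indicators from the advisory raise a finding here.
    """
    findings = []
    for name, cmd in parse_reg_export(reg_text).items():
        exe = cmd.strip('"').rsplit("\\", 1)[-1]      # base name of the target file
        size = file_sizes.get(exe.lower())
        reasons = []
        if exe.lower() == BO_DEFAULT_NAME or name == BO_DEFAULT_NAME:
            reasons.append("default BO file name ' .exe'")
        if size is not None and abs(size - BO_SERVER_SIZE) <= BO_SIZE_TOLERANCE:
            reasons.append("size %d within %d bytes of %d" % (size, BO_SIZE_TOLERANCE, BO_SERVER_SIZE))
        if reasons:
            findings.append((name, exe, reasons))
    if BO_DEFAULT_PORT in udp_listeners(netstat_text):
        findings.append(("netstat", "udp/%d" % BO_DEFAULT_PORT, ["listener on BO default UDP port"]))
    return findings


if __name__ == "__main__":
    for entry, target, reasons in triage(REG_SAMPLE, FILE_SIZES, NETSTAT_SAMPLE):
        print("%-16r %-12r %s" % (entry, target, "; ".join(reasons)))
```

On a real machine the first input would come from regedit's export switch (assumed usage: regedit /e with the RunServices key path), the sizes from a directory listing of c:\windows\system, and the third from netstat -an. The size heuristic is the one that catches a server installed under a name other than " .exe", which is why the sample includes a renamed copy; a listener on a port other than 31337 would be missed, since the installer can change it.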

A program called "Toilet Paper" has been released that can remove Back Orifice. We make no claims as to the suitability of this software package.

To learn more about NT Security concerns, subscribe to NTSD

- Originally reported by Microsoft
- Posted on The NT Shop on August 19, 1998

Copyright (C) 1998 - M.E. -- ALL RIGHTS RESERVED
Unauthorized duplication expressly prohibited
