| Field | Value |
|---|---|
| VID | 24007 |
| Severity | 40 |
| Port | |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description | Back Orifice 2000 appears to be installed. Back Orifice 2000 is a new version of the well-known Back Orifice backdoor trojan (a hacker's remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. Like the original Back Orifice, it consists of two pieces: a server and a client application. However, both applications are now capable of running under Windows NT. The same package also includes a configuration utility that is used to configure the server part of BO2K. The configuration utility has a wizard that helps to quickly configure the server part and asks the user to specify the networking type (TCP or UDP), the port number (1-65535), the connection encryption type, simple (XOR) or strong (3DES), and the password for server access. |
| References | http://www.iss.net/security_center/static/2343.php ; http://www.norton.com/avcenter/venc/data/back.orifice.2000.trojan.html ; http://www.nsclean.com/psc-bo2k.html |
| Recommendation | The Back Orifice 2000 backdoor can be very difficult to remove manually, because it is highly configurable, which makes it difficult to identify on your system. By default, the Back Orifice 2000 backdoor installs itself in the Windows system directory as the file UMGR32.EXE. On Windows NT, it installs a service listed as "Remote Administration Service." However, this default name can be changed. Refer to the sites below for using an antivirus program to remove the backdoor. |
| Removal tools | Norton AntiVirus: http://www.symantec.com/nav/indexA.html ; McAfee VirusScan: http://software.mcafee.com/centers/download/ ; Trend Micro PC-Cillin: http://www.trend.com/pc-cillin/ ; Privacy Software BOClean 4.02: http://www.nsclean.com/boclean.html |
| Related URL (CVE) | |
| Related URL (SecurityFocus) | |
| Related URL (ISS) | |