Trojan Horses: Back Orifice, Netbus and others
[last updated: Thursday, December 24, 1998]
*** IMPORTANT NEWS! NEW -VERY DANGEROUS- VIRUS: REMOTE EXPLORER ***
CLICK HERE FOR MORE INFO ABOUT REMOTE EXPLORER
A new virus/trojan horse has been discovered: Remote Explorer! DIGIFRIENDS has opened a special page
on this new, most intelligent virus ever found, with information about how to detect it, which fixes/detection
applications are available and much more info. We highly recommend you visit the special page, and at this
moment recommend you to revisit it every hour as we are placing more and more info online as soon as we receive it.
If you have any comments, suggestions or solutions having to do with this
New threats on the Internet. Well, not really new, but recently two new Trojan Horses were discovered. The first one is called
Back Orifice... the second one NetBus. Besides talking about what you can do against these two "viruses" (I'm
not sure if virus is the correct word for BO or Netbus, but to keep this page easy to read I'll use that word) the
question remains what other unknown viruses or Trojan Horses might be running on your system without you knowing?
Should you panic? Personally, I don't think so. I have been on the Internet quite some time now and there are some things
you should just keep in mind and be careful. My motto is "better safe than sorry" so what I don't do is, for
example, accept files from people on IRC. The first thing I do when I try some sort of new Internet application is
to turn off all auto-accept options. I want to keep in control. I do not open email attachments I do not trust. Just
to be sure I scan the email attachments I do trust first, before opening it.
These are just a few things I do as a precaution. Who can you trust? That's hard to answer, maybe it doesn't even
have to do with trust. Somebody you know might have a virus on his/hers system without him/her knowing it. When
he or she uploads something to you, you might have it too. Another good example: I needed information about
a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the
hardware manufacturer's public FTP site and when opening a document (Word) from that FTP site I noticed it
contained a macro virus. I discovered it on time, because I'm careful. That's probably the most important
thing you can do against viruses.
What do they do?
Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door"
is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other
people, who can then do virtually anything on your system, including deleting files. The difference between
Back Orifice and Netbus is that Netbus infects Windows NT as well as 95 and 98. Back Orifice is said to be only
capable of infecting Windows 95/98. As said before, once a system is infected, the one accessing your PC can do
virtually anything, possibly even turning on your microphone and listen to what you are doing!
How do people find an infected PC on the Internet?
Some versions of the trojan horse report the IP address of a PC, once connected to the Internet, on an IRC channel.
Other methods used are port scanners, which scan a range of IP addresses/ports to find a PC which has "the
backdoor open". Not all versions of the trojan horses are accessible by anybody with a client, some are even
"customized" with password protection, which means that if a system is infected, it can only be accessed by
the person who has the password.
How to find out if you are infected with BO or NetBus
I heard and read about a few methods on how you can possibly find out if you are "infected" by
Back Orifice or Netbus. If you run these tests and don't find anything suspicious, this doesn't
mean you are not infected. The following methods are just a few suggestions you can try, and do
not guarantee anything. You should try the following methods at your own risk.
What I recommend most is to search for information on the two Trojan Horses on the site of a well known
anti-virus brand like McAfee.
For detection of Netbus, McAfee has the following information pages:
Another anti-virus software company, Data Fellows, has
information about Back Orifice.
Netbus might be found with telnet. Open a dos box and type:
telnet 127.0.0.1 12345
telnet 127.0.0.1 12346
Telnet opens, and in case a line in your telnet window containing "netbus" (excluding "") you system
is infected with Netbus.
For both Back Orifice and Netbus there is another possible way to find if you are infected with one of
them. Close all your applications, especially those
who point to network-shares. Open a DOS box and run the following command:
Back Orifice possibly replies with:
UDP 0.0.0.0:31337 *:*
NetBus possibly replies with:
TCP 0.0.0.0:12345 *:*
TCP 0.0.0.0:12346 *:*
Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.
You can try looking in your system registry with regedit (recommended for advanced users only!) and take a
This contains all files which are run as a service. If you find a service called .exe (yes, .exe, no name before the dot) or
a service with a very very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice.
"Finding Your Back Orifice" is a site which
shows screenshots of an infected system registry and a clean system registry.
If weird things start happening on your system, for example: missing files/directories, suddenly opening
and closing CD-ROM drive etc. then it's possible your system is infected with Back Orifice or Netbus.
Back Orifice: Another method of finding out if your system is infected by BO is to search your WINDOWS/SYSTEM directory for the
file windll.dll. If it's there you are possibly infected.
I found one! What now?
Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are the
trojan horses itself. For that reason you have to be very careful which removal application you are going
What I recommend most, again, is to use a well-known brand virus scanner which can detect and remove viruses
like Back Orifice and Netbus. Always check if this is the case before you buy, just to make sure!
Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan
has downloadable ".DAT" files which are renewed every month. PC Help
is a site which also shows some methods how to remove Back Orifice from your system.
Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure
to read the complete instructions of the application before you use it).
More applications and tools for detecting and/or destroying Trojan Horses can be found in the DIGIFRIENDS.COM
freeware & shareware area: Security: Anti-Virus Software, Security: Miscellaneous and for those of you
who are looking for protection against winnukes visit Security: Anti Winnuke.
Some providers have special email addresses at which you can report trojan horse "attacks". If you found out that
your system is infected with Back Orifice or Netbus, and you know how it got infected, it might be wise to contact
your provider if they have a special email address to do so and explain the situation to them. This might help
avoiding other people to get infected too.
Other sites/pages for more information about Back Orifice and Netbus:
subject, join the discussion on the software message board!