Back Orifice 2000

Server name: Back Orifice
Version: 2000
Different version(s): [1.20] [2000]
Server size: 136K
Server files: server.exe
Infects: Windows 95, 98, NT
Autoloads: Registry: HKEY_LOCAL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ Key: UMG32.EXE
Default port: 54320 TCP or 54321 UDP
Can port be changed: Yes, and whether it listens on TCP or UDP
Programming language: Visual C++
Required files: none
Language: English

-Server Features
Open source: very configurable
Choose between XOR and 3DES encryption
Ping
Query
Reboot machine
Lock up machine
Get passwords
Get system info
Log keystrokes
Send message box
HTTP fileserver
Receive file
Port redirection
Send file
Add/List shares on Microsoft networks
List connections
Map network
List/Start/Kill process
Registry editor
Capture still picture
Capture AVI
Play WAV (can also loop it)
List capture devices
Capture screen
Compress files
Plugin support
DNS stuff
Shutdown/Restart server
Load/Debug/List/Remove plugins
Start/List/Stop command socket
Start/List/Stop butt plugs
View/Kill apps
Chat
Shutdown/Reboot/Logoff/Poweroff
Start menu on/off
Email using victim

-Comments
The mother of all Trojans is back and better than ever (Trojan-wise). Unlike version 1.20, it now infects Windows NT. To make it more dangerous, it is totally open source. Currently this is the most dangerous Trojan around. More about it later, maybe.

-How To Remove Manually
* Because it is open source, this will only work for the default version we received, not for configured versions.

Remove the UMG32.EXE key located in the registry at: HKEY_LOCAL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\. This can be done with regedit or any other registry editing program.
Reboot the computer, or close it.
Delete the Trojan file UMG32.EXE in the Windows System directory.