Back Orifice DLL

Back Orifice DLL
Server name: Back Ofrice DLL
Version: 1.20
Different versions: NA
Server size: 125K
Server files: cfgwin32.dll
Server icon:

Infects: Windows 95/98/ME
Autoloads: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices Key: cfgwin32
Default port: 1349 UDP
Can port be changed: Yes

Server Features

Capture screen shot
Capture video/audio
Create a directory
Create/delete export
Compress/decompress file
Disable/Enable http server
Get cached passwords
Log keystrokes
Misc. file options
Plugins
Registry editing
Spawn a text based application on a tcp port
View contents of file
View/Kill plugins
View/Kill processes

Comments
Back Orifice DLL is just Back Orifice in a DLL form. In order to autoload cfgwin32.reg must be ran to create the registry key.

How To Remove
Quick fix: no quick fix programs
Manual removal:

Delete the registry key named cfgwin32 located at KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\. This can be done using regedit or another registry editing program.
Reboot the computer or close the trojan.
Delete the trojan file cfgwin32.dll in the windows system directory.

Related
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page

Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved.
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal.
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.