
BackOrifice2K.Trojan - Removal

Risk Level 1: Very Low

Discovered:
July 11, 1999
Updated:
February 13, 2007 11:58:22 AM
Type:
Trojan Horse

Windows 9x Systems with NAV Installed

Note the name of the file NAV detects as BackOrifice2k.Trojan. Restart the machine from a clean DOS boot disk or Windows Startup floppy so that the trojan is not running. Change to the \WINDOWS\SYSTEM directory on the drive where Windows is installed and delete the file NAV detected as BackOrifice2k.Trojan. Remove the floppy disk and restart the system. Then edit the Windows registry using REGEDIT.EXE and go to the following registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Delete the value whose data names the file NAV detected as BackOrifice2k.Trojan.

Windows NT Systems with NAV Installed

Note the name of the file NAV detects as BackOrifice2k.Trojan, then edit the Windows registry using REGEDIT.EXE. If you have Administrator access, go to the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Press CTRL+F and search for the name of the file NAV detected as BackOrifice2k.Trojan; it appears in the ImagePath value of the service the trojan registered. Delete the entire service key that contains this value. CurrentControlSet is a link to the control set the system booted with, so this removes the key from that control set only; check the other ControlSet00x keys (for example ControlSet001 and ControlSet002) for a copy as well. Then restart the system. Once Windows has started, open the Command Prompt from the Start/Programs menu and delete the file NAV detected as BackOrifice2k.Trojan. Check the registry again to make sure the trojan did not reinstall itself, then follow the instructions below to check whether the trojan was also installed without Administrator access.

For users without Administrator access, go to the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Check whether the name of the file NAV detected as BackOrifice2k.Trojan appears in a value under this key. If so, delete that value and restart the system. Once Windows has started, open the Command Prompt from the Start/Programs menu and delete the file NAV detected as BackOrifice2k.Trojan. Check the registry again to make sure that the trojan did not reinstall itself.

Windows 9x Systems without NAV Installed

If you do not have an antivirus product that detects this trojan, search the following Windows 9x registry key for any unusual entries:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

The default server file name starts with UMGR32, but it can be any name; the value data is \WINDOWS\SYSTEM\ followed by the file name. Note the file name and delete the value from the registry. Then restart the machine from a clean DOS boot disk or Windows Startup floppy, change to the \WINDOWS\SYSTEM directory on the drive where Windows is installed, and delete the file with the same name as the deleted registry value. Remove the floppy disk and restart the system. Check the registry again to make sure the trojan did not reinstall itself.

Windows NT Systems without NAV Installed

If you do not have an antivirus product that detects this trojan, you must search the registry manually. For users with Administrator access, run REGEDIT.EXE and look for unusual entries under the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

The default subkey is named Remote Administration Service, but it can have any name. Note the file listed in its ImagePath value, then delete the entire subkey. CurrentControlSet is a link to the control set the system booted with, so this removes the key from that control set only; check the other ControlSet00x keys (for example ControlSet001 and ControlSet002) for a copy as well. Then restart the system. Once Windows has started, open the Command Prompt from the Start/Programs menu and delete the file that was listed in ImagePath. Restart the system and check the registry again to make sure the trojan did not reinstall itself, then follow the instructions below to check whether the program was also installed without Administrator access.

For users without Administrator access, run REGEDIT.EXE and look in the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Search for any unusual entries whose data contains \WINNT\SYSTEM32\ and note the file name that follows it. Delete that registry value and restart the system. Once Windows has started, open the Command Prompt from the Start/Programs menu and delete the file named in the deleted value. Restart the system and check the registry again to make sure the trojan did not reinstall itself. Contact your administrator to check whether the trojan was also installed with Administrator access.
Writeup By: Raul Elnitiarta
