Aman ngeBlog _mestinya_ ngeBlog Aman *** Peace is Worth Everything We Pay.

BackOrifice2 Fixing

30 June 2003 – 5:24 am · updated: 3 Mar 2010

This guide will describe how to remove the Back Orifice Backdoor
Version 2 (also referred to as BO) from your system.
Brought to you by #hackfix @EFNet, written by Disturbed and Snowz.

Introduction

Removing Back Orifice is a three-step process.

  1. Edit registry so that BO cannot load on start up.
  2. Reboot to purge BO from memory.
  3. Delete the program on disk to prevent reinfection.

Windows 95 will not let you delete or modify a program on disk while it is running. This is why the first two steps are needed: there is no easy way to force the BO application to quit, so you stop it from being loaded and then reboot.

New in version 2 of the server, which was created by OPC, is that the default exe name, registry key, and port all differ from version 1.
These items are also very easy for the person who deployed the server to change in order to hide it, so the names below are only the defaults.

Step 1 -=- Edit the Registry

These instructions are for the default program values, most of which usually remain unchanged (typically only the port and/or password are changed, so that only the person who infected you can control the machine). If the value or file names below do not match what you see, the server may have been renamed.

To remove it you will need to use a program called RegEdit. Go to the Run command in your Start menu and type regedit there to start the program. If you are already familiar with regedit, the key and value to edit are as follows:

HKEY_LOCAL_MACHINE
\SOFTWARE\Microsoft\Windows
\CurrentVersion\RunServices
System Tray = "SysTry.ocx"

You are safe to delete that value: System Tray = "SysTry.ocx"
Then (after the reboot in step 2) delete the file called systry.ocx in C:\WINDOWS\SYSTEM.

Step by Step:
When you run regedit, it looks a lot like Windows Explorer; however, it is not for working with files on the disk. Regedit has two panels. The panel on the left displays all the keys in your registry. The panel on the right displays the values in the selected key.

Looking at the left hand panel, you will see a list of items. One should say "HKEY_LOCAL_MACHINE" with a little box containing a '+'.
Click on that +, and it will display more items under it. Then find the item marked "SOFTWARE", and click on the box next to it. Continue this process, going down each of these items:

HKEY_LOCAL_MACHINE
\SOFTWARE\Microsoft\Windows
\CurrentVersion\RunServices

You will notice there is no '+' box next to the item RunServices. Just click on it; this will display the values in that key
in the panel on your right. The right hand panel, among other things, will list one value that will be similar to:
System Tray = "SysTry.ocx"

This is the value that is loading BO, and it must be removed. Be careful not to disturb any other values in this key: everything here is run at start up, and the rest is most likely legitimate software that needs to load.

Right-click on "System Tray" and choose 'Delete'.
Delete this value ONLY. Do NOT edit ANYTHING else in the registry if you are not familiar with it.

Step 2/3 – Reboot and Delete BO

Rebooting is self explanatory. After you reboot, do not run anything except Windows Explorer. Go into the directory C:\WINDOWS\SYSTEM and locate the file systry.ocx. DO NOT RUN IT: this is the actual BO program. If you do run it, it will re-create the registry value and you must start again at step 1.

Delete this file and empty the Recycle Bin. You should also delete the file C:\WINDOWS\windll.dll. At this point the server is no longer installed. However, there is no telling how BO got there in the first place, or who has done what on the machine since it arrived (the server gives its operator full control of the system). Our recommended action would be to back up your data, format the hard disks, and reinstall the operating system and applications from original disks / setup programs.
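The three steps above are manual regedit work on Windows 95. As an added example (not part of the original #hackfix guide, and not something the guide's authors wrote), the script below automates the same checks on a modern PowerShell system: it enumerates the autostart keys, reports any value whose name or target matches the guide's default indicators, removes the matching value only when `-Remove` is given, and, after the reboot the guide requires, deletes the files on disk only when `-DeleteFiles` is given. It goes beyond the guide in one respect: besides RunServices it also checks the other Run keys, because the same payload can be registered in any of them. The indicator names (`System Tray`, `systry.ocx`, `windll.dll`) are taken from the guide; everything else (the switch names, the list of keys, the use of `$env:SystemRoot`) is the example's own assumption.

```powershell
# Added example, not code from the original guide. Assumes a modern PowerShell
# (3.0 or later) and the default Back Orifice indicator names quoted in the text.
param(
    [switch]$Remove,       # delete the matching registry value (step 1)
    [switch]$DeleteFiles   # delete the files on disk; only use this AFTER rebooting (step 3)
)

# Indicators named in the guide. These are defaults and can be renamed by whoever
# installed the server, so a clean result here does not prove the machine is clean.
$indicatorValueName = 'System Tray'
$indicatorFileName  = 'systry.ocx'
$extraFile          = 'windll.dll'

# Autostart locations processed at boot/logon. The guide uses RunServices; the
# rest are included because the same value could have been placed there instead.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds itself; they are not registry values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$hits = @()
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psMetadata) { continue }
        $target = [string]$p.Value
        # Flag a value if either its name or the file it launches matches an indicator.
        if ($p.Name -eq $indicatorValueName -or $target -match [regex]::Escape($indicatorFileName)) {
            $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $target }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output "No autostart value matching '$indicatorValueName' or '$indicatorFileName' found."
} else {
    Write-Output "Matching autostart value(s):"
    $hits | Format-Table -AutoSize | Out-String | Write-Output
    if ($Remove) {
        foreach ($h in $hits) {
            # Step 1 of the guide: remove only the matching value, nothing else in the key.
            Remove-ItemProperty -Path $h.Key -Name $h.Name -Verbose
        }
        Write-Output "Registry value removed. Reboot before deleting the file on disk (step 2)."
    } else {
        Write-Output "Dry run only. Re-run with -Remove to delete the value(s) listed above."
    }
}

# Step 3: the files the guide says to delete. The guide's Windows 95 paths are
# C:\WINDOWS\SYSTEM\systry.ocx and C:\WINDOWS\windll.dll; SystemRoot is used
# here so the same script works when Windows is not installed on C:\.
$files = @(
    (Join-Path (Join-Path $env:SystemRoot 'SYSTEM') $indicatorFileName),
    (Join-Path $env:SystemRoot $extraFile)
)
foreach ($f in $files) {
    if (-not (Test-Path $f)) { continue }
    $item = Get-Item $f
    Write-Output ("Present: {0}  size={1}  modified={2}" -f $f, $item.Length, $item.LastWriteTime)
    if ($DeleteFiles) {
        # Never execute the file; just remove it. If it is still running this fails,
        # which means the reboot in step 2 has not happened yet.
        Remove-Item -Path $f -Force -Verbose
    }
}
```

Run it once without switches to see what it would touch, then with `-Remove`, reboot, and finally with `-DeleteFiles`. Like the guide, it only matches the default names; a renamed server will not be found this way, which is why the guide's closing advice to back up and reinstall still stands.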

References and more information

The home page of the creators of this document can be found at hackfix. Or you can always visit the channel #hackfix on the EFNet irc network, the place where it all began. Working together to make irc a better and safer place for everyone.
