which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or GUI client can be run on any Microsoft Windows machine.

To install the server, the server executable simply needs to be executed. When the server executable is run, it installs itself and then deletes itself. This is useful for network environments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots. To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host and use the Process spawn command to execute it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran. Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconf.exe utility. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).

The client communicates with the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password the server was configured with. The port the client sends its packets from can be set using the -p option with both the GUI and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server, or the return packets might be blocked on their way back to the client.

Actions are performed on the server by sending commands from the client to a specific IP address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the GUI client using the "Ping..." dialog or by putting in a target IP of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as the subnet list and will display the first line of the first file it finds with the filename of the subnet.

The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the GUI and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The GUI sets the labels of the two parameter fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server.
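The two defaults above (a UDP listener on port 31337 and an executable named " .exe") are the cheapest host-side indicators to check. The following triage helper is an added example written for this page, not part of Back Orifice or its documentation; the netstat-style lines and the Startup directory listing it parses are constructed sample input, and a server reconfigured with boconf.exe would not be caught by the port check.

```python
import re

# Defaults this description gives for an unconfigured Back Orifice server.
BO_DEFAULT_PORT = 31337
BO_DEFAULT_NAME = " .exe"  # "space dot exe"

# Constructed sample input, roughly in "netstat -an" layout (not a real capture).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
UDP    0.0.0.0:137            *:*
UDP    0.0.0.0:31337          *:*
"""

# Constructed sample input: names found in a Startup directory listing.
SAMPLE_STARTUP = ["Microsoft Office.lnk", " .exe", "desktop.ini"]

NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+?):(\d+)\s", re.I)


def udp_listeners(netstat_text):
    """Return the set of local UDP ports parsed from netstat-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(1).upper() == "UDP":
            ports.add(int(m.group(3)))
    return ports


def suspicious_names(names):
    """Flag .exe entries whose base name is empty or whitespace only, e.g. " .exe"."""
    return [n for n in names if n.lower().endswith(".exe") and n[:-4].strip() == ""]


def triage(netstat_text, dir_names, port=BO_DEFAULT_PORT):
    """Combine both checks into a list of human-readable findings (empty if clean)."""
    findings = []
    if port in udp_listeners(netstat_text):
        findings.append("UDP listener on Back Orifice default port %d" % port)
    for n in suspicious_names(dir_names):
        findings.append("executable with blank base name in listing: %r" % n)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_STARTUP):
        print("FINDING:", f)
```

Pass the port value a custom boconf.exe configuration is known to use as the `port` argument; the name check is independent of the port and still applies to the default filename.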
The functions of this trojan are:
Spawns a text-based application on a TCP port.
Stops an application from listening for connections.
Lists the applications currently listening for connections.
Creates a directory. Lists files and directories. You must specify a wildcard if you want more than one file to be listed. Removes a directory.
Creates an export on the server. Deletes an export.
Lists current shared resources (name, drive, access, password).
Copies a file.
Deletes a file.
Searches a directory tree for files that match a wildcard specification.
Compresses a file. Decompresses a file.
Views the contents of a text file.
Disables the HTTP server. Enables the HTTP server.
Logs keystrokes on the server machine to a text file. Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'.
Captures video and audio (if available) from a video input device to an AVI file.
Captures a frame of video from a video input device to a bitmap file.
Captures an image of the server machine's screen to a bitmap file.
Lists video input devices.
Plays a WAV file on the server machine.
Lists current incoming and outgoing network connections.
Disconnects the server machine from a network resource. Connects the server machine to a network resource.
Views all network interfaces, domains, servers, and exports visible from the server machine.
Pings the host machine.
Returns the machine name and the BO version number.
Executes a Back Orifice plugin. Tells a specific plugin to shut down. Lists active plugins or the return value of a plugin that has exited.
Terminates a process. Lists running processes. Runs a program. Otherwise it will be executed hidden or detached.
Redirects incoming TCP connections or UDP packets to another IP address. Stops a port redirection.
Lists active port redirections.
Creates a key in the registry. Deletes a key from the registry. Deletes a value from the registry. Lists the subkeys of a registry key. Lists the values of a registry key. Sets a value for a registry key.
Resolves the IP address of a machine name relative to the server machine.
Creates a dialog box on the server machine with the supplied text and an 'OK' button.
Displays system information for the server machine.
Locks up the server machine.
Displays cached passwords for the current user and the screen saver password.
Shuts down the server machine and reboots it.
Connects the server machine and saves any data received from that connection to the specified file. Connects the server machine and sends the contents of the specified file, then disconnects.