ACC-NET


Back Orifice - Protect Yourself

More Info: How To Find Back Orifice On Your Computer

Regedit

BO v1.2 always makes an entry in the Windows Registry, always in the same place. This entry can usually be quickly identified. It is in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Multiple copies of BO with varying filenames/configs can run simultaneously on the same machine and each will write its own entry to this key. In the majority of cases, this key points directly to the BO server program.

REGEDIT provides the means to read and delete BO's Registry entry. If that entry is the means by which BO is invoked at startup -- it normally will be -- its removal, followed by a reboot, will stop BO from running. Two practical points: write down the value's name and data before you delete it (you may want it back if it turns out to be legitimate), and remember that deleting the entry only stops BO from restarting; the server program itself is still on disk until you find and delete it (see Explorer/File Find below).

This approach easily locates BO in its default configuration and also works to detect, and to pinpoint, a large proportion of custom-configured Orifices. Because it is so easy, it is the first approach I recommend, especially to inexperienced users.

REGEDIT isn't rendered useless by trickier BOs. Normally, when BO is first run it copies itself into the Windows\System folder, deletes the original, and runs from there. However, as I pointed out above, if it's cleverly configured, BO can be made to remain where it was run from and may place only its DLL in the System folder. Its Registry entry can be a direct clue to this trickery because it's the filename config that determines this behavior -- and the filename config is what appears as the Registry value's data. At this writing, I'm in process of working out just how and why it behaves this way. Watch for more.

A key fact about BO (v1.2) is that it must write something to this Registry key; that entry is the means by which it is re-run at each startup. If you suspect a cleverly-hidden BO, remove all entries from this key (always save the names and data first so you can re-enter anything that proves valid), restart Windows, and inspect the key again with REGEDIT. Because the key was empty when you rebooted, any entry present afterward was written back by something that ran at startup. If an entry has reappeared, it's BO at work: you now know exactly which entry it makes, and the fact that it ran at all tells you BO is being executed by some means other than this key. See above for what these might be.
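The save-clear-reboot-inspect check above can be applied to two REGEDIT exports instead of by eye. The script below is an added example, not part of the original page: it parses the REGEDIT4 text that Win95's REGEDIT writes with Registry > Export Registry File, reads the RunServices key, and reports every entry present in the export taken after the reboot, noting whether it matches the copy you saved before clearing the key. The two snapshots embedded in it are constructed for illustration; EXAMPLE.EXE is a placeholder, not a known BO filename.

```python
import re

# The key the page says BO v1.2 always writes to.
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")


def _unescape(s):
    # REGEDIT4 string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a REGEDIT4 (Win95 REGEDIT) export into {key: {value_name: data}}.
    String data is unescaped; dword:/hex: data is kept as the raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        # value line: "name"=data, or @=data for the key's default value
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def runservices_entries(export_text):
    """Name -> data for the RunServices key, or {} if the export lacks it."""
    return parse_reg_export(export_text).get(RUNSERVICES_KEY, {})


def entries_after_clearing(saved_export, after_reboot_export):
    """The page's test: save the key's entries, delete them all, reboot, export
    again. The key was empty at reboot, so every entry now present was
    re-created by something that ran at startup. Returns [(name, data, note)]."""
    saved = runservices_entries(saved_export)
    now = runservices_entries(after_reboot_export)
    findings = []
    for name, data in now.items():
        if saved.get(name) == data:
            note = "re-created identically: this is the entry to look at"
        elif name in saved:
            note = "re-created with different data"
        else:
            note = "new entry not in the saved copy"
        findings.append((name, data, note))
    return findings


# Constructed snapshots for illustration only; EXAMPLE.EXE is a placeholder
# name, not a known BO filename.
SAVED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"ExampleSvc"="C:\\WINDOWS\\SYSTEM\\EXAMPLE.EXE"
"""

AFTER_REBOOT_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleSvc"="C:\\WINDOWS\\SYSTEM\\EXAMPLE.EXE"
"""

if __name__ == "__main__":
    for name, data, note in entries_after_clearing(SAVED_EXPORT, AFTER_REBOOT_EXPORT):
        print(f"{name} = {data}  [{note}]")
```

An entry reported as "re-created identically" is the one to chase with Explorer/File Find: its data is normally the path or filename of the server program. The parser only handles the one-value-per-line REGEDIT4 form; a long hex: value that REGEDIT wraps across lines with a trailing backslash would be reported as its first line only.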


Explorer/File Find

These standard Win95 desktop tools can, used well, hunt down BO on your system *very* effectively.

As a first step, and a very telling one, look for a file named WINDLL.DLL in the Windows\System directory. BO v1.2 places that file there every time it runs. Delete it. If Windows refuses because the file is in use, that in itself tells you a running program has the DLL loaded; restart the computer in MS-DOS mode and delete it from the command prompt. If another copy appears on restart, you've got BO.

If using REGEDIT hasn't led you straight to your Orifice, Explorer/File Find provides a strategy.

BO v1.2 will be a minimum of 124,928 bytes in length (122K in the Explorer window). Maximum can be much longer. One person sent me a BO server that was 193,143 bytes in length. BO isn't going to be a 1-meg monster, but exactly how big it can get is uncertain. I'd consider the range of 122K to 250K within reason.

Using File Find to locate all files on all drives at least 122K in size, then sorting them by date to find the more recent, should yield a relatively short list of likely suspects. This works especially well if you have MSInfo (see below) and compare this list to MSInfo's Running Applications.


MSInfo

Microsoft packages MSInfo32 with its Office suite and, I believe, with some of its other applications. If you have it, MSInfo can often point an accusing finger straight at your Orifice.

If you think you may have MSInfo32, first simply try selecting Start... Run... and typing in its name, MSINFO32. If that fails, use Find... Files or Folders... to search for it by name.

If you find MSInfo and start it, simply click on Running Applications and you will see a full list with paths and filenames.

Using MSInfo's ability to view all running applications, you have a starting point to systematically track down each app if necessary and determine whether it is an Orifice.

In particular, because MSInfo displays the full path, a BO that's been located somewhere obscure may be easily unveiled. Burying BO in a sub-sub-directory of drive E: makes it stand out prominently in the MSInfo listing. Practically everything else will be on C: and/or will be easily recognized as a valid program.
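The File Find sweep described under Explorer/File Find (all files of at least 122K, newest first) and the MSInfo cross-check described here can be combined in one pass. The script below is an added example, not part of the original page or of any Microsoft tool: it walks a directory tree the way File Find does, keeps files in the page's 122K to 250K window sorted newest first, intersects them with a list of full paths such as MSInfo's Running Applications view shows, and flags programs living off drive C: or buried several directories deep. The sample tree it builds is constructed in a temporary directory and contains no real BO files; the size limits and the "drive C:, at most three directories deep" rule are taken from the page's own description of what looks normal.

```python
import os
import tempfile
import time
from pathlib import Path, PureWindowsPath

# Size window from the page: BO v1.2 is at least 124,928 bytes (122K in
# Explorer) and "122K to 250K" is treated as the plausible range.
BO_MIN_BYTES = 124_928
BO_MAX_BYTES = 250 * 1024


def size_window_candidates(root, min_bytes=BO_MIN_BYTES, max_bytes=BO_MAX_BYTES):
    """Walk `root` like File Find and return (path, size, mtime) for files
    inside the size window, most recently modified first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable or locked file: skip, don't abort the sweep
            if min_bytes <= st.st_size <= max_bytes:
                hits.append((str(path), st.st_size, st.st_mtime))
    hits.sort(key=lambda hit: hit[2], reverse=True)
    return hits


def running_matches(candidates, running_apps):
    """Keep only candidates that also appear in the list of full paths
    MSInfo's Running Applications view shows (passed here as plain strings)."""
    running = {os.path.normcase(os.path.abspath(p)) for p in running_apps}
    return [hit for hit in candidates
            if os.path.normcase(os.path.abspath(hit[0])) in running]


def unusual_location(windows_path, system_drive="C:", max_depth=3):
    """Flag a running program that lives off the system drive or is buried in a
    sub-sub-directory, the situation the page says stands out in MSInfo.
    Pure string logic on a Windows-style path, so it runs on any OS."""
    p = PureWindowsPath(windows_path)
    depth = len(p.parents) - 1  # directories between the drive root and the file
    return p.drive.upper() != system_drive.upper() or depth > max_depth


def build_sample_tree():
    """Constructed stand-in for a drive; sizes and dates chosen to exercise
    each rule. None of these are real BO files."""
    root = tempfile.mkdtemp(prefix="bo_sweep_")
    now = time.time()
    specs = [  # (relative path, size in bytes, age in days)
        ("WINDOWS/SYSTEM/oldlib.dll", 124_928, 400),  # in window, but old
        ("WINDOWS/SYSTEM/small.dll", 50_000, 400),    # below window
        ("WINDOWS/big.exe", 300_000, 2),               # above window
        ("data/old/misc/svc.exe", 130_000, 1),         # in window, recent, buried
    ]
    for rel, size, age_days in specs:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    candidates = size_window_candidates(root)
    # Stand-in for the paths you would copy out of MSInfo's Running Applications.
    running = [root + "/data/old/misc/svc.exe", root + "/WINDOWS/EXPLORER.EXE"]
    for path, size, mtime in running_matches(candidates, running):
        print(f"running and in size window: {path} ({size} bytes)")
    print("E:\\data\\old\\misc\\svc.exe unusual:",
          unusual_location(r"E:\data\old\misc\svc.exe"))
```

Run it against a real drive by passing the drive root to size_window_candidates and the paths from MSInfo to running_matches; the short list that comes out is the set of programs to examine one by one. A custom-built server could be renamed or padded to fall outside these heuristics, so an empty result narrows the search rather than proving the machine clean.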

