Back Orifice, a Windows Remote Administration Tool, was released in 1998. This tool allows a user to remotely control a computer across a TCP/IP connection using a simple console or GUI application. To name a few, these control includes file system, process, network and multimedia controls. To the makers, BO ( Back Orifice ) still has its flaws. One of which is that it is not capable of running on NT machines.

On July 10, 1999, in the recently concluded DEFCON 7.0 (an annual convention for hackers), the BACK ORIFICE 2000 was released. Aside from the remote control capabilities in Back Orifice, the creators added some notable features:
- Windows NT support
- An open plug-in architecture to allow 3rd party add-ons
- Strong cryptography to ensure secure network administration (XOR/3DES)
- Open source, available under the GNU Public License
- TCP/IP or UDP port usage Details:
This hacker tool has developed into a full-blown Remote Administration Tool with almost complete control of your system. Because the full source code has been released to the public it is highly possible that different variants based on this Trojan will surface in the near future.
By default, the Server/Dropper portion of BO2K will edit the Windows registry by adding the "UMGR32.EXE" key in the following path:
For Windows 95/98 -
\\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT
\WINDOWS\CURRENT VERSION\RUNSERVICES
For Windows NT -
\\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT
\WINDOWS\CURRENT VERSION\RUN
BO2K is equipped with stealth capabilities and will not show up in your Windows Task Manager if configured to do so. The default setting will show that the UMGR32 task is running as a Remote Administration Service.
Note: Because the Server portion can be custom configured before being sent, it is possible that the key value assigned may be changed to something else depending on the file that will be dropped!

To clean BO2K from the infected system, you must use a Windows Registry Editor such as REGEDIT.
1. Take note of all the detected files
2. Search for the keys containing any of the detected files on your list.
By default this would be the "UMGR32.EXE" key and is located at -
When running Windows 95/98 -
\\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT
\WINDOWS\CURRENT
VERSION\RUNSERVICES\UMGR32.EXE
When running Windows NT -
\\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT
\WINDOWS\CURRENT VERSION\RUN\UMGR32.EXE
3. Delete the key entries in the registry
4. Shutdown to DOS and manually delete the listed files (by default UMGR32~1.EXE) in the \WINDOWS\SYSTEM directory and reboot your
system afterwards
5. For Windows NT you must reboot first to remove the process in memory and then delete the UMGR32.EXE file from the \WINNT\SYSTEM32
6. Scan your system once more to make sure you have removed all BO2K variants installed on your system. If ever you will have to return to Step 1

[MANUAL DETECTION]
Note: This is only true if the BO2K Trojan was sent to you using the default configuration!
1. Look in your \WINDOWS\SYSTEM (for Windows 95/98) or \WINNT\SYSTEM32 (for Windows NT) directory for an existing file called UMGR32.EXE
2. Alternatively you can also look at the Windows Task Manager for the UMGR32 service process
3. Follow the steps outlined in [REPAIR]
Note: This report will be updated when new information and developments of this new threat arises.