Backdoor.Win32.BO.a

Aliases
Backdoor.Win32.BO.a (Kaspersky Lab) is also known as: Backdoor.BO.a (Kaspersky Lab), Orifice.svr (McAfee), W32.HLLP.Clay.dr (Symantec), BackDoor.BOrifice (Doctor Web), Troj/Orifice-A (Sophos), Backdoor:Win32/BOClay (RAV), BKDR_BO.58880 (Trend Micro), Boserve-01 (H+BEDV), W32/Back_Orifice.124928 (FRISK), Win32:Trojan-gen. (ALWIL), BackDoor.BackOrifice (Grisoft), Backdoor.BackOrifice.A (SOFTWIN), Trojan.Bo (ClamAV), Trj/BOr (Panda), Back_Orifice.Dropper (Eset)
Description added: Feb 20 2002
Behavior: Backdoor
Technical details
This Trojan (also known as Back Orifice Trojan) is a network-administration utility that allows for the controlling of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui application. On a local line or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has," reads the advertising banner on a distribution Web-site.
The only feature that classifies this utility as malicious Trojan software is its silent installation and execution. When the program is run, it installs itself into the system and then monitors the system without any prompts or messages. Once installed, the application does not appear in the task list, and the Trojan gives no other indication of its activity.
The Trojan is distributed as a package of several programs and their documentation. All programs in the package were written in C++ and compiled with the Microsoft Visual C++ compiler. The date stamps on the EXE files we have show that all files in the package were compiled between the end of July and the first week of August 1998. All programs in the package are in Portable Executable format and run under Win32 only.
The main executable in the package is the BOSERVE.EXE file, which may be found under different names on an infected computer. This is the Trojan itself: the "server" part, which is contacted and controlled by clients from a remote computer.
The second file is the BOCONFIG.EXE utility, which can configure the server as well as attach it to other executable files in the same way viruses do. When attaching (infecting), the host file is shifted down and the Trojan code is placed at the top of the file. When an "infected" file is run, the Trojan extracts the original file image and spawns it without any visible side effects.
There are two "client" parts of the Trojan (a console version and a windowed version), which control the "server" from a remote computer. The two remaining executable files in the package are used by the Trojan when compressing/decompressing files on the "server".
When the Trojan is executed on the computer, it first determines its status: whether it is running as the original Trojan code or is attached to some host file, i.e., was modified by the BOCONFIG.EXE utility. In the latter case, the Trojan locates the customized options stored in the host file and reads them.
The Trojan then initializes Windows sockets, creates the WINDLL.DLL file in the Windows system directory (this file is stored as a resource inside the Trojan), obtains the addresses of several KERNEL32.DLL APIs for later use, searches for an already-running Trojan process and terminates it (thereby upgrading the Trojan process), copies itself to the Windows system directory and registers this copy in the system registry as an auto-run service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
It then creates a TCP/IP datagram socket, assigns port number 31337 (by default) to this socket and opens the port for listening. The Trojan then runs a standard Windows DispatchMessage loop, i.e., it stays in Windows memory as a hidden process (it has no active window and is not visible in the task manager).
The main Trojan routine then listens for commands from the remote client. The commands travel in encrypted form and start with the "*!*QWTY?" ID-string (without the quotation marks).
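The two network-visible facts in the description (a UDP listener on port 31337 by default, and commands that begin with the "*!*QWTY?" ID-string) can be turned into a simple log check. The following is an added example for defenders, not code from this description or from the Trojan's package; the log format, host addresses and payloads are constructed, and the payload column is assumed to hold whatever bytes the sensor presented.

```python
"""Network-side check for a Back Orifice-style listener (added example).
Scans constructed sensor log lines for two indicators taken from the
description: UDP traffic involving port 31337 and command data that
starts with the "*!*QWTY?" ID-string."""
import re
from typing import Dict, List, Optional

BO_DEFAULT_PORT = 31337        # default from the description; the port is configurable
BO_ID_STRING = b"*!*QWTY?"     # ID-string the description says each command starts with

# Constructed sensor log (not real traffic). Assumed line format:
#   <proto> <src>:<sport> > <dst>:<dport> <payload-hex>
# The description says commands are encrypted on the wire, so an ID-string
# hit implies the sensor handed over decrypted (or otherwise plaintext) data.
SAMPLE_LOG = """\
udp 192.0.2.10:1044 > 192.0.2.55:31337 2a212a515754593f0100
udp 192.0.2.10:1045 > 192.0.2.1:53 1a2b01000001
udp 192.0.2.77:31337 > 192.0.2.10:1046 00112233
tcp 192.0.2.10:2001 > 192.0.2.55:80 474554202f
udp 192.0.2.10:1047 > 192.0.2.55:4444 2a212a515754593f0200
"""

_LINE_RE = re.compile(r"^(udp|tcp)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+([0-9a-fA-F]*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record; return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport, hexpayload = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "payload": bytes.fromhex(hexpayload)}


def classify(rec: dict, port: int = BO_DEFAULT_PORT) -> List[str]:
    """Return the list of indicator names a record trips (empty if none)."""
    reasons: List[str] = []
    # Content check: independent of the port, so it also catches a server
    # configured on a non-default port, but only on non-encrypted data.
    if rec["payload"].startswith(BO_ID_STRING):
        reasons.append("bo-id-string")
    # Port check: the description says the socket is a datagram (UDP) socket,
    # so TCP traffic on the same port number is not counted.
    if rec["proto"] == "udp" and port in (rec["sport"], rec["dport"]):
        reasons.append("udp-port-%d" % port)
    return reasons


def scan_log(text: str, port: int = BO_DEFAULT_PORT) -> Dict[int, List[str]]:
    """Map line index -> tripped indicators for every line that matched a check."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec, port)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (index, ", ".join(reasons)))
```

The two checks complement each other: the last sample line shows a command on a non-default port that only the ID-string check catches, while the encrypted form on the wire means the ID-string check needs decrypted data and the port check is all that applies to raw captures. Neither is conclusive on its own; the host artefacts (the RunServices entry and WINDLL.DLL) remain the firmer evidence.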
Depending on the command, the Trojan is able to perform a set of actions:
  • obtain and send computer name, user name and system info: processor type, memory size, Windows OS version, installed drives and free space on them;
  • share selected drives;
  • list disk contents or search for a specific file;
  • send/receive files (read and write them), as well as delete, copy, rename and run them (including updating itself);
  • create/delete directories;
  • compress/decompress files;
  • log off current user;
  • halt the computer;
  • enumerate and send active processes;
  • enumerate and connect to network resources;
  • terminate selected process;
  • obtain and send cached passwords (passwords used during the current session), then look for the ScreenSaver password (decrypt it and send it);
  • display message boxes;
  • access the system registry;
  • open and redirect other TCP/IP sockets;
  • support the HTTP protocol and emulate a Web server, so that the Trojan can be accessed from a Web browser;
  • play sound files;
  • hook, store and send keyboard input while the user is logging in (see below).
While installing into the system, the Trojan creates the WINDLL.DLL file (it keeps the file image in its resources). When needed, the Trojan loads this DLL into memory and initializes it; the DLL then hooks keyboard and console (device console) input and stores the captured data in the BOFILEMAPPINGKEY and BOFILEMAPPINGCON files, which are then available to the main Trojan routine.
The Trojan can also extend its abilities with plug-ins. These can be sent to the "server" and installed as Trojan plug-ins; their features and functions (including possibly malicious ones) are entirely at the plug-in author's discretion.
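The installation steps and the keylogger DLL described above leave host-side artefacts: a value under the RunServices auto-run key, a WINDLL.DLL dropped into the Windows system directory, and the BOFILEMAPPINGKEY / BOFILEMAPPINGCON names. The following is an added triage example for defenders, not code from this description or from the Trojan's package. Because the description says the server may be found under different names, nothing below keys on a specific executable name; the .reg export text, directory listing, named-object listing and autorun baseline are all constructed, and the sample service/executable names are placeholders.

```python
"""Host-side triage for the persistence artefacts described above (added example).
Works on constructed text (a .reg export, a system-directory listing and a
named-object listing) so it runs anywhere; on a real machine the same text
would come from 'reg export', a directory listing and an object viewer."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators taken directly from the description.
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
DROPPED_DLL = "WINDLL.DLL"
MAPPING_NAMES = {"BOFILEMAPPINGKEY", "BOFILEMAPPINGCON"}

# Constructed sample data (not from a real machine); names are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"SampleService"="C:\\WINDOWS\\SYSTEM\\SAMPLE-BOSERVE.EXE"
"""
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "USER32.DLL", "windll.dll", "SAMPLE-BOSERVE.EXE"]
SAMPLE_NAMED_OBJECTS = ["BOFILEMAPPINGKEY", "SAMPLE_PRINTER_MUTEX"]
# Assumed baseline of auto-run names expected on this host (constructed).
BASELINE_AUTORUNS = {"SchedulingAgent"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="string" lines. Key paths are uppercased (the registry is case-insensitive)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def unexpected_autoruns(keys: Dict[str, Dict[str, str]],
                        baseline: Set[str]) -> List[Tuple[str, str]]:
    """Every RunServices value whose name is not in the host's baseline."""
    entries = keys.get(AUTORUN_KEY.upper(), {})
    base = {b.upper() for b in baseline}
    return sorted((n, v) for n, v in entries.items() if n.upper() not in base)


def matching_names(candidates: Iterable[str], wanted: Set[str]) -> List[str]:
    """Case-insensitive match of file or object names against an indicator set."""
    wanted_up = {w.upper() for w in wanted}
    return sorted(c for c in candidates if c.split("\\")[-1].upper() in wanted_up)


def triage_host(reg_export: str, system_dir_listing: Iterable[str],
                named_objects: Iterable[str], baseline: Set[str]) -> Dict[str, list]:
    """Combine the three checks into one findings dictionary."""
    keys = parse_reg_export(reg_export)
    return {
        "autoruns": unexpected_autoruns(keys, baseline),
        "dropped_files": matching_names(system_dir_listing, {DROPPED_DLL}),
        "keylogger_mappings": matching_names(named_objects, MAPPING_NAMES),
    }


if __name__ == "__main__":
    findings = triage_host(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_DIR,
                           SAMPLE_NAMED_OBJECTS, BASELINE_AUTORUNS)
    for kind, hits in findings.items():
        print(kind, hits)
```

The autorun check reports any value not in the baseline rather than looking for a known filename, which is the only robust approach given that the server is renamed at will; the baseline must be built from a clean host of the same build. The mapping-name check applies only while the keylogger DLL is active, so a miss there says nothing on its own.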