Platforms affected: RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server, RealSecure Desktop Protector, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Guard, RealSecure Sentry, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology
Description: This signature detects UDP packets whose size matches a specific BackOrifice2000 command response, whose argument lengths (as represented in the packet data) match BackOrifice2000 argument lengths, and whose data bytes at particular positions match BackOrifice2000 response structures.
This signature replaces BackOrifice2000.
Risk level: High
Versions: RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, BlackICE PC Protection: 3.6.cbd, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, Proventia Network MFS: 1.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline
Systems affected: Microsoft Windows 95, Microsoft Windows NT 4.0, Microsoft Windows 98
Category: Unauthorized Access Attempt
Back Orifice 2000 is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. Back Orifice 2000 allows remote operation of infected Windows 95/98 and Windows NT computers. With the Back Orifice 2000 backdoor, an attacker can do the following:
The Back Orifice 2000 backdoor can be very difficult to remove manually, because it is highly configurable, making it difficult to identify on your system. By default, the Back Orifice 2000 backdoor will install itself in the Windows system directory as the file UMGR32.EXE. On Windows NT, it will install a service listed as "Remote Administration Service." However, this default name can be changed. Refer to the steps below for using an antivirus program to remove the backdoor.
To use an antivirus program to remove the Back Orifice 2000 backdoor:
References:
Microsoft Security Bulletin: What Customers Should Know About 'BackOrifice 2000', http://www.microsoft.com/security/bulletins/bo2k.asp
Cult of the Dead Cow (cDc) Web site: Back Orifice 2000, http://bo2k.sourceforge.net/
Internet Security Systems Security Alert #31: Back Orifice 2000, http://www.iss.net/xforce/alerts/id/advise31
Trend Micro Security Alert: Back Orifice 2000, http://www.antivirus.com/vinfo/security/sa071299.htm
Symantec AntiVirus Research Center: BackOrifice2K.Trojan, http://www.norton.com/avcenter/venc/data/back.orifice.2000.trojan.html
ISS X-Force: Back Orifice 2000 allows complete remote administrative control, http://www.iss.net/security_center/static/2343.php
CVE: CVE-1999-0660, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0660