 _________________________________________________________
/ |           Detecting and Removing Back Orifice         | \
/\______|________________________________________|_________/\
---<||             By -(The Mad Scientist)-               ||>---
\/              themadscientist@x-stream.co.uk            \/
\_________________________________________________________/

SWAT MAGAZINE ISSUE NINETEEN: JULY 1999

It's become very clear recently that there are a whole lot of kids who've downloaded Back Orifice and don't really know how to use it. It's possible that if the server is installed, your machine could be a target for someone who randomly happens to sweep your IP range. So, here's a simple way to check whether boserve (the Back Orifice server-side component) has somehow been installed on your machine without you knowing:

Detecting it
============

Load up a DOS prompt while not connected to your ISP. Enter "netstat -a"; the screen will show something like this:

C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    default:31337          *:*                    <=============> the suspicious connection

If you see a connection to port 31337 active then it's a dead giveaway that you've got boserve installed. In any case, the mere fact that a connection is present while you're not connected to your ISP or network server indicates the presence of something suspicious.

Other trojans you may encounter:

Port listed     Trojan
========================
5000            Blazer
80              Exec (a nasty one)
21554           Girlfriend
12345           Netbus

Removing it
===========

If it's called " .exe" (space dot exe), which it is very likely to be, as most people don't bother to change the installation settings for boserve, then you can remove it by restarting your computer in MS-DOS mode, going to the WINDOWS\SYSTEM directory and typing "del exe~1" or "del exe~2". To verify that it has been removed, repeat the procedure above: restart your computer in normal mode, run netstat, and no connections should be listed. After this it should be removed.
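The netstat check above can be scripted so the port table does not have to be read by eye. The following is an added example, not code from the article; the port table is the one the article gives (31337 for boserve plus the four trojans in the list), and the netstat listing embedded in it is constructed to look like a Windows 9x "netstat -a" screen rather than captured from a real machine. With "--live" it runs the real netstat instead of the sample; any column layout with proto, local address and foreign address in the first three columns parses the same way.

```python
"""Scripted version of the netstat check: flag local ports from the article's table.

Added example, not the article's own code.  SAMPLE_NETSTAT is constructed
to resemble a Windows 9x `netstat -a` listing; it is not real captured data.
"""
import subprocess
import sys

# Port -> name, exactly as listed in the article.  Port 80 is also plain HTTP,
# so a hit there means "look closer", not "definitely infected".
TROJAN_PORTS = {
    31337: "Back Orifice (boserve)",
    5000: "Blazer",
    80: "Exec",
    21554: "Girlfriend",
    12345: "Netbus",
}

# Constructed sample: one boserve listener, one harmless NetBIOS port, one Netbus port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    default:31337          *:*
  TCP    default:137            *:*                    LISTENING
  TCP    default:12345          *:*                    LISTENING
"""


def parse_netstat(text):
    """Return [(proto, local_port, foreign, state)] for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # skip blank lines, the "Active Connections" title and the column header
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0].upper(), parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        # the port is whatever follows the last ':' (also handles [::]:31337)
        port_text = local.rsplit(":", 1)[-1]
        if not port_text.isdigit():
            continue
        rows.append((proto, int(port_text), foreign, state))
    return rows


def find_suspicious(text):
    """Return [(proto, port, name)] for rows whose local port is in TROJAN_PORTS."""
    hits = []
    for proto, port, _foreign, _state in parse_netstat(text):
        if port in TROJAN_PORTS:
            hits.append((proto, port, TROJAN_PORTS[port]))
    return hits


def main():
    if "--live" in sys.argv:
        # Real run; "-an" keeps addresses numeric so nothing waits on DNS.
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    hits = find_suspicious(text)
    if not hits:
        print("no listed trojan ports open")
    for proto, port, name in hits:
        print(f"{proto} port {port} open locally: matches {name}")


if __name__ == "__main__":
    main()
```

Run it without arguments to see the two hits in the sample (UDP 31337 and TCP 12345); the harmless port 137 row is parsed but not reported. As the article says, the stronger signal is any open port at all while the machine is offline, so the full parse_netstat list is worth printing too.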
To remove other trojans, simply check the "windows\system\" directory for suspicious exe files, or check out the trojan listing in last month's SWATmag to find out what the server files usually install as.

Maybe a good idea for you programmers out there (I may write something like this if I can be bothered :-) is to set up a program that listens on port 31337 for any attempted connections, then records the IP address of the lamer so you can trace them and apply your own twisted form of personal justice.

Until Next Month: Keep Hacking!

/=====================\
[-(The Mad Scientist)-]
\=====================/
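The listener the author proposes, written out as an added example (it is not the author's program and the article does not include one). Back Orifice's server speaks UDP on 31337, so this binds a UDP socket there, records the source address and time of every datagram that arrives, and never replies, so it cannot be mistaken for a real server. It assumes nothing else already holds the port; send_probe is a helper added here so the logger can be checked against itself on 127.0.0.1 before it is left running.

```python
"""Passive logger for probes arriving at UDP port 31337.

Added example, not the article's own code.  It records who sent a datagram and
when; it sends nothing back.  Binding requires the port to be free (i.e. boserve
itself must not be installed).
"""
import socket
import sys
import time


def make_listener(host="0.0.0.0", port=31337):
    """Bind a UDP socket on the port the Back Orifice server uses."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def wait_for_probe(sock, timeout=None):
    """Block up to `timeout` seconds; return (ip, port, nbytes, epoch) or None."""
    sock.settimeout(timeout)
    try:
        data, (ip, port) = sock.recvfrom(2048)
    except socket.timeout:
        return None
    # Only the metadata is kept; the payload itself is not logged or parsed.
    return (ip, port, len(data), time.time())


def format_record(rec):
    """One log line per probe: timestamp, source ip:port, datagram size."""
    ip, port, nbytes, when = rec
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(when))
    return f"{stamp} probe from {ip}:{port} ({nbytes} bytes)"


def send_probe(port, host="127.0.0.1", payload=b"x"):
    """Self-test helper (added here): send one datagram so the logger can be verified."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def main(logfile="bo_probes.log"):
    sock = make_listener()
    print("listening on udp/31337, Ctrl-C to stop")
    with open(logfile, "a") as log:
        while True:
            rec = wait_for_probe(sock)
            if rec is None:
                continue
            line = format_record(rec)
            print(line)
            log.write(line + "\n")
            log.flush()


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Because the logger never answers, a sweep tool sees the same silence it would get from a closed port, and the only thing gained is the record of who knocked; that record is what you would hand to your ISP rather than act on yourself. Binding to 31337 fails with "address already in use" if boserve is present, which is itself a useful signal.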