Friday, October 11, 2013

TROJANS

Trojan horses: Back Orifice and NetBus.

Back Orifice: The American hacker group Cult of the Dead Cow (http://www.cultdeadcow.com) has published a program named "Back Orifice", which it calls a "remote administration tool for networks". That the intention is a different one is already clear from the name: Back Orifice (rear opening) is best translated here as "back door", because the program makes it almost child's play to wreak havoc on Windows PCs. The allusion to Microsoft's "BackOffice" suite is amusing.

The "server module" is only 124 KByte in size and can be attached to any Windows EXE program in order to slip it to unsuspecting users. When the file is executed under Windows 95 or 98, the server embeds itself almost invisibly in the system. From that moment on, the Trojan horse just waits to be woken up over UDP.

With the client one can comfortably access the affected computer. Among other things, one can manipulate the file system (download files, etc.), terminate tasks, and much more. The functional principle of Back Orifice is already known from other hacker tools; what is new is mainly the convenient operation of the graphical "administration component": a few inputs and mouse clicks are enough to terminate processes, log keyboard entries, manipulate the Windows Registry or redirect IP addresses.

An interesting hands-on report can be found at a German address: check this out, or this one also.

To check your system for an existing Back Orifice, there are programs such as BoDetect (http://www.spiritone.com/cbenson/current_projects/backorifice/backorifice.htm) or the program BoreD (http://www.st-andrew.ac.uk/sjs/bored/bored.html). It is also very simple to remove Back Orifice manually: open the Registry (run regedit.exe) and look under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

for an entry with the name " .exe" (the default file name) and/or an entry that is 124,928 bytes long (+/- 30 bytes). Delete this entry; it causes the Back Orifice server to be activated automatically at each Windows start.

The program usually lies in the directory "\Windows\System" and is recognizable by the fact that it has no program icon and a size of 122 KByte (or slightly more). If for any reason you cannot find the file, it may help that other information can be found as ASCII strings in the program code; for example, the character string "bofilemappingcon" is very likely contained in it, which you can find via the search in the Explorer.

In addition to the Back Orifice program file, "WINDLL.DLL" is installed in the same directory for logging keyboard entries; you should sensibly delete it as well, although on its own it can cause no damage.

The problem with Back Orifice is that it is difficult to find out the host's IP address, since this changes every time the affected computer dials in. Carl Fredrik Neikter solved this problem and created an even more powerful solution with his program "NetBus", which is quite similar. It offers still more functions and is simpler to install.

NetBus:

After you have downloaded the appropriate file, you should unpack it. You now get three files: NETBUS.EXE, NETBUS.RTF and PATCH.EXE

PATCH.EXE is the dangerous infection program, the actual Trojan horse. So do not start this file! The file NETBUS.RTF contains short English instructions by the author. The file NETBUS.EXE is the "client" with which you can access infected servers. You can start this one without concern. For testing, start the server on your own computer by opening a DOS prompt and starting the server in the NetBus directory with the parameter "/noadd", i.e. PATCH.EXE /noadd [RETURN]

Now the server is running. You can now start the client (double-click NETBUS.EXE) and access your own computer. Select "localhost" or "127.0.0.1" as the address. If you want to terminate the server, select "Server Admin" in the client and then "Close Server".

In addition, the infection program can be modified so that it automatically sends the IP address to a chosen e-mail address as soon as a computer infected with NetBus goes onto the Internet. This is the enormous advantage over Back Orifice. To do so, one selects the button "Server Setup" in the NetBus client and enters the appropriate information. The only difficulty is finding a free mail server that accepts mails from any IP address. Then one selects "Patch Srvr" and selects the infection file to be patched (by default "patch.exe").

Whoever tries to infect another computer can now simply send the file PATCH.EXE by e-mail to another Internet user and call the file a "Windows update" or some funny animation. The file can be renamed at will (e.g. Win98update.exe or siedler2_patch.exe etc.). When the file is started, visibly nothing happens. However, the NetBus server has already installed itself hidden on the computer and from now on is started automatically each time the computer is booted.

If one made the changes above to the infection program, one now automatically receives an e-mail with the IP address of the infected computer as soon as it goes online. You can now enter this IP address in the NetBus client and manipulate the computer.

For safety's sake, hackers use anonymous e-mail addresses, as offered for example by hotmail.com or mail.com.

To protect your system, Norton AntiVirus is recommended, which recognizes NetBus as well as Back Orifice. You can also work manually again here. The automatic NetBus start is registered in the Registry under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and should be removed. However, the file name can vary (patch.exe, sysedit.exe or explore.exe are some well-known names).
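As an added example (not part of the original post), the manual registry and file-size checks described above for both Trojans, run over a constructed .reg export of the RunServices and Run keys and a constructed list of file sizes; the value names, paths and sizes in the sample are invented for illustration, while the indicators themselves are the ones the text names.

```python
# Constructed sample data (not from the original post): a .reg export of the two
# autostart keys the article names, and the sizes of the files they point to.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"
"Explorer32"="C:\\WINDOWS\\SYSTEM\\wsock.exe"
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysEdit"="C:\\WINDOWS\\sysedit.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""
SAMPLE_SIZES = {                                # bytes, constructed values
    r"c:\windows\system\ .exe": 124928,
    r"c:\windows\system\wsock.exe": 124940,     # renamed server: size gives it away
    r"c:\windows\sysedit.exe": 412160,
}

# Indicators taken from the article.
BO_SIZE, BO_TOLERANCE = 124928, 30              # Back Orifice server length +/- 30
BO_DEFAULT_NAME = " .exe"                       # default file name (leading space)
NETBUS_NAMES = {"patch.exe", "sysedit.exe", "explore.exe"}
RUN_SERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def parse_reg_export(text):
    """Return {key: {value_name: string data}} from a .reg export (string values)."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double the backslashes inside string data; undo that.
            entries[key][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return entries

def scan(reg_text, file_sizes):
    """Flag autostart entries that match the Back Orifice / NetBus traits above."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, path in values.items():
            base = path.rsplit("\\", 1)[-1].lower()
            size = file_sizes.get(path.lower())
            near_bo_size = size is not None and abs(size - BO_SIZE) <= BO_TOLERANCE
            if key == RUN_SERVICES and (base == BO_DEFAULT_NAME or near_bo_size):
                findings.append(("Back Orifice", name, path))
            elif key == RUN and base in NETBUS_NAMES:
                findings.append(("NetBus", name, path))
    return findings
```

A name match alone (sysedit.exe is also a legitimate Windows 9x tool) is only a hint; confirm it against the file's location and size before deleting the entry.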