RegRun vs Back Orifice 2000

What is Back Orifice?

This is the infamous virus that allows remote operation of any computer on a local network or over the Internet. On the controlled computer, the "server" program is installed and is typically started automatically when Windows starts. The controlling computer is then able to receive complete information about the controlled computer (information on disks, files, passwords, the local network, etc.) using the Trojan's "client" program. It is also possible to copy any file, send a message, reboot the computer, or start any program. Back Orifice is an excellent program for remote operation, but it is typically used for mercenary purposes and to cause damage.


How is it possible to catch Back Orifice?

Simply by starting an executable file. The file can be disguised under a useful-sounding name. Be careful when starting files of unknown origin.


Why do the traditional ways of protection not work?

The majority of antivirus programs only check for known viruses. Back Orifice is distributed free of charge along with its source code. It is therefore easy to create a new version of the program, and the antivirus program will not find it.

RegRun exploits a major weakness of Trojans: the Trojan program has to be started automatically together with Windows. Otherwise it is not dangerous!

After its first start, RegRun remembers which programs are started automatically and considers those safe. We recommend that you review these programs the first time you use RegRun. After that, any new program that is set to start automatically will be detected and you will be notified about it.
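The baseline-and-compare idea described above, written out as an added example (this is not RegRun's own code): record the autostart entries once, then report anything that appears later, and flag new entries that live in the Windows system folder, the heuristic used in the Windows 98 walkthrough below. Reading the Run key needs the winreg module and therefore only works on Windows; the comparison runs anywhere and is shown here on constructed sample data.

```python
import ntpath
import shlex

try:
    import winreg  # Windows only; absent elsewhere
except ImportError:
    winreg = None

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def read_run_entries():
    """Read the HKLM and HKCU Run keys as {"HIVE\\ValueName": command} (Windows only)."""
    entries = {}
    if winreg is None:
        return entries
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries[f"{hive_name}\\{name}"] = str(value)
                index += 1
    return entries

def diff_autostart(baseline, current):
    """Entries absent from the baseline, or whose command line changed."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}

def launched_from_system_folder(command):
    """Heuristic from the text: the program lives in the Windows system folder."""
    exe = shlex.split(command, posix=False)[0].strip('"').lower()
    return ntpath.dirname(exe).endswith(("\\windows\\system", "\\windows\\system32"))

# Constructed sample: baseline recorded on first run, then a later snapshot in
# which an unknown program has been added to the Run key, as in the text.
BASELINE = {r"HKLM\ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
LATER = dict(BASELINE, **{r"HKLM\UMGR32": r"C:\WINDOWS\SYSTEM\UMGR32.EXE"})

def report(baseline=BASELINE, current=LATER):
    """Map each new entry to whether it also matches the system-folder heuristic."""
    return {k: launched_from_system_folder(v)
            for k, v in diff_autostart(baseline, current).items()}
```

On a live Windows machine, save `read_run_entries()` as the baseline after reviewing it, and pass a fresh `read_run_entries()` as `current` on each later check.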


Example of detecting Back Orifice 2000 on a computer with Windows 98 (or Windows 95).

Notice that the unknown program UMGR32.EXE tries to be started through the key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

It is Back Orifice 2000!

How did we determine it?

The program is started from the system folder "c:\windows\system".

In this folder there should be only system programs.

By pressing the "Get File Info" button you will see no information about the manufacturer or description of the file. There is a possibility, however, that it is required by Windows or that it is some other legitimate program.

Therefore, we should not delete it; we shall simply suspend its auto-running by turning the traffic light yellow.

The program remains in the list, but will not be started automatically.

Now restart the computer.

What has changed?
Do our usual programs work?

If all is good, then suspending the program had no effect on your usual work, and this program may be a Trojan.

But it is no longer dangerous!


Example of detecting Back Orifice 2000 on a computer with Windows NT.

You see the new service: "Remote Administration Service".

You didn't install this new service.

The name "Remote Administration Service" is a default name for Back Orifice 2000.

Remember!

The names of Trojan programs can sound very important, but that is a dodge!

Be careful!

If the purpose of this service is unknown, then it may be Back Orifice 2000.


Tip!

If you try to stop "Remote Administration Service" you will receive an error message.

This is a sign! You can easily stop most of the normal services.

The number of running services is not very large. Most are known and you can read about them in the Windows NT help. If you have trouble, contact us at http://greatis.com/support and we'll help you.

To suspend running of an unknown service (which may be a "Trojan" program), click the "Suspend Run" button and choose the "Disabled" service type. After that, click the "Continue" button. Restart your computer to apply the changes!

Use RegRun!

See also: RegRun vs "I love you" Trojan.