Best Practices

BACKDOOR PROGRAM REMEDIES

“Backdoor” and trojan horse (hidden or masked) programs are used by attackers to access your computer system without your knowledge or consent. Some are introduced through e-mail messages, and some are hidden within files, programs or games downloaded from the Internet. With a backdoor program installed, the attacker gains complete control over your system: they can shut down or restart your computer, retrieve your cached or saved passwords, and upload, download, change or delete files and programs on your system. They can also launch attacks on other computer systems, install programs, or trash data and files. Backdoor programs should be removed as soon as possible after detection.

SubSeven Backdoor Program:

Use an anti-virus program to remove the SubSeven backdoor.

  1. Download and install the Symantec Anti-Virus software available at http://helpdesk.its.uiowa.edu/virus/

  2. Install the latest virus pattern update, using the "LiveUpdate" function in the program.

  3. Run the antivirus program to scan your system for this backdoor. It will find and remove it from your system.

Back Orifice Backdoor Program:

WARNING: Use the registry editor with extreme caution.  You may wish to consult with the ITS Help Desk (4-HELP) for assistance with the removal of this backdoor program from your system.    

  1. Using the Registry editor, find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices registry key.

  2. Find and delete the registry entry named (Default) that has a data value of .exe.

  3. Restart the computer. IMPORTANT: Do not delete the file below until your computer has been restarted!

  4. Delete the file exe~1 from C:\Windows\System.

NetBus Trojan Horse Program:

WARNING: Use the registry editor with extreme caution.  You may wish to consult with the ITS Help Desk (4-HELP) for assistance with the removal of this backdoor program from your system.   Detailed removal instructions for all versions of NetBus can be found at http://www.hackfix.org/netbusfix/ 

  1. Using the Registry editor, find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key

  2. Find all values whose data includes the /nomsg option, note the program names they launch, and delete those values. The exact value may vary, but it will always include /nomsg. (If you can’t find such a value, see below for further instructions on removing NetBus 1.6 or later.)

  3. Restart the computer. IMPORTANT: Do not delete the files below until your computer has been restarted!

  4. Delete the programs that you noted in step 2, using the find files utility on your system (e.g., SysEdit.exe, KeyHook.dll, patch.exe).

  5. Empty your recycle bin.

For NetBus 1.6 or later:

  1. From a DOS command prompt, type: telnet <your computer name> 12345. If "NetBus 1.6" or "NetBus 1.7" appears with a value after it, a password has been set. (Otherwise no password has been set, so skip step 2.)

  2. If a password has been set, type: Password;1 where 1 is the value noted in the NetBus banner. (The command will not display.)

  3. Type: RemoveServer;1 (The command will not display.)

Back Orifice 2000 Backdoor Program:

WARNING: Use the registry editor with extreme caution.  You may wish to consult with the ITS Help Desk (4-HELP) for assistance with the removal of this backdoor program from your system.    

  1. Using the Registry editor, find the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key.

  2. Look for a key called "Remote Administration Service" (not to be confused with the RemoteAccess service) and open the key if it exists.

  3. Find and delete a value called "ImagePath". Check to see if the name of the executable is "UMGR32.exe".

  4. Restart the computer. IMPORTANT: Do not delete the file below until your computer has been restarted!

  5. Delete the file "umgr32.exe" located in your Windows system directory (probably c:\windows\system32).
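The registry locations named in the Back Orifice, NetBus and Back Orifice 2000 procedures above can be reviewed offline, from a regedit export, before anything is deleted by hand. The following Python is an added example and not part of this page or the University's own tooling: it parses a constructed `.reg` export (sample data, not a real capture) and reports the three indicators the procedures describe, using only the key names, value names and file names given above.

```python
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = RUN_KEY + "Services"
BO2K_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Administration Service"

# Constructed sample export (not real captured data): one indicator per
# family from this page, next to an ordinary autostart entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=".exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SysEdit"="C:\\WINDOWS\\SysEdit.exe /nomsg"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Administration Service]
"ImagePath"="C:\\WINDOWS\\system32\\UMGR32.exe"
"""

def parse_reg_export(text):
    """Return {key_path.lower(): {value_name: data}} for a regedit .reg export.
    Only REG_SZ values are kept ('@' is the (Default) value); key paths are
    lower-cased because the registry is case-insensitive but exports are not."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double backslashes and escape quotes inside strings
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_indicators(keys):
    """Return (family, key, value_name, data) for each entry the page names."""
    hits = []
    for name, data in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        # Back Orifice: (Default) value in RunServices whose data is ".exe"
        if name == "(Default)" and data.strip().lower() == ".exe":
            hits.append(("Back Orifice", RUNSERVICES_KEY, name, data))
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # NetBus: a Run value whose command line carries the /nomsg option
        if "/nomsg" in data.lower().split():
            hits.append(("NetBus", RUN_KEY, name, data))
    service = keys.get(BO2K_KEY.lower())
    if service is not None:
        # Back Orifice 2000: the service key exists; the page says its ImagePath names UMGR32.exe
        hits.append(("Back Orifice 2000", BO2K_KEY, "ImagePath", service.get("ImagePath", "")))
    return hits
```

Point `parse_reg_export` at a real export taken with regedit's Export function to get a review list before following the manual steps above.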

Copyright © 2005 The University of Iowa. All rights reserved.