BoDetect is easy to use.á Simply unzip the zip file into a temporary directory and run 'setup.exe'. The very first time you run BoDetect, it will open the main dialog to allow you to set the options you want:
- Autoscan: If this box is checked, then BoDetect will scan your system automatically when it is first run.
- Silent Mode: Selecting this option will let BoDetect run silently, only alerting you if Back Orifice is
found on your system, or in the event of an error.
- Monitor System: This option will enable BoDetect to run in the background and scan your system at user-defined
intervals (which you select from the list, in increments of one minute). If silent mode is
also enabled, BoDetect runs silently in the background until an infection is discovered.
- Generate Log: This option lets you turn scan logging on or off.
After you set the options for the first time, a BoDetect icon will sit in your system tray. Right clicking on this icon will bring up a menu. From this menu you can do the following:
- Open: This will bring up the main BoDetect dialog (Double clicking the tray icon does the same).
- Exit: Closes BoDetect.
The main BoDetect dialog also has a button labeled 'Detect'.á Click it and if either Back Orifice or Netbus is detected, you get detailed information on how many instances were found, and the names of the executables and registry keys they were installed as.
Then, just click on 'Remove' and BoDetect will remove the trojans from your system instantly.á The infected files will be renamed to a safe name so they cannot be accidentally executed. The scheme BoDetect uses to rename files is like this:
If the infected file is called 'keyboard.drv'
BoDetect renames it to 'keyboard.drv.BOD'
If the infected file is installed as the default of ' .exe', then BoDetect will
rename it BACKORIFICE.BOD for easier distinction.
The renamed file(s) will be moved to a directory called 'Infected Files' that will be created in the same directory as BoDetect.á You can delete them or do whatever you want to with them! BoDetect also creates a log file (BoDetect.log) that details the registry keys that were removed and the program files that were renamed.á
Uninstallation:
Open Control Panel, select 'Add/Remove Programs' and select BoDetect for uninstallation.
Upgrades, bug fixes and additions:
v2.5(beta) Added support for Netbus 1.5x, 1.6, and 1.7 detection and removal. Revised the
user interface to be easier to use. Added several options to the 'Options' panel,
including the ability to easily clear and/or view the log file. Upgraded the
scanning engine to be faster and more memory efficient. Upgraded the installation
package to use InstallShield for more automated and easier installations.
v2.01 - Modified the installation procedure BoDetect uses to register the scan engine to
improve reliability on certain systems. Fixed bug that could prevent options
from being saved properly.
v2.0 - Removed the installation package I was using. Too many people reported problems
using it. Added 'AutoScan' so that BoDetect can automatically scan your system
on startup without user interaction, if desired. Added ability to enable/disable
event logging. Added 'silent' mode for easier use in automated environments (login
scripts etc...). Added 'timed scanning' feature so that BoDetect can monitor
your system without user intervention. Updated the user interface slightly.
Fixed bug in scanning engine that could affect file renaming under certain
circumstances.
v1.5 - Added an installation program for easy setup and removal of BoDetect. User
Interface has been reworked a little. Fixed a bug that sometimes incorrectly
identified the %windows% path. Scanning engine upgraded. Now detects and
removes certain leftover BO files and registry keys that can be created from
certain configurations of Back Orifice. Also now removes the 'windll.dll'
file that BO creates when it is run.
v1.0.2 - Modified the scanning engine for better detection. The generated log file has been
cleaned up and should be easier to readInfected files now moved to 'Infected Files'
directory rather than being left in win/sys.
v1.0.1 - Fixed bug that sometimes prevented the infected file from being renamed. This
only occurred in cases where back orifice was installed under its default
name of " .exe". It was an intermittant problem, but now any infected file
that was named " .exe" is now renamed to BACKORIFICE.BOD for easy distinction.
-------- Comments, Suggestions, or Bug Notices Go Here ------------
