which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text based or gui client can be run on any Microsoft Windows machine.To install, the server the server simply needs to be executed. When the server executable is run, it installs itself and then deletes itself. This is useful for network enviroments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots. To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host, and use the Process spawn command to execute it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran. Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconf.exe utility. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe). The client communicates to the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password server was configured with. The port the client sends its packets from can be set using the -p option with both the gui and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server or the return packets might be blocked on their way back to the client. Actions are performed on the server by sending commands from the client to a specific ip address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the gui client using the "Ping..." dialog or by putting a target ip of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as subnet list and will display the first line of the first file it finds with the filename of the subnet. The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the gui and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The gui sets the label of the two paramater fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server. The functions of this trojan are: Spawn a text based application on a tcp port. Stops an application from listening for connections. Lists the applications currently listening for connections. Creates a directory. Lists files and directory. You must specify a wildcard if you want more than one file to be listed. Removes a directory. Creates an export on the server. Deletes an export. Lists current shared resourses (name, drive, access, password). Copys a file. Deletes a file. Searches a directory tree for files that match a wildcard specification. Compresses a file. Decompresses a file. Views the contents of a text file. Disables the http server. Enables the http server. Logs keystrokes on the server machine to a text file. Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'. Captures video and audio (if available) from a video input device to an avi file. Captures a frame of video from a video input device to a bitmap file. Captures an image of the server machine's screen to a bitmap file. Lists video input devices. Plays a wav file on the server machine. Lists current incomming and outgoing network connections. Disconnects the server machine from a network resource. Connects the server machine to a network resource. Views all network interfaces, domains, servers, and exports visable from the server machine. Pings the host machine. Returns the machine name and the BO version number. Executes a Back Orifice plugin. Tells a specific plugin to shut down. Lists active plugins or the return value of a plugin that has exited. Terminates a process. Lists running processes. Runs a program. Otherwise it will be executed hidden or detached. Redirects incomming tcp connections or udp packets to another ip address. Stops a port redirection. Lists active port redirections. Creates a key in the registry. Deletes a key from the registry. Deletes a value from the registy. Lists the sub keys of a registry key. Lists the values of a registry key. Sets a value for a registry key. Resolves the ip address of a machine name relative to the server machine. Creates a dialog box on the server machine with the supplied text and an 'ok' button. Displays system information for the server machine. Locks up the server machine. Displays cached passwords for the current user and the screen saver password. Shuts down the server machine and reboots it. Connects the server machine and saves any data recieved from that connection to the specified file. Connects the server machine and sends the contents of the specified file, then disconnects.