BoDetect v2.01 Copyright 1998 by Chris Benson All rights reserved -------- Acceptable Use Statement --------------------------------- Read the EULA (eula.txt) agreement bundled with this software. You must accept the terms of the license agreement before using this software. ------------------------------------------------------------------- -------------------------------- BoDetect Installation and Usage -------------------------------- BoDetect is easy to use.  Simply unzip the zip file into the directory where you want BoDetect to be installed. The very first time you run BoDetect, it will display a dialog where you can set the options you want: - Autoscan: If this box is checked, then BoDetect will scan your system automatically when it is first run. - Silent Mode: Selecting this option will let BoDetect run silently, only alerting you if Back Orifice is found on your system, or in the event of an error. - Monitor System: This option will enable BoDetect to run in the background and scan your system at user-defined intervals (which you select from the list, in increments of one minute). If silent mode is also enabled, BoDetect runs silently in the background until an infection is discovered. - Generate Log: This option lets you turn scan logging on or off. After you set the options for the first time, a BoDetect icon will sit in your system tray. Right clicking on this icon will bring up a menu. From this menu you can do the following: - Open: This will bring up the main BoDetect dialog (Double clicking the tray icon does the same). - Detect: This option will initiate a system scan on demand. - Options: Brings up the 'Options' dialog you saw when you ran BoDetect for the first time. - About: Displays the standard about box, with a link to my website and email address. - Exit: Closes BoDetect. - UnInstall: This option will uninstall the BoDetect options from your registry. Then just delete the program files to complete uninstallation. To re-install, simply run BoDetect.exe again. The main BoDetect dialog also has a menu featuring many of the same options as above. There is a button labeled 'Detect'.  Click it and if Back Orifice is detected, you get detailed information on how many instances were found, the names of the executables and registry keys they were installed as. Then, just click on 'Remove' and BoDetect will remove Back Orifice from your system instantly.  The infected files will be renamed to a safe name so they cannot be accidentally executed. The scheme BoDetect uses to rename files is like this: If the infected file is called 'keyboard.drv' BoDetect renames it to 'keyboard.drv.BOD' If the infected file is installed as the default of ' .exe', then BoDetect will rename it BACKORIFICE.BOD for easier distinction. The renamed file(s) will be moved to a directory called 'Infected Files' that will be created in the same directory as BoDetect.  You can delete them or do whatever you want to with them! BoDetect also creates a log file (BoDetect.log) that details the registry keys that were removed and the program files that were renamed.  Uninstallation: Right-click the BoDetect system tray icon, and select 'UnInstall BoDetect'. Then just delete the program files to complete uninstallation. To re-install, simply run BoDetect.exe again. ----------------------- BoDetect Error Messages ----------------------- "BODetect could not register the scan engine" "CoCreateInstance Failed" These messages occurs if the engine registration process fails. There is a problem with some unzipping programs that don't support long filenames. There should be a file called 'bodengine.dll' in the directory where you installed BoDetect. If this file is called 'bodengin.dll' (without the trailing 'e') rename it to 'bodengine.dll' and try running the program again. I recommend using Winzip 7.0 from www.winzip.com. Upgrades, bug fixes and additions: v2.01 - Modified the installation procedure BoDetect uses to register the scan engine to improve reliability on certain systems. Fixed bug that could prevent options from being saved properly. v2.0 - Removed the installation package I was using. Too many people reported problems using it. Added 'AutoScan' so that BoDetect can automatically scan your system on startup without user interaction, if desired. Added ability to enable/disable event logging. Added 'silent' mode for easier use in automated environments (login scripts etc...). Added 'timed scanning' feature so that BoDetect can monitor your system without user intervention. Updated the user interface slightly. Fixed bug in scanning engine that could affect file renaming under certain circumstances. v1.5 - Added an installation program for easy setup and removal of BoDetect. User Interface has been reworked a little. Fixed a bug that sometimes incorrectly identified the %windows% path. Scanning engine upgraded. Now detects and removes certain leftover BO files and registry keys that can be created from certain configurations of Back Orifice. Also now removes the 'windll.dll' file that BO creates when it is run. v1.0.2 - Modified the scanning engine for better detection. The generated log file has been cleaned up and should be easier to readInfected files now moved to 'Infected Files' directory rather than being left in win/sys. v1.0.1 - Fixed bug that sometimes prevented the infected file from being renamed. This only occurred in cases where back orifice was installed under its default name of " .exe". It was an intermittant problem, but now any infected file that was named " .exe" is now renamed to BACKORIFICE.BOD for easy distinction. -------- Comments, Suggestions, or Bug Notices Go Here ------------ cbenson@spiritone.com -------------------------------------------------------------------