
Protect Your System While Using the Internet

As a service to our customers, the Nevada Bell Internet Services Policy Department informs you of security issues that may pose a problem. Recently, it has come to our attention that a growing number of our customers' computers have become infected with the Back Orifice and NetBus programs.

How Your System Gets Infected

These programs are usually received when the user downloads a file via IRC (Internet Relay Chat), through ICQ, in e-mail attachments, or by downloading graphics, software or other binary files from the Internet. Once on your system, these programs allow anyone on the Internet to connect to your computer and use it remotely. This means any time you connect to the Internet, others can make use of your computer to engage in potentially malicious activity.

Back Orifice and NetBus currently only work on Windows computers. If you are using a Macintosh, a Unix or Linux machine, or other non-Microsoft operating system, you are currently safe from this particular threat.

There are different ways to approach the Back Orifice and NetBus infections, and we would like to recommend the following guidance to help you check your computer, remove any infection, and avoid any future compromises. While our technical support staff is always available to assist you with your Nevada Bell Internet Services access, please note that you are responsible for the security of your own computer and our staff are unable to assist in walking you through these recommended steps.

Detecting and Removing Back Orifice and NetBus

Information on both Back Orifice and NetBus, including instructions for removing them by hand, may be found at Back Orifice "Backdoor" Program.

Also at this site are links to a Back Orifice and NetBus detection and removal program called BODetect. This seems to be the best available program for detection and removal of these programs, and it is free for non-commercial use.

Whether you remove BO/NetBus by hand or by using BODetect or a commercial anti-virus program, after you have done so you should immediately change your Internet account password. Please see below for instructions on how to do that.

You should also change any other passwords stored on your computer, such as passwords for accessing work, other e-mail accounts, or even Web sites that you access with a password.

How to Protect Your System

Preventing files from being put on your computer with ICQ
When engaged in Internet Chat with the ICQ program, a design flaw in that program can allow people sending a file to your computer to make it appear that they are sending you a file of one type (say, a JPEG image), when in fact they are actually sending you an executable program. If you click the button to open the file when the transfer completes, you may end up executing a program that contains Back Orifice or NetBus. It is recommended that you use anti-virus software to scan programs you receive with ICQ before opening and executing them.

Preventing files from being put on your computer with mIRC
The default configuration of some versions of the mIRC client program for Internet Relay Chat will automatically accept files sent to you from anyone. To check this, go into mIRC, go to the "DCC" menu, and select "Options." Under the "Send" tab, make sure that your setting for "On send request" is either "Show get dialog" or "Ignore all." If it is set to "Auto get file," then you are vulnerable to having files put onto your computer without your being aware of them. The "Show get dialog" will prompt you to accept or reject any files being sent to you, and "Ignore all" will cause all attempts to send you files via IRC's DCC to be ignored. Please note that even with "Show get dialog" it is possible for a malicious user to send you a file that appears to be something innocuous (say, a JPEG image) when it is actually an executable program, similar to the problem with ICQ.
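The disguise described above for ICQ and mIRC transfers (a file presented as a JPEG image that is really an executable program) can be caught by comparing what the file name claims with the file's leading bytes. The following is an added example, not part of the original advisory; the function names and sample files are constructed for illustration, and flagging an image extension placed before a final program extension goes beyond the single case the page describes.

```python
import os

# Header ("magic") bytes of the file types relevant to this check.
MAGIC = [(b"MZ", "exe"),                       # DOS/Windows executable
         (b"\xff\xd8\xff", "jpeg"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif"),
         (b"\x89PNG\r\n\x1a\n", "png")]
EXT_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png",
            "exe": "exe", "com": "exe", "scr": "exe", "pif": "exe"}

def sniff_type(data):
    """Identify content from its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def name_types(name):
    """Map each dot-separated suffix of the file name to a known type or None."""
    parts = os.path.basename(name.strip()).split(".")[1:]
    return [EXT_TYPE.get(p.strip().lower()) for p in parts]

def check_received_file(name, data):
    """Compare what the name claims with what the bytes actually are."""
    claimed = name_types(name)
    final = claimed[-1] if claimed else None
    actual = sniff_type(data)
    if actual == "exe" and final != "exe":
        return "disguised-executable"    # program bytes under an image name
    if final == "exe" and any(t not in (None, "exe") for t in claimed[:-1]):
        return "disguised-executable"    # image suffix hidden before .exe
    if actual == "exe" or final == "exe":
        return "executable"              # honest program: scan before running
    if actual == "unknown":
        return "unknown"
    return "consistent" if final == actual else "mismatch"

# Constructed samples: (file name as shown in the transfer, first bytes).
SAMPLES = [("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
           ("holiday.jpg", b"MZ\x90\x00\x03\x00"),
           ("holiday.jpg        .exe", b"MZ\x90\x00\x03\x00"),
           ("game.exe", b"MZ\x90\x00\x03\x00")]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{check_received_file(name, head):22} {name!r}")
```

A "consistent" result only means the name and the content agree; it does not replace the anti-virus scan recommended above.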

Be cautious about e-mail attachments and downloads
Back Orifice and NetBus can also be sent as e-mail attachments or downloaded as software. They can be attached to other programs so that it appears you have downloaded and executed a normal program, but in the process Back Orifice or NetBus has quietly installed itself. For example, a simple game called "Whack-a-Mole" (filename "game.exe") is being used to distribute NetBus.

To prevent infections from e-mail attachments and downloads, use anti-virus software to scan any programs you download or receive in e-mail before running them. The current versions of Norton Anti-Virus and F-Prot Anti-Virus both detect Back Orifice. Make sure to keep your virus software up-to-date.

Always be wary of software that is offered to you by people you don't know either via e-mail or some other mechanism such as ICQ or mIRC.

Use of firewall software can protect your computer
Even if your computer is infected with Back Orifice or NetBus, you can prevent connections to your computer by using a program such as the Conseal PC Firewall or NukeNabber. These programs also notify you when someone attempts to make an unauthorized connection to your computer so that you can notify their Internet service provider to help prevent further abuse. Please note that some expertise may be required to configure these programs correctly, and we cannot offer technical support for them.

Change your password
If you even suspect that your computer may have been infected with Back Orifice or NetBus, we recommend changing your password immediately. It is generally a good idea to change your password every 3-4 months in any case.

We hope these suggestions will help you better enjoy your Internet experience by showing you how a few simple precautions can protect you from common but avoidable problems on the Internet.

If you have further questions about this, please contact our Policy Department at
using our Service Abuse Form.


Copyright © 2001, 2002 SBC Nevada Bell Internet Services. All rights reserved.