Free Subseven (SUB7) trojan resources and trojan remover -- last updated: May 12, 2008
Subseven (SUB7) Trojan and Subseven (Backdoor) Remover.


Sub7 or Subseven Gold (also known as Backdoor-G and all of its variants) is the most well known Trojan backdoor application available. You can download the setup file of Sub7 from anywhere.

The first version of SubSeven appeared in May 1999. SubSeven 2.0 has been available since September 1999. Apart from an extension of the feature set, it above all extended the configuration options for the server installation. Besides the client and the server program, the original Zip file again contains "EditServer", the tool for modifying the actual server. Downloading an infected email attachment could be worse!
This trojan is the most popular and the most powerful Trojan Horse program available to the public.



When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven). Then it unpacks a single DLL file, WATCHING.DLL, to the Windows System directory. It is also known as Backdoor.Subseven. For Backdoor-Sub7, no update is required to detect and remove the server portion.





After that the backdoor patches the Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.

All the recent versions of SubSeven are supplied with a server configuration utility that allows the server part's capabilities to be customized - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors.

Below is a partial list of what Sub7 can do.

  • Monitor ALL of your online activity (purchases, chat, mail)
  • Open Web Browser to specified location
  • Restart Windows
  • Reverse Mouse buttons
  • Delete ANY of your files
  • Put ANY file on your computer
  • Record your passwords
  • Record your Keystrokes (on and off-line)
  • Open/Close your CD-ROM drive
  • Print Documents
  • Change screen resolution
  • Change Windows colors
  • Change Volume
  • Change Desktop wallpaper
  • Play sounds files
  • Play voice (using a Text to Speech engine)
  • Turn off the speakers
  • Change time/date
  • Update itself with a newer version
  • etc...
This trojan tends to escape virus detection because it morphs, or changes a little, each time it's sent to a new victim.

Main Window. Allows the hacker to change different server settings. As you can see, one of the options is completely removing the server from the host machine.

Print - Allows a hacker to print anything out on your home printer. This is typically used by the pranksters.



Fun Manager - One of the many "fun" features SubSeven offers. This is the prankster-toy side of this malware.



Screen Capture. Allows a hacker to receive continuous screen shots of your screen. This means that whatever you see (chat, e-mail, online shopping), the hacker sees as well. These live feeds can actually be saved so the hacker can play them back like a movie and go over any information he/she might have missed.



File Manager. Allows the hacker to copy, delete, rename, run any file on your computer.

How it loads, where it hides

It can be set to hide in just about any directory and can be loaded from the registry, system.ini, win.ini, and a few other less known places. Since the server editor that comes with Sub7 allows customization of the startup method and of the actual executable file, it is impossible to pinpoint the exact place Sub7 hides (since it's different with every file). What makes it even harder to find is that it can be assigned a different file name each time it is run, so every time you reboot your computer the file is somewhat altered (making it much harder to track down and delete).
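
As an added example (not part of the original page or of any tool it mentions), the Python code below reviews the startup locations described above, WIN.INI, SYSTEM.INI and the Run/RunServices keys. It flags the file names the page lists and, because those names can be changed, anything that is not in a baseline of expected programs. The load=, run= and shell= keys are the standard Windows 9x INI autostart entries rather than details from the page; the sample data, tray32.exe and the baseline are constructed.

```python
import ntpath
import re

# File names the page lists for the SubSeven server. The server editor can
# rename the file, so a match is a strong hint and a miss proves nothing.
KNOWN_NAMES = {"server.exe", "kernel16.dl", "rundll16.com",
               "systemtrayicon!.exe", "window.exe", "watching.dll"}

# Constructed sample data, not taken from a real host.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\WINDOW.EXE\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe tray32.exe\n"
RUN_VALUES = [("Run", "SystemTray", "SysTray.Exe"),
              ("RunServices", "KERNEL16", "C:\\WINDOWS\\KERNEL16.DL")]
BASELINE = {"explorer.exe", "systray.exe"}  # programs expected at boot (assumed)

def program_name(command):
    """Lower-cased base name of the program a startup command launches."""
    command = command.strip()
    quoted = re.match(r'"([^"]*)"', command)
    path = quoted.group(1) if quoted else (command.split() or [""])[0]
    return ntpath.basename(path).lower()

def ini_values(text, section, keys):
    """Yield (key, value) for the given keys inside one INI section."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in keys and value:
                yield key.lower(), value

def autostart_findings(win_ini, system_ini, run_values, baseline):
    # load=/run=/shell= are the usual Win9x INI autostart keys (assumption).
    entries = []
    for key, value in ini_values(win_ini, "windows", {"load", "run"}):
        entries += [(f"WIN.INI {key}=", item) for item in re.split(r"[,\s]+", value)]
    for _, value in ini_values(system_ini, "boot", {"shell"}):
        entries += [("SYSTEM.INI shell=", item) for item in value.split()]
    entries += [(f"{key}\\{name}", cmd) for key, name, cmd in run_values]
    findings = []
    for location, command in entries:
        base = program_name(command)
        if base in KNOWN_NAMES:
            findings.append((location, command, "known SubSeven file name"))
        elif base and base not in baseline:
            findings.append((location, command, "not in baseline"))
    return findings
```

Each finding is a (location, command, verdict) tuple; a "not in baseline" verdict only means the entry needs a closer look, since the baseline itself is something the administrator has to maintain.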

Subseven tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.

All Sub7 components (files) should be deleted from an infected system for successful disinfection. The best way to tell what version of SubSeven you are infected with is by running an updated AntiVirus program.

