Your Source for Security Products, Comparisons and Opinion


The latest versions of Windows includes TCP tunnel and advanced password recovery for Internet browsers. In today's application, most of antivirus can detect Sub7 program.

Subseven written in Delphi (also known as Backdoor-G and all of its variants) is the most well known Trojan backdoor application available.

You can download the setup-file of Sub7 from anywhere.

Some backdoor programs test the system and phone home to allow for future attacks. The best way to tell what version of SubSeven you are infected with is by running an updated antivirus program. It is similar to such malware as Back Orifice and Sub7 in that the suspect unknowingly downloads a backdoor through an email attatchment. Subseven tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online. Sub7 can also make the victim's machine act as a zombie used in a DDoS attack to bring down some servers

Default ports used by some known trojan horses:
port 31 Agent 31, Hackers Paradise, Masters Paradise
port 41 Deep Throat, Foreplay or Reduced Foreplay
port 110 ProMail trojan
port 113 Identd Invisible Deamon, Kazimas
port 559 (TCP/UDP)teedtap
port 605 Secret Service
port 1234 Ultors Trojan
port 1243 BackDoor-G, SubSeven , SubSeven Apocalypse, Tiles
port 1245 VooDoo Doll
port 1255 Scarab
port 12631 Whack Job
port 12754 Mstream
port 13000 Senna Spy Trojan Generator

The first version from SubSeven appeared in May 1999. SubSeven 2.0 is present since September 1999 and was written by an individual called MobMan. Apart from an extension of the characteristics above all the configuration options for the server installation were extended.

Besides, if the attack originated from a system that has a direct connection to your server or workstation with no gateway in between, then you can use the MAC address. The zip-file downloaded contained 3 executables: server.exe; sub7.exe and EditServer.exe. Moreover, the attack patterns for the NIDS snort can be used to recognize SubSeven network activity.

This trojan for the Windows platform is divided into two parts: a client tool and server software. The client and the server program, also again the Tool is contained for the modification of the actual server "EditServer" in the Orginal Zip file. Download an infected email attachment could be worse!

This trojan is the most popular and the most powerful Trojan Horse program available to the public.

Screenshots: Main Interface

When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven). Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL. This worm is also known as Backdoor.Subseven. This RAT or remote administration tool comprises two elements: the server.

After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.

Screenshot: Sub7 Victim Control Center - Remote Access Trojans

All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors. Please note that Troj/Sub7-2-13a is a backdoor package. Several versions of the package exist on the Internet, in 2009.

What can sub7 actually do?

    SubSeven can do just about anything to anybody.
  • Internet downloads are slow
  • Monitor ALL of your online activity (purchases, chat, mail)
  • Strange dialog boxes appear
  • Restart Windows
  • Disable your antivirus or firewall
  • Shutdown your computer or reboot your computer
  • Log Keystrokes
  • Download Files
  • Open an FTP server on your machine

Discovered Trojan: June 6, 1999

Systems Affected:
  • Windows 2000, Windows 95, Windows 98
  • Windows Me, Windows NT, Windows XP

Known TCP ports for SubSeven::
  • 1243
  • 6711
  • 6712
  • 6713
  • 6776

Latest known version:
  • SubSeven Apocalypse
  • SubSeven 2.1.1 Gold
  • SubSeven 2.1.3 Bonus
  • SubSeven 2.1.4 DEFCO
  • Subseven 2.1.5 Legend

Screenshot: Sub7 Client Control Center

How to remove Subseven

This trojan tends to escape virus detection due to the fact that it morphs, or changes a little each time its sent to a new victim. By using a backdoor program such as: netbus or backorifice, an intruder can gain unauthorized access to the resources your machine has to offer.

Main Window. Allows the hacker to change different server settings. As you can see, one of the options is completely removing the server from the host machine.

Print - Allows a hacker to print anything out on your home printer. This is typically used by the pranksters.

Fun Manager - One of the many "fun" features SubSeven offers. This is the prankster-toy side of this malware.

Screen Capture. Allows a hacker to receive continuous screen shots of your screen. This mean that whatever you see, chat, e-mail, online shopping, the hacker sees as well. These live feeds can actually be saved so the hacker can play it back like a movie and go over any information he/she might have missed.

File Manager. Allows the hacker to copy, delete, rename, run any file on your computer.

Screenshot - Subseven Interface: This is the configuration utility edits the server settings.

Files on an infected machine:
  • server.exe
  • rundll1.exe
  • systray.dl
  • Task_bar.exe
  • MVOKH_32.dll
  • nodll.exe
  • watching.dll

Screenshot - Mac Edition: This one includes several remote command ( IP Notify, Numlock...)

How it loads, where it hides

sub 7 trojan

It can be set to hide in just about any directory and can be loaded from the registry, system.ini, win.ini, and a few other less known places. Since the server editor that comes with Sub7 allows customization of startup, and the actual executable file, it is impossible to pinpoint the exact place Sub7 hides (since it's different with every file).

Subseven application tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.

All Sub7 components (files) should be deleted from an infected system for successful disinfection.

The worm drops a Trojan program to '\explorer.exe' that modifies different IIS settings (related to Code Red)t

NOTE: This information is supplied for educational purposes only.
[October 16, 2014]

Subseven Trojan - 2015 Edition

Sub7; Subseven or Sub7Server is similar to Netbus or Backorifice. Once downloaded, this backdoor program tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.

The Trojan horse program downloads because of an exploited bug in Internet Explorer or through an infected email attachment. To resolve this issue, install current antivirus software.

Because the worm modified the registry so that you cannot run the .exe files. Once a PC is infected it allows the hacker access to all admin controls and files on the machine. Besides, Sub7 can also record every keystroke made on the computer.

Find here the answers to the most commonly asked questions about trojan horse. Learn how to identify Internet threats and protect yourself online. This trojan horse program specifically targets Windows 95 and Windows 98.


VideoJug film
Spam email is all that annoying junk that falls into your inbox

Secure USB Device
Introducing the first plug and play secure remote file access


Our information site provides both independent and free recommendations and ratings of online software and services.

Whenever possible, we test each product and can receive advertising revenue from makers of security applications we review. The comments expressed are our own.

You can also decide to follow us on Twitter and Facebook to keep up with the latest announcements about web applications techniques on your favorite topics.

Why use

Recognised as the leading resource for online resources in the software industry, we deliver the latest reviews for non-geeks and technical professionals focusing on personal computers, smartphones and tablets.

Sign up for our newsletter

Pretty much the best thing you'll do today