Subseven Trojan - Review
Description
    Review date: 06.04.2009

Sub7 or Subseven Gold (also known as Backdoor-G and all of its variants) is the most well known Trojan backdoor application available. You can download the setup-file of Sub7 from anywhere.

Some backdoor programs test the system and phone home to allow for future attacks. The best way to tell what version of SubSeven you are infected with is by running an updated antivirus program. It is similar to such malware as Back Orifice and Sub7 in that the suspect unknowingly downloads a backdoor through an email attatchment. Subseven tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online. Sub7 can also make the victim's machine act as a zombie used in a DDoS attack to bring down some servers

The first version from SubSeven appeared in May 1999. SubSeven 2.0 is present since September 1999 and was written by an individual called MobMan. Apart from an extension of the characteristics above all the configuration options for the server installation were extended.

This trojan for the Windows platform is divided into two parts: a client tool and server software. The client and the server program, also again the Tool is contained for the modification of the actual server "EditServer" in the Orginal Zip file. Download an infected email attachment could be worse!

This trojan is the most popular and the most powerful Trojan Horse program available to the public.


Screenshots: Main Interface

When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven). Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL. This worm is also known as Backdoor.Subseven. This RAT or remote administration tool comprises two elements: the server (installed on the “target's” workstation; and a client used by the remote administrator.



After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.


Screenshot: Sub7 Victim Control Center - Remote Access Trojans

All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors. Please note that Troj/Sub7-2-13a is a backdoor package. Several versions of the package exist on the Internet, in 2009.

What can sub7 actually do?

    SubSeven can do just about anything to anybody.
  • Internet downloads are slow
  • Monitor ALL of your online activity (purchases, chat, mail)
  • Strange dialog boxes appear
  • Restart Windows
  • Disable your antivirus or firewall
  • Shutdown your computer or reboot your computer
  • Log Keystrokes
  • Download Files
  • Open an FTP server on your machine


Discovered Trojan: June 6, 1999

Systems Affected:
  • Windows 2000, Windows 95, Windows 98
  • Windows Me, Windows NT, Windows XP


Known TCP ports for SubSeven::
  • 1243
  • 6711
  • 6712
  • 6713
  • 6776


Latest known version:
  • SubSeven Apocalypse
  • SubSeven 2.1.1 Gold
  • SubSeven 2.1.3 Bonus
  • SubSeven 2.1.4 DEFCO
  • Subseven 2.1.5 Legend



Screenshot: Sub7 Client Control Center

How to remove Subseven

This trojan tends to escape virus detection due to the fact that it morphs, or changes a little each time its sent to a new victim. By using a backdoor program such as: netbus or backorifice, an intruder can gain unauthorized access to the resources your machine has to offer.

Main Window. Allows the hacker to change different server settings. As you can see, one of the options is completely removing the server from the host machine.

Print - Allows a hacker to print anything out on your home printer. This is typically used by the pranksters.

Fun Manager - One of the many "fun" features SubSeven offers. This is the prankster-toy side of this malware.

Screen Capture. Allows a hacker to receive continuous screen shots of your screen. This mean that whatever you see, chat, e-mail, online shopping, the hacker sees as well. These live feeds can actually be saved so the hacker can play it back like a movie and go over any information he/she might have missed.



File Manager. Allows the hacker to copy, delete, rename, run any file on your computer.



Screenshot - Subseven Interface: This is the configuration utility edits the server settings.

Files on an infected machine:
  • server.exe
  • rundll1.exe
  • systray.dl
  • Task_bar.exe
  • FAVPNMCFEE.dll
  • MVOKH_32.dll
  • nodll.exe
  • watching.dll

Screenshot - Mac Edition: This one includes several remote command ( IP Notify, Numlock...)

How it loads, where it hides

It can be set to hide in just about any directory and can be loaded from the registry, system.ini, win.ini, and a few other less known places. Since the server editor that comes with Sub7 allows customization of startup, and the actual executable file, it is impossible to pinpoint the exact place Sub7 hides (since it's different with every file).

Subseven application tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.

All Sub7 components (files) should be deleted from an infected system for successful disinfection.

The worm drops a Trojan program to '\explorer.exe' that modifies different IIS settings (related to Code Red)t

NOTE: This information is supplied for educational purposes only.
What is Sub7 Trojan?
  • Sub7 or Subseven is similar to Netbus or Back Orifice. Once downloaded, this backdoor program tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.

    The Trojan horse program downloads because of an exploited bug in Internet Explorer or through an infected email attachment. To resolve this issue, install current antivirus software.

    Because the worm modified the registry so that you cannot run the .exe files. Once a PC is infected it allows the hacker access to all admin controls and files on the machine. Besides, Sub7 can also record every keystroke made on the computer.

    Find here the answers to the most commonly asked questions about trojan horse. Learn how to identify Internet threats and protect yourself online. This trojan horse program specifically targets Windows 95 and Windows 98.
Related to Site Reviews
  • Free Spyware Remover - Looking for anti-spyware that really works? Here's you'll find reviews of the best
  • Netbus Trojan Review - The biggest threat regarding malware is that most of them may be used to attack
  • Top Firewall Software - Learn about the latest technologies. Besides, we rank the best personal firewall
  • Top 10 Antivirus Software - To read our top-ranked antivirus programs review and see how they work by
  • Free Registry Repair - How to fix the Windows registry and system file errors? Read insightful software
  • Top 10 Antispam - Latest news about new anti-spam products, protection, evaluations, tips and tricks
2009 Internet Security - Sponsored Websites
VISIT THIS SPONSOR

Antivirus Software 2009 - Trend Micro Internet Security 2009 protects PCs from spyware, anti-phishing, virus, trojans and all other Internet threats. Best of all, it keeps intruders out and sensitive information in with a two-way firewall.
VISIT THIS SPONSOR

Firewall - ZoneAlarm Pro - The best way to secure your private information on your PC. Free services help you discover and recover from identity theft. ZoneAlarm Pro provides you with firewall with privacy protection. Scans for and removes thousands of spyware
VISIT THIS SPONSOR

AVG Antivirus with Anti-Spyware - AVG 8.5 brings a complete level of computer protection against the newest threats. It includes antivirus, firewall, with anti-spyware, and anti-spam. On top of that, the last major feature is a free support and