SubSeven.Trojan

Threat risk

Threat risk medium


Detection files published: Aug 2000	Description created: 2000-08-21	Description updated: 2001-11-08

Malware type: Trojan	Alias:	Spreading mechanism Email, IRC, Network

Payload:

Summary
Spreading description
Removal

Summary

SubSeven is a backdoor that may be used to get unauthorized access to computers. (NetBus was the first trojan that really made it easy for hackers to get access to and abuse an infected system.)

SubSeven is a client/server application. The server part has to be installed at the victim's system to gain access to it. SubSeven has all the same features as NetBus, including some more.

The SubSeven trojan can be configured to inform someone when an infected computer connects to the Internet, and tell that person all the necessary information to use the SubSeven Client part to connect to the victim's computer. This notification can be done via ICQ, IRC or Email.

The recent versions of SubSeven are supplied with a configuration utility. This configuration utility allows the user to customize the server part; Startup methods, Notification methods, Installation methods, Icon, Server filename, etc.

SubSeven can be considered to be one of the most advanced backdoor program at the Internet.

Spreading description

Email characteristics:

Subject: (Various)
Body:

(Various)

Attachment: (Various)

SubSeven is a backdoor trojan and is not able to replicate itself. Usually people get SubSeven via email or by downloading program files from the Internet. In addition to being one of the most advanced backdoor program SubSeven is also one of the most widely spread backdoor trojans.

Removal

Removal of SubSeven has to be done manually.

Note that all filenames in this description are default names used by the respectively versions of the SubSeven Trojan.

To remove the trojan, perform a virus scan and make a notice of all infected files. The trojan can be configured to use any filenames, therefore you have to check each locations mentioned below for the file name detected by your anti-virus software.

SubSeven v1.0-1.1

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\Systrayicon.exe by simply type the command:
del c:\windows\systrayicon.exe
Restart the computer and start Windows.
Start Regedit (Start|Run and type 'regedit')
go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Windows\Microsoft\CurrentVersion\Run
Delete the key SystemTrayIcon = "C:\Windows\SysTrayIcon.exe"

SubSeven v.1.2-1.5

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\nodll.exe by simply type the command:
del c:\windows\nodll.exe
Restart the computer and start Windows.
Double click the file c:\windows\win.ini to open it in a text editor.
Replace the line 'run=nodll.exe' with 'Run='
Save and close the file

SubSeven v1.6

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\Systrayicon.exe by simply type the command:
del c:\windows\systray.exe
Restart the computer and start Windows.
Start Regedit (Start|Run and type 'regedit')
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Windows\Microsoft\CurrentVersion\Run
Delete the key SystemTray = "SysTray.exe"

SubSeven v1.7

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\kernel16.dl by simply type the command
del c:\windows\kernel16.dl
Restart the computer and start Windows.
Start Regedit (Start|Run and type 'regedit')
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Windows\Microsoft\CurrentVersion\RunServices
Delete the key Kernel16 = "kernel16.dl"

SubSeven v1.8

Version 1.8 is the first SubSeven version that includes a configuration utility which can be used to modify how the server works. The default name and location of the Server part is c:\windows\kerne132.dl

See instruction for SubSeven v2.1 for removal.

SubSeven v1.9

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\kernel16.dl by simply type the command
del c:\windows\rundll16.exe
Restart the computer and start Windows.
Start Regedit (Start|Run and type 'regedit').
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Windows\Microsoft\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\ Windows\Microsoft\CurrentVersion\RunServices
Delete the key RegistryScan = "rundll16.exe"

SubSeven v2.0

Restart your computer in MS-DOS mode. (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
Delete the file c:\windows\rundll16.exe by simply type the command
del c:\windows\rundll16.exe
Restart the computer and start Windows.
Double click the file c:\windows\system.ini to open it in a text editor.
Replace the line;
shell = Explorer.exe RUNDLL16.exe with shell = Explorer.exe
Save and close the file.

SubSeven v2.1

SubSeven v2.1 can use four different methods to load itself. It can use one or more of the methods mention below. To remove check all the alternatives below:

Open c:\windows\win.ini and look for the lines; run=MSREXE.exe load=MSREXE.exe
Delete 'MSREXE.exe' from these lines.
Open c:\windows\system.ini.
Replace the line; shell = Explorer.exe MSREXE.exe with shell = Explorer.exe
Run regedit.exe
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\RunServices
Delete any keys with the value; 'MSREXE.exe'
Run Regedit.exe
Go to
HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan use this method to load itself, the value in this key will typically be"WINDOS \"%1\" %*"
Replace this value with; "\"%1\" %*" (by simply removing WINDOS from the beginning of the line.)
By using this method, SubSeven trojan will be loaded into memory every time any .exe file is loaded. A side effect of this is, if you delete the trojan (i.e WINDOS.exe) Windows will not be able to run any .exe program. Reboot the computer and delete all infected files.

SubSeven v2.2

SubSeven v2.2 can use different methods to load itself. It can use one or more of the methods mention below. To remove check all the alternatives below:

Run regedit.exe
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\RunServices
Delete any keys that refer to files detected by your Anti-Virus software.
Go to HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan use this method to load itself, the value in this key will typically be
"WINDOS \"%1\" %*"
Replace this value with; "\"%1\" %*" (by simply removing WINDOS from the beginning of the line.)
By using this method, SubSeven trojan will be loaded into memory every time any .exe file is loaded. A side effect of this is, if you delete the trojan (i.e WINDOS.exe) Windows will not be able to run any .exe program. Reboot the computer and delete all infected files.
Open c:\windows\win.ini and look for the lines; run=xxx and load=xxx
Where xxx refer to same filename as in point 1 above.
Delete 'xxx' from these lines.
Open c:\windows\system.ini.
Replace the line; shell = Explorer.exe xxx with shell = Explorer.exe
Reboot your computer.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Verwendung	Titel	Kommentar
	Schluss mit Viren auf Netzwerk-Shares
	Cleaning of back-up folders on Windows Me and XP

Seite drucken