|
| Name: | SubSeven |
| Aliases: | Sub 7, BackDoor-G.cfg, BackDoor-G.srv, BackDoor-G.cli, Pinkworm, SubStealth, BackDoor-G2, Backdoor.SubSeven , .LOG, Sub7, |
| Ports: | 1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283 (various ports are used for different versions) |
| Files: | Subseven.exe - 308,224 bytes Subseven.exe - 312,320 bytes Subseven.exe - 381,440 bytes Subseven.exe - 388,096 bytes Subseven.exe - 428,469 bytes Subseven.exe - 623,104 bytes Subseven.exe - 624,128 bytes Sub7.exe - 468,992 bytes Sub7.exe - 479,232 bytes Sub7.exe - 491,520 bytes Sub7.exe - 493,056 bytes Sub7.exe - 519,680 bytes Server.exe - 250,368 bytes Server.exe - 251,904 bytes Server.exe - 333,547 bytes Server.exe - 335,237 bytes Server.exe - 335,799 bytes Server.exe - 336,867 bytes Server.exe - 336,934 bytes Server.exe - 342,042 bytes Server.exe - 352,287 bytes Server.exe - 380,835 bytes Server.exe - 382,371 bytes Server.exe - 385,858 bytes Server.exe - 867,840 bytes Editserver.exe - 186,368 bytes Editserver.exe - 195,584 bytes Editserver.exe - 221,184 bytes Editserver.exe - 303,802 bytes Editserver.exe - 404,992 bytes Editserver.exe - 484,352 bytes Systrayicon.exe - 768 bytes Systray.exe - 33,280 bytes Icqmapi.dll - 58,368 bytes Icqmapi.dll - 58,880 bytes Kerne1.exe - Kernel16.dl - Kernel32.dl - Explore.exe - Msrexe.exe - Mueexe.exe - Fueovs.exe - Uabmruua.exe - Windos.exe - Win32.exe - Nodll.exe - 32,768 bytes Nodll.exe - 33,230 bytes Subseven.ini - Skin.ini - 454 bytes Skin.ini - 464 bytes Skin.ini - 468 bytes Skin.ini - 481 bytes Rundll1.exe - Rundll16.exe - S7undetec.exe - 321,476 bytes Subpas1.cab - 1,312,768 bytes Subpas2.cab - 145,273 bytes Setup.exe - 140,800 bytes Ssetup.exe - 140,800 bytes Setup.lst - 3,656 bytes Ssetup.lst - 3,656 bytes Task_bar.exe - Mvokh_32.dll - Favpnmcfee.dll - Watching.dll - Run.exe - 11,371 bytes Sub7bonus.exe - Wandows.com - |
| Created: | Feb 1999 |
| Requires: | N/A |
| Actions: | Remote Access / ICQ trojan / IRC trojan |
| | Alters System.ini and Win.ini. The program "Mirc56freezer.exe" is in some cases infected with SubSeven 1.8. There are secret masterpasswords hidden in SubSeven, at least in versions 1.9 and 2.1. At least one file is compressed by the packer UPX 0.72. Pending on what functions you add to the server, the size of it will also change! With more than 100 "features" is one of the more powerful of all Remote Access Trojans(RATs). |
| Versions: | 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.9b, 2.0, 2.1, 2.1a, 2.1b, 2.1c, 2.1d, 2.13, 2.2b1, 2.2b2, |
| Registers: | HLM\Software\Microsoft\Windows\CurrentVersion\Run\ HLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ HLM\SOFTWARE\exefile\shell\open\command |
| Notes: | Works on Windows 95, 98 and NT. From version 2.2 beta 2 also on NT, before only on 95 and 98. Version 2.1 can also be controlled via messages over IRC and ICQ. From 2.13 all file names are default names and can be changed. ˆ Source code is decompiled and available. |
| Country: | N/A |
| Program: | Written in Delphi. |
 Using the Process Monitor from AATools, you will see whether any foreign
programs are running on your computer. If you find some unwanted program, you
can terminate it by clicking the 'Terminate Process' button on the Toolbar.
Using the AATools Network Monitor, you can see what ports are in use on
your local PC for connection with remote systems (LAN/Internet). On Windows
NT/2000/XP the Network Monitor will display you the services that are active on
the ports, and map the ports to their respective applications. If you register
port probes directed against ports that are normally not used, it is possible
that someone is trying to connect to a Trojan inside your network. Using the
Registry Cleaner (Startup section) from AATools, you will see
the list of programs that are registered under Run, RunOnce, RunOnceEx and
RunService registry keys. So you can find out what programs are started behind
your back. You should check these programs to see they are legitimate ones but
not Trojans programs.
0-C | D-H | I-N
| O-S | T-Z
If you have any questions or information about ports used by Trojans not
listed above, please contact us. |
