A large number of the detects we have received are apparently SubSeven Trojan related. From time to time we get questions asking what SubSeven is. Analyst Georg Wagner provided the following description.
SubSeven is a trojan for the Windows platform. It comes in at least two parts, a client and a server. The client is used by the hacker to connect to the victim's machine. Once the server.exe is installed on the victim's machine, the hacker has full access to the victim's machine.
The zip file I downloaded contained 3 executables:
Known Information about SubSeven
Known TCP ports for SubSeven:
The server.exe can be removed using the file client.exe. If you downloaded and extracted the zip archive of the SubSeven trojan, do not click on the file server.exe. Otherwise you will have infected your machine.
Detecting SubSeven on the Net
The following signatures for the NIDS Snort can be used to recognize SubSeven network activity:
alert tcp $HOME_NET 1243 -> !$HOME_NET any (msg:"
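To show what the rule header above actually keys on, here is an added example (not from the original page and not Snort's own code): a small Python matcher that reimplements the semantics of a Snort rule header ($VAR substitution, "!" negation, the "->" and "<>" directions, single ports and lo:hi ranges) and runs the quoted header against constructed connection records such as a firewall or flow log would produce. The $HOME_NET value of 10.0.0.0/8, the sample flows, and the names Flow, scan and rule_matches are assumptions made for the illustration; the rule's option block is not reproduced because the page shows only its opening.

```python
import ipaddress
from dataclasses import dataclass

# Assumption, not from the original page: the monitored network is 10.0.0.0/8.
VARS = {"$HOME_NET": ipaddress.ip_network("10.0.0.0/8")}

# Header of the Snort rule quoted above (the option block is not reproduced here).
SUBSEVEN_RULE = "alert tcp $HOME_NET 1243 -> !$HOME_NET any"


@dataclass(frozen=True)
class Flow:
    """One TCP/UDP connection record, e.g. from a firewall or flow log."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(spec, addr):
    """Match a Snort address field: 'any', a $VAR, a CIDR, or a '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _match_addr(spec[1:], addr)
    net = VARS.get(spec) or ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def _match_port(spec, port):
    """Match a Snort port field: 'any', N, lo:hi (either end open), or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _match_port(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_header(rule):
    """Split the seven header fields off a rule; anything from '(' onward is options."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % rule)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    return dict(zip(keys, fields))


def rule_matches(rule, flow):
    """True if the flow satisfies the rule header, honouring '->' versus '<>'."""
    h = parse_header(rule)
    if h["proto"] != flow.proto:
        return False

    def side(src, sport, dst, dport):
        return (_match_addr(h["src"], src) and _match_port(h["sport"], sport)
                and _match_addr(h["dst"], dst) and _match_port(h["dport"], dport))

    if side(flow.src, flow.sport, flow.dst, flow.dport):
        return True
    # '<>' also fires when the flow runs the other way round.
    return h["direction"] == "<>" and side(flow.dst, flow.dport, flow.src, flow.sport)


def scan(rule, flows):
    """Return the flows that trigger the rule."""
    return [f for f in flows if rule_matches(rule, f)]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.2.3", 1243, "198.51.100.7", 4321),   # internal host answering outward on 1243
    Flow("tcp", "198.51.100.7", 4321, "10.1.2.3", 1243),   # the client's inbound half of the session
    Flow("tcp", "10.1.2.3", 1243, "10.9.9.9", 5000),       # stays inside $HOME_NET
    Flow("udp", "10.1.2.3", 1243, "198.51.100.7", 4321),   # wrong protocol
]

if __name__ == "__main__":
    for f in scan(SUBSEVEN_RULE, SAMPLE_FLOWS):
        print("ALERT possible SubSeven server on %s (talking to %s:%d)" % (f.src, f.dst, f.dport))
```

Only the first sample flow fires. Because the quoted header puts $HOME_NET and port 1243 on the source side, it matches the infected machine's replies leaving the network, so the alert names the victim host rather than the remote client; the inbound connection attempt (second flow) would need a companion rule with the two sides swapped, or a "<>" direction, to be seen.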