Intrusion Detection FAQ: SubSeven Trojan v 1.1

A large number of the detects we have received are apparently SubSeven Trojan related. From time to time we get questions asking what SubSeven is. Analyst Georg Wagner provided the following description.

SubSeven is a trojan for the Windows platform. It comes in at least two parts, a client and a server. The client is used by the hacker to connect to the victim's machine. Once server.exe is installed on the victim's machine, the hacker has full access to it.

The zip-file I downloaded contained 3 executables:
  • server.exe: the real trojan, which is installed on the victim's machine
  • sub7.exe: the client used by the hacker to connect to his victim's machine
  • EditServer.exe: a configuration utility to set several configuration options on server.exe
EditServer.exe gives the hacker the opportunity to configure:
  • the port used by server.exe
  • a password for the server
  • several other values
  • most important, the notification options, which notify the hacker when his victim(s) are online. This notification can be done using ICQ, IRC, or e-mail.

Known Information about SubSeven
Known TCP ports for SubSeven:
  • 1243
  • 6711
  • 6712
  • 6713
  • 6776
Known TCP ports for SubSeven 2.1:
  • 27374
Files on an infected machine:
  • server.exe
  • rundll1.exe
  • systray.dl
  • Task_bar.exe
  • FAVPNMCFEE.dll
  • MVOKH_32.dll
  • nodll.exe
  • watching.dll
Entries in configuration files:
  • in system.ini:
    an entry on the line containing "shell="
  • in win.ini:
    an entry on the line containing "load=" or "run= "
  • in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
To be able to connect to the victim's machine the hacker needs the IP address of that machine. There are two methods to get this IP address:

  1. Using ICQ
    If the victim has not enabled IP Hiding in his ICQ User Profile, then the hacker can retrieve this information from the victim's profile.
  2. To use the notification option of the trojan. That way the hacker is always notified when his victim(s) connect to the internet. He will even get the IP address and the port number delivered.
SubSeven's own description claims that most antivirus software cannot detect its newer versions. Search your registry for the strings SubSeven, "Sub Seven" or "Sub 7". If they are found, your machine is infected. If they are not found, that does not mean your machine is clean, since the hacker can change the values used in the registry with EditServer.exe.

The server.exe can be removed using the file client.exe. If you downloaded and extracted the zip-archive of the SubSeven trojan, do not click on the file server.exe; otherwise you will infect your own machine.

Detecting SubSeven on the Net

The following attack patterns for the NIDS Snort can be used to recognize SubSeven network activity:

alert tcp $HOME_NET 1243 -> !$HOME_NET any (msg:"TROJAN ACTIVITY-Possible Subseven"; flags:SA;)
alert tcp any any -> any any (msg:"TROJAN ACTIVITY-Possible SubSeven access"; content:"connected. time/date"; flags:PA;)
alert tcp !$HOME_NET any -> $HOME_NET 6776 (msg:"TROJAN ATTEMPT-SubSeven access"; flags:S;)
alert tcp !$HOME_NET any -> $HOME_NET 6711 (msg:"TROJAN ATTEMPT-Deep Throat/SubSeven"; flags:S;)
alert tcp !$HOME_NET any -> $HOME_NET 1243 (msg:"TROJAN ATTEMPT-Subseven"; flags:S;)
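As an added example (not from the FAQ and not Snort code), the Python below applies the same three rule shapes to constructed packet records so the logic can be checked offline. It assumes a HOME_NET of 192.168.1.0/24 and generalizes the port-specific rules above to every SubSeven port the FAQ lists.

```python
import ipaddress
from dataclasses import dataclass
# Assumed local network; stands in for Snort's $HOME_NET variable.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Every SubSeven listen port the FAQ lists (1.x ports plus 27374 for 2.1).
SUBSEVEN_PORTS = {1243, 6711, 6712, 6713, 6776, 27374}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags in Snort letters: "S", "SA", "PA", ...
    payload: bytes = b""

def in_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET
def flags_are(p: Packet, want: str) -> bool:
    # Snort's flags:<x>; without a modifier means exactly those bits are set.
    return set(p.flags) == set(want)
# (alert message, predicate) pairs mirroring the three rule shapes in the FAQ.
RULES = [
    # A home host replying SYN-ACK from a SubSeven port: a server is listening.
    ("TROJAN ACTIVITY-Possible SubSeven", lambda p: in_home(p.src)
     and not in_home(p.dst) and p.sport in SUBSEVEN_PORTS and flags_are(p, "SA")),
    # SubSeven's greeting banner inside an established session, any direction.
    ("TROJAN ACTIVITY-Possible SubSeven access", lambda p: flags_are(p, "PA")
     and b"connected. time/date" in p.payload),
    # An outside host sending a SYN to a SubSeven port on a home host.
    ("TROJAN ATTEMPT-SubSeven", lambda p: not in_home(p.src)
     and in_home(p.dst) and p.dport in SUBSEVEN_PORTS and flags_are(p, "S")),
]

def match(p: Packet) -> list:
    return [msg for msg, pred in RULES if pred(p)]
def scan(packets) -> list:
    return [f"{msg}: {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets for msg in match(p)]

# Constructed sample traffic: a probe, the server's reply, its banner, then a benign web session.
SAMPLE = [
    Packet("203.0.113.7", 4000, "192.168.1.10", 27374, "S"),
    Packet("192.168.1.10", 27374, "203.0.113.7", 4000, "SA"),
    Packet("192.168.1.10", 27374, "203.0.113.7", 4000, "PA", b"connected. time/date: 12:00"),
    Packet("203.0.113.7", 4001, "192.168.1.10", 80, "S"),
    Packet("192.168.1.10", 80, "203.0.113.7", 4001, "SA"),
]
```

Running scan(SAMPLE) yields three alerts for the first three packets and none for the web session, which is the behaviour the Snort rules above encode.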

Removing SubSeven

  1. Edit SYSTEM.INI
    If you find the line shell=Explorer.exe Task_Bar.exe, remove the Task_Bar.exe entry. Save SYSTEM.INI.
  2. Edit win.ini and look at the lines containing run= and load=. If you find one of the files listed above, remove this entry (entries).
  3. Start the regedit.exe and search for the files listed above. If you find an entry with one of the files, remove it.
  4. Reboot