SubSeven is a trojan for the windows platform. It comes at least in two parts a client and a server. The client is used by the hacker to connect to the victim' s machine. Once the server.exe is installed on the victim's machine the hacker has full access to the victim's machine.
The zip-file I downloaded contained 3 executables:
- server.exe The real trojan, which is installed on the victim's machine
- sub7.exe The client used by the hacker to connect to his victim's machine
- EditServer.exe A configuration utility to set several configuration options on server.exe.
- the port used by server.exe
- to set a password for the server
- several other values
Known Information about SubSevenKnown TCP ports for SubSeven:
- in system.ini:
an entry on the line containing "shell="
- in win.ini:
an entry on the line containing "load=" or "run= "
- in the registry:
- Using ICQ
If the victim has not enabled IP Hiding in his ICQ User Profile, then the hacker can retrieve this information from the victim's profile.
- To use the notification option of the trojan. That way the hacker is always notified when his victim(s) connect to the internet. He will even get the IP address and the port number delivered.
The server.exe can be removed using the file client.exe. If you downloaded and extracted the zip-archive of the subseven-trojan do not click on the file server.exe. Otherwise you will have infected your machine.
Detecting SubSeven on the Net
The following attack patterns for the NIDS snort can be used to recognize SubSeven network activity:
alert tcp $HOME_NET 1243 -> !$HOME_NET any (msg:"
TROJAN ACTIVITY-Possible Subseven"; flags:SA;)
alert tcp any -> any (msg:"TROJAN ACTIVITY-Possible
SubSeven access"; content:"connected. time/date"; flags:PA;)
alert tcp !$HOME_NET any -> $HOME_NET 6776 (msg:"TROJAN ATTEMPT-
SubS even access"; flags:S;)
alert tcp !$HOME_NET any -> $HOME_NET 6711 (msg:"TROJAN ATTEMPT-
Deep Throat/SubSeven"; flags:S;)
alert tcp !$HOME_NET any -> $HOME_NET 1243 (msg:"TROJAN ATTEMPT-
- Edit SYSTEM.INI
If you find the line shell=Explorer.exe Task_Bar.exe, remove the Task_Bar.exe entry. Ave SYSTEM.INI
- Edit win.ini and look at the lines containing run= and load=. If you find one of the files listed above, remove this entry (entries).
- Start the regedit.exe and search for the files listed above. If you find an entry with one of the files, remove it.