Sub7 or Subseven Gold (also known as Backdoor-G and all of its variants) is the most well known Trojan backdoor application available. You can download the setup-file of Sub7 from anywhere.
Some backdoor programs test the system and phone home to allow for future attacks. The best way to tell what version of SubSeven you are infected with is by running an updated antivirus program. It is similar to such malware as Back Orifice and Sub7 in that the suspect unknowingly downloads a backdoor through an email attatchment. Subseven tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online. Sub7 can also make the victim's machine act as a zombie used in a DDoS attack to bring down some servers
The first version from SubSeven appeared in May 1999. SubSeven 2.0 is present since September 1999 and was written by an individual called MobMan. Apart from an extension of the characteristics above all the configuration options for the server installation were extended.
This trojan for the Windows platform is divided into two parts: a client tool and server software. The client and the server program, also again the Tool is contained for the modification of the actual server "EditServer" in the Orginal Zip file. Download an infected email attachment could be worse!
This trojan is the most popular and the most powerful Trojan Horse program available to the public.
Screenshots: Main Interface
When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven). Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL. This worm is also known as Backdoor.Subseven. This RAT or remote administration tool comprises two elements: the server (installed on the “target's” workstation; and a client used by the remote administrator.
After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.
Screenshot: Sub7 Victim Control Center - Remote Access Trojans
All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors. Please note that Troj/Sub7-2-13a is a backdoor package. Several versions of the package exist on the Internet, in 2009.
What can sub7 actually do?
- SubSeven can do just about anything to anybody.
- Internet downloads are slow
- Monitor ALL of your online activity (purchases, chat, mail)
- Strange dialog boxes appear
- Restart Windows
- Disable your antivirus or firewall
- Shutdown your computer or reboot your computer
- Log Keystrokes
- Download Files
- Open an FTP server on your machine
Discovered Trojan: June 6, 1999
Systems Affected:
- Windows 2000, Windows 95, Windows 98
- Windows Me, Windows NT, Windows XP
Known TCP ports for SubSeven::
- 1243
- 6711
- 6712
- 6713
- 6776
Latest known version:
- SubSeven Apocalypse
- SubSeven 2.1.1 Gold
- SubSeven 2.1.3 Bonus
- SubSeven 2.1.4 DEFCO
- Subseven 2.1.5 Legend
Screenshot: Sub7 Client Control Center
How to remove Subseven
This trojan tends to escape virus detection due to the fact that it morphs, or changes a little each time its sent to a new victim. By using a backdoor program such as: netbus or backorifice, an intruder can gain unauthorized access to the resources your machine has to offer.
Main Window. Allows the hacker to change different server settings. As you can see, one of the options is completely removing the server from the host machine.
Print - Allows a hacker to print anything out on your home printer. This is typically used by the pranksters.
Fun Manager - One of the many "fun" features SubSeven offers. This is the prankster-toy side of this malware.
Screen Capture. Allows a hacker to receive continuous screen shots of your screen. This mean that whatever you see, chat, e-mail, online shopping, the hacker sees as well. These live feeds can actually be saved so the hacker can play it back like a movie and go over any information he/she might have missed.
File Manager. Allows the hacker to copy, delete, rename, run any file on your computer.
Screenshot - Subseven Interface: This is the configuration utility edits the server settings.
Files on an infected machine:
- server.exe
- rundll1.exe
- systray.dl
- Task_bar.exe
- FAVPNMCFEE.dll
- MVOKH_32.dll
- nodll.exe
- watching.dll
Screenshot - Mac Edition: This one includes several remote command ( IP Notify, Numlock...)
Download : http://www.4shared.com/file/85452200/2adb67e4/sub7_2115legends__subseven_seven___cria_servers_e_possui_o_client_para_monitora-los_.html?s=1
Note : Info from :http://www.all-internet-security.com/subseven_trojan.html , for download : 4shared.com
0 komentar: