Backdoor:W32/SubSeven is a backdoor program that allows a remote user to perform a large range of actions on the affected system.
The first samples of this backdoor were not packed, but packed versions appeared later that were hard to detect for contemporary anti-virus programs lacking support for unpacking the Win32 'Aspack' file compressor.
The SubSeven backdoor was first discovered in May 1999. It is usually distributed under various names via newsgroups and e-mail.
When run, the backdoor copies itself to the Windows directory, either under the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (the names differ between SubSeven versions).
It then unpacks a single DLL file, WATCHING.DLL, to the Windows System directory (some versions skip this step). After that the backdoor modifies the Windows Registry so that its main executable is run on every Windows startup (via the Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself by modifying either the WIN.INI or the SYSTEM.INI file.
The latest versions of SubSeven drop a small starter program (usually WINDOS.EXE) and register it to be run whenever any EXE file is started in Windows. This ensures that a copy of the backdoor is always in memory. For specific instructions on how to disinfect these versions, see the bottom of the page.
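The persistence locations described above can be audited offline from a registry export and the two INI files. The following Python script is an added example, not part of the original description or of any vendor tool: it checks Run/RunServices values, the EXE file-association command (assumed here to be the hook used by the WINDOS.EXE starter), and the WIN.INI run= and SYSTEM.INI shell= lines (assumed line names) for the filenames listed above, using constructed sample data.

```python
import re

# Filenames the description lists for the backdoor's copies, its dropped DLL and
# its starter. WINDOW.EXE is generic enough to be legitimate: a hit is a lead, not a verdict.
SUBSEVEN_NAMES = {"SERVER.EXE", "KERNEL16.DL", "RUNDLL16.COM", "WINDOW.EXE",
                  "SYSTEMTRAYICON!.EXE", "WATCHING.DLL", "WINDOS.EXE"}

# Keys to inspect: Run/RunServices from the description ("\run" also matches the *Once
# variants) plus the EXE file-association command, assumed to be the starter's hook.
WATCHED_KEYS = ("\\run", "\\runservices", "exefile\\shell\\open\\command")

def names_in(value):
    """Return the SubSeven filenames (matched on basename) found in a command or path."""
    tokens = re.findall(r"[\w!.\\:-]+", value.upper())
    return {t.rsplit("\\", 1)[-1] for t in tokens} & SUBSEVEN_NAMES

def scan_reg_export(text):
    """Scan a .reg export for SubSeven names in values under the watched keys."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # start of a new key section
        elif key and "=" in line and any(k in key.lower() for k in WATCHED_KEYS):
            name, _, value = line.partition("=")
            for hit in sorted(names_in(value)):
                hits.append((key, name.strip('"'), hit))
    return hits

def scan_ini(text, filename):
    """Check WIN.INI 'run=' or SYSTEM.INI 'shell=' (assumed line names) for the names."""
    wanted = {"WIN.INI": ("run",), "SYSTEM.INI": ("shell",)}[filename.upper()]
    hits = []
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() in wanted:
            for hit in sorted(names_in(v)):
                hits.append((filename, k.strip(), hit))
    return hits

# Constructed sample input imitating a .reg export of an infected host (not real data).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\WINDOWS\\SERVER.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Kernel16"="C:\\WINDOWS\\KERNEL16.DL"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="windos.exe \"%1\" %*"
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe WINDOW.EXE\n"   # constructed sample
```

Running `scan_reg_export(SAMPLE_REG)` and `scan_ini(SAMPLE_SYSTEM_INI, "system.ini")` returns one (location, value name, filename) tuple per suspicious entry; the legitimate SysTray.Exe value produces no hit.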
All recent versions of SubSeven ship with a server configuration utility that lets the operator customize the capabilities of the server component: installation method, custom startup message, and so on. This approach was first introduced by the Back Orifice 2000 backdoor and gives backdoors much more flexibility.
When the SubSeven backdoor is active in memory (and hidden from Task Manager), it checks for an established TCP/IP connection and, once one is available, listens on TCP/IP ports for commands from the client component.
SubSeven also tries to use ICQ, IRC and various e-mail accounts to notify its operator that a victim is online.
SubSeven's initial version had the following 113 capabilities: