F-Secure
Tools
Backdoor:W32/SubSeven
Summary
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.Disinfection
Automatic Disinfection
Disinfection of SubSeven is performed automatically by FSAV. You might need to restart your system to complete the disinfection of a locked server part of SubSeven that cannot be removed while it is active in Windows.
Note
Earlier versions of FSAV might not clean the "EXE-file startup" Registry entry, which is used by the latest SubSeven versions to re-install itself back to the system every time an EXE file is run. If problems occur with this registry key even after the disinfection and if you are unable to start EXE files in Windows, please download and run the special file from our ftp site, which will solve this problem:
You need to run (double-click or press 'Enter' when the cursor is placed on the file) the S7DISINF.REG file from Windows Explorer after you have downloaded it. Note that the .REG extension might not be visible if you do not have 'Show All Files' option on.
Alternatively, you can click on the 'Start' button, then on the 'Run' menu and either input the location of the S7DISINF.REG file manually (for example, C:\S7DISINF.REG) or to find it with the 'Browse' button. After you have entered the location, you need to click on the 'Ok' button and the REG file will be run.
Disinfection Utility
You can also use a free version of F-Prot for DOS to remove SubSeven.
Notes: Disinfection must be performed from pure DOS; it is advisable to run the above shown REG file before exiting Windows. All SubSeven components (files) should be deleted from an infected system for successful disinfection.
Disinfection of SubSeven is performed automatically by FSAV. You might need to restart your system to complete the disinfection of a locked server part of SubSeven that cannot be removed while it is active in Windows.
Note
Earlier versions of FSAV might not clean the "EXE-file startup" Registry entry, which is used by the latest SubSeven versions to re-install itself back to the system every time an EXE file is run. If problems occur with this registry key even after the disinfection and if you are unable to start EXE files in Windows, please download and run the special file from our ftp site, which will solve this problem:
- ftp://ftp.europe.F-Secure.com/anti-virus/tools/s7disinf.reg
You need to run (double-click or press 'Enter' when the cursor is placed on the file) the S7DISINF.REG file from Windows Explorer after you have downloaded it. Note that the .REG extension might not be visible if you do not have 'Show All Files' option on.
Alternatively, you can click on the 'Start' button, then on the 'Run' menu and either input the location of the S7DISINF.REG file manually (for example, C:\S7DISINF.REG) or to find it with the 'Browse' button. After you have entered the location, you need to click on the 'Ok' button and the REG file will be run.
Disinfection Utility
You can also use a free version of F-Prot for DOS to remove SubSeven.
- ftp://ftp.europe.F-Secure.com/anti-virus/free/
- ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
Notes: Disinfection must be performed from pure DOS; it is advisable to run the above shown REG file before exiting Windows. All SubSeven components (files) should be deleted from an infected system for successful disinfection.
Additional Details
Backdoor:W32/SubSeven is a backdoor program that allows a remote user to perform a large range of actions on the affected system.
The first samples of this backdoor were not packed, but later some packed versions appeared which were not easy to detect with contemporary anti-virus programs that had no Win32 'Aspack' file compressor unpacking support.
SubSeven backdoor was first discovered in May, 1999. The backdoor is usually distributed under different names via newsgroups and e-mails.
Execution
When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven).
Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this). After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.
The latest versions of the SubSeven backdoor drop a small starter program (usually WINDOS.EXE) and register it to be run when any EXE file is started in Windows. By doing this the backdoor ensures that its copy is always in the memory. For specific instructions of how to disinfect these versions please see the bottom of the page.
All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors.
Activity
If the SubSeven backdoor task is being active in the memory (and invisible in Task Manager), it looks for TCP/IP connections and if they are established it listens to TCP/IP ports for commands from a client part.
Subseven also tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.
SubSeven's initial version had the following 113 capabilities:
Fun Manager
------------------
1. Open Web Browser to specified location.
2. Restart Windows.
3. Reverse Mouse buttons.
4. Hide Mouse Pointer.
5. Move Mouse.
6. Mouse Trail Config.
7. Set Volume.
8. Record Sound file from remote mic.
9. Change Windows Colors / Restore.
10. Hung up Internet Connection.
11. Change Time.
12. Change Date.
13. Change Screen resolution.
14. Hide Desktop Icons / Show
15. Hide Start Button / Show
16. Hide taskbar / Show
17. Opne CD-ROM Drive / Close
18. Beep computer Speaker / Stop
19. Turn Monitor Off / On
20. Disable CTRL+ALT+DEL / Enable
21. Turn on Scroll Lock / Off
22. Turn on Caps Locl / Off
23. Turn on Num Lock / Off
Connection Manager
-----------------------------
1. Connect / Disconnect
2. IP Scanner
3. IP Address book
4. Get Computer Name
5. Get User Name
6. Get Windows and System Folder Names
7. Get Computer Company
8. Get Windows Version
9. Get Windows Platform
10. Get Current Resolution
11. Get DirectX Version
12. Get Current Bytes per Pixel settings
13. Get CPU Vendor
14. Get CPU Speed
15. Get Hard Drive Size
16. Get Hard Drive Free Space
17. Change Server Port
18. Set Server Password
19. Update Server
20. Close Server
21. Remove Server
22. ICQ Pager Connection Notify
23. IRC Connection Notify
24. E-Mail Connection Notify
Keyboard Manager
--------------------------
1. Enable Key Logger / Disable
2. Open Key Logger in a remote Window
3. Clear the Key Logger Windows
4. Collect Keys pressed while Offline
5. Open Chat Victim + Controller
6. Open Chat among all connected
Controllers
--------------
1. Windows Pop-up Message Manager
2. Disable Keyboard
3. Send Keys to a remote Window
Misc. Manager
--------------------
1. Full Screen Capture
2. Continues Thumbnail Capture
3. Flip Screen
4. Open FTP Server
5. Find Files
6. Capture from Computer Camera
7. List Recorded Passwords
8. List Cached Passwords
9. Clear Password List
10. Registry Editor
11. Send Text ot Printer
File Manager
------------------
1. Show files/folders and navigate
2. List Drives
3. Execute Application
4. Enter Manual Command
5. Type path Manually
6. Download files
7. Upload files
8. Get File Size
9. Delete File
10. Play *.WAV
11. Set Wallpaper
12. Print *.TXT\*.RTF file
13. Show Image
Window Manager
------------------------
1. List visible windows
2. List All Active Applications
3. Focus on Window
4. Close Window
5. Disable X (close) button
6. Hide a Window from view.
7. Show a Hidden Window
8. Disable Window
9. Enable Disabled Window
Options Menu
--------------------
1. Set Quality of Full Screen Capture
2. Set Quality of Thumbnail Capture
3. Set Chat font size and Colors
4. Set Client's User Name
5. Set local 'Download' Directory
6. Set Quick Help
7. Set Client Skin
8. Set Fun Manager Skin
Edit Server
--------------
1. PreSet Target Port
2. PreSet server Password
3. Attach EXE File
4. PreSet filename after installation
5. PreSet Registry Key
6. PreSet Autostart Method:
Registry: Run
Registry: RunSevices
Win.ini
Less known method
7. PreSet Fake error message
8. PreSet Connection Notify Username
9. PreSet Connection Notify ICQ#
10. PreSet Connection Notify E-Mail
11. PreSet Connection Notify IRC Chan.
12. PreSet IRC Port
13. Change Server *.exe Icon
The first samples of this backdoor were not packed, but later some packed versions appeared which were not easy to detect with contemporary anti-virus programs that had no Win32 'Aspack' file compressor unpacking support.
SubSeven backdoor was first discovered in May, 1999. The backdoor is usually distributed under different names via newsgroups and e-mails.
Execution
When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven).
Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this). After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.
The latest versions of the SubSeven backdoor drop a small starter program (usually WINDOS.EXE) and register it to be run when any EXE file is started in Windows. By doing this the backdoor ensures that its copy is always in the memory. For specific instructions of how to disinfect these versions please see the bottom of the page.
All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors.
Activity
If the SubSeven backdoor task is being active in the memory (and invisible in Task Manager), it looks for TCP/IP connections and if they are established it listens to TCP/IP ports for commands from a client part.
Subseven also tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.
SubSeven's initial version had the following 113 capabilities:
Fun Manager
------------------
1. Open Web Browser to specified location.
2. Restart Windows.
3. Reverse Mouse buttons.
4. Hide Mouse Pointer.
5. Move Mouse.
6. Mouse Trail Config.
7. Set Volume.
8. Record Sound file from remote mic.
9. Change Windows Colors / Restore.
10. Hung up Internet Connection.
11. Change Time.
12. Change Date.
13. Change Screen resolution.
14. Hide Desktop Icons / Show
15. Hide Start Button / Show
16. Hide taskbar / Show
17. Opne CD-ROM Drive / Close
18. Beep computer Speaker / Stop
19. Turn Monitor Off / On
20. Disable CTRL+ALT+DEL / Enable
21. Turn on Scroll Lock / Off
22. Turn on Caps Locl / Off
23. Turn on Num Lock / Off
Connection Manager
-----------------------------
1. Connect / Disconnect
2. IP Scanner
3. IP Address book
4. Get Computer Name
5. Get User Name
6. Get Windows and System Folder Names
7. Get Computer Company
8. Get Windows Version
9. Get Windows Platform
10. Get Current Resolution
11. Get DirectX Version
12. Get Current Bytes per Pixel settings
13. Get CPU Vendor
14. Get CPU Speed
15. Get Hard Drive Size
16. Get Hard Drive Free Space
17. Change Server Port
18. Set Server Password
19. Update Server
20. Close Server
21. Remove Server
22. ICQ Pager Connection Notify
23. IRC Connection Notify
24. E-Mail Connection Notify
Keyboard Manager
--------------------------
1. Enable Key Logger / Disable
2. Open Key Logger in a remote Window
3. Clear the Key Logger Windows
4. Collect Keys pressed while Offline
5. Open Chat Victim + Controller
6. Open Chat among all connected
Controllers
--------------
1. Windows Pop-up Message Manager
2. Disable Keyboard
3. Send Keys to a remote Window
Misc. Manager
--------------------
1. Full Screen Capture
2. Continues Thumbnail Capture
3. Flip Screen
4. Open FTP Server
5. Find Files
6. Capture from Computer Camera
7. List Recorded Passwords
8. List Cached Passwords
9. Clear Password List
10. Registry Editor
11. Send Text ot Printer
File Manager
------------------
1. Show files/folders and navigate
2. List Drives
3. Execute Application
4. Enter Manual Command
5. Type path Manually
6. Download files
7. Upload files
8. Get File Size
9. Delete File
10. Play *.WAV
11. Set Wallpaper
12. Print *.TXT\*.RTF file
13. Show Image
Window Manager
------------------------
1. List visible windows
2. List All Active Applications
3. Focus on Window
4. Close Window
5. Disable X (close) button
6. Hide a Window from view.
7. Show a Hidden Window
8. Disable Window
9. Enable Disabled Window
Options Menu
--------------------
1. Set Quality of Full Screen Capture
2. Set Quality of Thumbnail Capture
3. Set Chat font size and Colors
4. Set Client's User Name
5. Set local 'Download' Directory
6. Set Quick Help
7. Set Client Skin
8. Set Fun Manager Skin
Edit Server
--------------
1. PreSet Target Port
2. PreSet server Password
3. Attach EXE File
4. PreSet filename after installation
5. PreSet Registry Key
6. PreSet Autostart Method:
Registry: Run
Registry: RunSevices
Win.ini
Less known method
7. PreSet Fake error message
8. PreSet Connection Notify Username
9. PreSet Connection Notify ICQ#
10. PreSet Connection Notify E-Mail
11. PreSet Connection Notify IRC Chan.
12. PreSet IRC Port
13. Change Server *.exe Icon