Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: NONE
Payload: n/a
Detection files: published
Description created: 20 Aug 2000 03:00:00
Description updated: 08 Nov 2001 02:28:00
Malware type: TROJAN
Alias: n/a
Spreading mechanism: EMAIL, IRC, NETWORK
Summary: None

SubSeven.Trojan

Spreading

SubSeven is a backdoor trojan and is not able to replicate itself. People usually get SubSeven via email or by downloading program files from the Internet. In addition to being one of the most advanced backdoor programs, SubSeven is also one of the most widely spread backdoor trojans.

Payload Details

n/a

Analysis

n/a

Removal

Removal of SubSeven has to be done manually. Note that all filenames in this description are the default names used by the respective versions of the SubSeven trojan. To remove the trojan, perform a virus scan and make a note of all infected files. The trojan can be configured to use any filename, so you have to check each location mentioned below for the file name detected by your anti-virus software.

SubSeven v1.0-1.1

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\systrayicon.exe by typing the command: del c:\windows\systrayicon.exe
3. Restart the computer and start Windows.
4. Start Regedit (Start|Run and type 'regedit') and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Delete the key SystemTrayIcon = "C:\Windows\SysTrayIcon.exe"

SubSeven v1.2-1.5

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\nodll.exe by typing the command: del c:\windows\nodll.exe
3. Restart the computer and start Windows.
4. Double-click the file c:\windows\win.ini to open it in a text editor.
5. Replace the line 'run=nodll.exe' with 'Run='
6. Save and close the file.

SubSeven v1.6

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\systray.exe by typing the command: del c:\windows\systray.exe
3. Restart the computer and start Windows.
4. Start Regedit (Start|Run and type 'regedit') and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Delete the key SystemTray = "SysTray.exe"

SubSeven v1.7

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\kernel16.dl by typing the command: del c:\windows\kernel16.dl
3. Restart the computer and start Windows.
4. Start Regedit (Start|Run and type 'regedit') and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
5. Delete the key Kernel16 = "kernel16.dl"

SubSeven v1.8

Version 1.8 is the first SubSeven version that includes a configuration utility which can be used to modify how the server works. The default name and location of the server part is c:\windows\kerne132.dl. See the instructions for SubSeven v2.1 for removal.

SubSeven v1.9

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\rundll16.exe by typing the command: del c:\windows\rundll16.exe
3. Restart the computer and start Windows.
4. Start Regedit (Start|Run and type 'regedit') and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
5. Delete the key RegistryScan = "rundll16.exe"

SubSeven v2.0

1. Restart your computer in MS-DOS mode (Start|Shutdown and select 'Restart the computer in MS-DOS mode').
2. Delete the file c:\windows\rundll16.exe by typing the command: del c:\windows\rundll16.exe
3. Restart the computer and start Windows.
4. Double-click the file c:\windows\system.ini to open it in a text editor.
5. Replace the line shell = Explorer.exe RUNDLL16.exe with shell = Explorer.exe
6. Save and close the file.

SubSeven v2.1

SubSeven v2.1 can use four different methods to load itself, and may use more than one of them at the same time. To remove it, check all of the alternatives below:

1. Open c:\windows\win.ini and look for the lines run=MSREXE.exe and load=MSREXE.exe. Delete 'MSREXE.exe' from these lines.
2. Open c:\windows\system.ini. Replace the line shell = Explorer.exe MSREXE.exe with shell = Explorer.exe
3. Run regedit.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Delete any keys with the value 'MSREXE.exe'.
4. Run regedit.exe and go to HKEY_CLASSES_ROOT\exefile\shell\open\command. If the trojan uses this method to load itself, the value in this key will typically be "WINDOS \"%1\" %*". Replace this value with "\"%1\" %*" (simply remove WINDOS from the beginning of the line). With this method the SubSeven trojan is loaded into memory every time any .exe file is run. A side effect of this is that if you delete the trojan (i.e. WINDOS.exe) without first restoring this value, Windows will not be able to run any .exe program.
5. Reboot the computer and delete all infected files.

SubSeven v2.2

SubSeven v2.2 can use several different methods to load itself, and may use more than one of them at the same time. To remove it, check all of the alternatives below:

1. Run regedit.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Delete any keys that refer to files detected by your anti-virus software.
2. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command. If the trojan uses this method to load itself, the value in this key will typically be "WINDOS \"%1\" %*". Replace this value with "\"%1\" %*" (simply remove WINDOS from the beginning of the line). With this method the SubSeven trojan is loaded into memory every time any .exe file is run. A side effect of this is that if you delete the trojan (i.e. WINDOS.exe) without first restoring this value, Windows will not be able to run any .exe program.
3. Reboot the computer and delete all infected files.
4. Open c:\windows\win.ini and look for the lines run=xxx and load=xxx, where xxx is the same filename as in step 1 above. Delete 'xxx' from these lines.
5. Open c:\windows\system.ini. Replace the line shell = Explorer.exe xxx with shell = Explorer.exe
6. Reboot your computer.
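The four load methods checked for v2.1 and v2.2 (run=/load= in win.ini, the shell= line in system.ini, the Run/RunServices keys and the exefile open command) can be verified offline against copies of the two .ini files and a REGEDIT4-style export. The Python below is an added example, not part of this Lumension description: it parses those files, reports the indicators the removal steps describe, and produces the cleaned values the steps call for. The sample inputs are constructed for illustration; the only page-specific name in them is MSREXE.exe, the default v2.1 filename.

```python
"""Offline checks for the SubSeven persistence locations described above.
Added example, not Lumension's code. Inputs are file contents and a .reg
export, so nothing here touches a live registry; all samples are constructed."""
import re

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # default data of exefile\shell\open\command


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}.
    Duplicate keys are kept; win.ini may carry several run=/load= lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """run= and load= in [windows] are empty on a clean system."""
    return [f'win.ini [windows] {k}={v}'
            for k, v in parse_ini(text).get('windows', [])
            if k in ('run', 'load') and v]


def check_system_ini(text):
    """shell= in [boot] should name Explorer.exe and nothing else."""
    return [f'system.ini [boot] shell={v}'
            for k, v in parse_ini(text).get('boot', [])
            if k == 'shell' and [p.lower() for p in v.split()] != ['explorer.exe']]


def repair_ini(text):
    """Return the INI text with loader entries removed: run=/load= in [windows]
    are emptied and shell= in [boot] is cut back to Explorer.exe alone."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif '=' in line and not line.startswith(';'):
            key, _, value = line.partition('=')
            k, parts = key.strip().lower(), value.split()
            if section == 'windows' and k in ('run', 'load'):
                raw = f'{key.strip()}='
            elif section == 'boot' and k == 'shell' and parts and parts[0].lower() == 'explorer.exe':
                raw = f'{key.strip()}={parts[0]}'
        out.append(raw)
    return '\n'.join(out) + '\n'


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_path: {value_name: data}}.
    '@' is the default value; only string data ("...") is decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])   # undo \" and \\ escapes
            keys[current][name.strip().strip('"')] = data
    return keys


def check_registry(keys, suspect_names):
    """Flag Run/RunServices entries whose executable basename is in suspect_names
    (the files your AV reported) and an exefile open command that is not default."""
    suspects = {n.lower() for n in suspect_names}
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(('\\currentversion\\run', '\\currentversion\\runservices')):
            for name, data in values.items():
                exe = data.split()[0].rsplit('\\', 1)[-1].lower() if data.split() else ''
                if exe in suspects:
                    findings.append(f'{path}: {name}={data}')
        elif low == r'hkey_classes_root\exefile\shell\open\command':
            if values.get('@', '') != CLEAN_EXEFILE_COMMAND:
                findings.append(f'{path}: @={values.get("@", "")}')
    return findings


def repair_exefile_command(data):
    """Strip a loader prefix such as WINDOS from the exefile open command; the
    value itself must stay, or no .exe will start once the loader file is gone."""
    return CLEAN_EXEFILE_COMMAND if data.endswith(CLEAN_EXEFILE_COMMAND) else data


# Constructed sample inputs mirroring the v2.1 description (not real captures).
WIN_INI = "[windows]\nload=MSREXE.exe\nrun=MSREXE.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe MSREXE.exe\n[386Enh]\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MSREXE"="C:\\WINDOWS\\MSREXE.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="WINDOS \"%1\" %*"
"""
```

Calling check_win_ini(WIN_INI), check_system_ini(SYSTEM_INI) and check_registry(parse_reg_export(REG_EXPORT), {'MSREXE.exe'}) on the samples reports all four load methods; repair_ini and repair_exefile_command give the cleaned values, and the order matters exactly as the instructions say: restore the exefile command before deleting the loader file.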


Last Updated: 12 Nov 2015 11:06:10