Threat Descriptions

Backdoor:W32/SubSeven

Classification

Category :

Malware

Type :

Backdoor

Platform :

W32

Aliases :

Backdoor:W32/SubSeven, SubSeven, Backdoor.SubSeven

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Backdoor:W32/SubSeven is a backdoor program that allows a remote user to perform a large range of actions on the affected system.

The first samples of this backdoor were not packed, but later some packed versions appeared which were not easy to detect with contemporary anti-virus programs that had no Win32 'Aspack' file compressor unpacking support.

SubSeven backdoor was first discovered in May, 1999. The backdoor is usually distributed under different names via newsgroups and emails.

Execution

When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven).

Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this). After that the backdoor patches Windows Registry so that its main application will be run during every Windows bootup (Run or RunServices keys). Finally, it creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying either the WIN.INI or the SYSTEM.INI file.

The latest versions of the SubSeven backdoor drop a small starter program (usually WINDOS.EXE) and register it to be run when any EXE file is started in Windows. By doing this the backdoor ensures that its copy is always in the memory. For specific instructions of how to disinfect these versions please see the bottom of the page.

All the recent versions of SubSeven are supplied with a server configuration utility that allows it to customize server part capabilities - installation method, custom startup message, etc. This method was first introduced by the Back Orifice 2000 backdoor and it allows much more flexibility to backdoors.

Activity

If the SubSeven backdoor task is being active in the memory (and invisible in Task Manager), it looks for TCP/IP connections and if they are established it listens to TCP/IP ports for commands from a client part.

Subseven also tries to use ICQ, IRC and different email accounts to notify the author that his victims are online.

SubSeven's initial version had the following 113 capabilities: 

 Fun Manager
 ------------------
 
1. Open Web Browser to specified location.
 
2. Restart Windows.
 
3. Reverse Mouse buttons.
 
4. Hide Mouse Pointer.
 
5. Move Mouse.
 
6. Mouse Trail Config.
 
7. Set Volume.
 
8. Record Sound file from remote mic.
 
9. Change Windows Colors / Restore.
 
10. Hung up Internet Connection.

11. Change Time.
 
12. Change Date.
 
13. Change Screen resolution.
 
14. Hide Desktop Icons / Show
 
15. Hide Start Button / Show
 
16. Hide taskbar / Show
 
17. Opne CD-ROM Drive / Close
 
18. Beep computer Speaker / Stop
 
19. Turn Monitor Off / On
 
20. Disable CTRL+ALT+DEL / Enable
 
21. Turn on Scroll Lock / Off
 
22. Turn on Caps Locl / Off
 
23. Turn on Num Lock / Off

 Connection Manager
 -----------------------------
 
1. Connect / Disconnect
 
2. IP Scanner
 
3. IP Address book
 
4. Get Computer Name
 
5. Get User Name
 
6. Get Windows and System Folder Names
 
7. Get Computer Company
 
8. Get Windows Version
 
9. Get Windows Platform
 
10. Get Current Resolution
 
11. Get DirectX Version
 
12. Get Current Bytes per Pixel settings
 
13. Get CPU Vendor
 
14. Get CPU Speed
 
15. Get Hard Drive Size
 
16. Get Hard Drive Free Space
 
17. Change Server Port
 
18. Set Server Password
 
19. Update Server
 
20. Close Server
 
21. Remove Server
 
22. ICQ Pager Connection Notify
 
23. IRC Connection Notify
 
24. email Connection Notify

 Keyboard Manager
 --------------------------
 
1. Enable Key Logger / Disable

2. Open Key Logger in a remote Window
 
3. Clear the Key Logger Windows
 
4. Collect Keys pressed while Offline
 
5. Open Chat Victim + Controller
 
6. Open Chat among all connected

 
Controllers
 --------------
 
1. Windows Pop-up Message Manager
 
2. Disable Keyboard
 
3. Send Keys to a remote Window

 
Misc. Manager
 --------------------
 
1. Full Screen Capture
 
2. Continues Thumbnail Capture
 
3. Flip Screen
 
4. Open FTP Server
 
5. Find Files
 
6. Capture from Computer Camera
 
7. List Recorded Passwords
 
8. List Cached Passwords
 
9. Clear Password List
 
10. Registry Editor
 
11. Send Text ot Printer

 File Manager
 ------------------
 
1. Show files/folders and navigate
 
2. List Drives
 
3. Execute Application
 
4. Enter Manual Command
 
5. Type path Manually
 
6. Download files
 
7. Upload files
 
8. Get File Size
 
9. Delete File
 
10. Play *.WAV
 
11. Set Wallpaper
 
12. Print *.TXT\*.RTF file
 
13. Show Image

 Window Manager
 ------------------------
 
1. List visible windows
 
2. List All Active Applications
 
3. Focus on Window
 
4. Close Window
 
5. Disable X (close) button
 
6. Hide a Window from view.
 
7. Show a Hidden Window
 
8. Disable Window
 
9. Enable Disabled Window

 Options Menu
 --------------------
 
1. Set Quality of Full Screen Capture
 
2. Set Quality of Thumbnail Capture
 
3. Set Chat font size and Colors
 
4. Set Client's User Name
 
5. Set local 'Download' Directory
 
6. Set Quick Help
 
7. Set Client Skin
 
8. Set Fun Manager Skin

 Edit Server
 --------------
 
1. PreSet Target Port
 
2. PreSet server Password
 
3. Attach EXE File
 
4. PreSet filename after installation
 
5. PreSet Registry Key
 
6. PreSet Autostart Method:
 Registry: Run
 Registry: RunSevices
 Win.ini
 Less known method
 
7. PreSet Fake error message
 
8. PreSet Connection Notify Username
 
9. PreSet Connection Notify ICQ#
 
10. PreSet Connection Notify email
 
11. PreSet Connection Notify IRC Chan.
 
12. PreSet IRC Port
 
13. Change Server *.exe Icon