Alias:
Type:Trojan 
Size:varied 
Origin:Holland 
Date:08-22-2000 
Damage: 
VDF Version:  
Danger:High 
Distribution:Low 

Technical Details

SubSeven is a backdoor program (like NetBus, Back Orifice etc.) that gives a hacker access to a system. It consists of a Server and a Client program that are used remotely across computer networks. Using the Client, the hacker can take control of a system infected by the Server (the Server is the Trojan). Newer versions of SubSeven also come with an Editserver, which is used to build differently configured Server files.

An infected system can thus be completely controlled through the Client. The following versions are known so far:
1. SubSeven Version 1.0 - 1.4
2. SubSeven Version 1.5
3. SubSeven Version 1.6
4. SubSeven Version 1.7
5. SubSeven Version 1.8
6. SubSeven Version 1.9 and SubSeven Apocalypse
7. SubSeven Version 2.0 - 2.2

1. SubSeven Version 1.0 - 1.4

When activated, the Server copies itself into the Windows folder. It also creates an autostart entry so that the virus is launched at every system start, either in the registry under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

or in WIN.INI under "load=" or "run=". Unfortunately, the name of the copy is not fixed, but in versions 1.0-1.4 it is usually "Systrayicon.exe", "window.exe" or "nodll.exe".

Removing:

First delete the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

and, if present, the WIN.INI entry under "load=" or "run=". Then restart Windows and delete the file "Systrayicon.exe", "window.exe" or "nodll.exe" from the Windows folder.

2. SubSeven Version 1.5

This version uses only the Win.ini file for its autostart function; the entry is under "run=".

Removing:

First delete the entry "run=kerne132.dl nodll" from Win.ini and restart Windows. Then delete the Trojan files "window.exe", "nodll.exe" and "winduh.dat" from the Windows folder.

3. SubSeven Version 1.6

SubSeven version 1.6 uses only the registry for the autostart function. The entry is

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

and is named "Kernel16".

Removing:

First delete the above mentioned registry entry and restart Windows. Then delete the files "SysTray.exe", "imdrki_33.dll", "pddt.dat" and "rundll16.com" from Windows System (usually c:\windows\system).

4. SubSeven Version 1.7

This is the first version that comes with "Editserver", which makes removal more difficult because the hacker can easily alter the Server.

Removing:

First delete the "Kernel16" registry entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

and restart Windows. Then delete the files "kernel16.dl" in Windows and "watching.dll" in Windows System (usually c:\windows\system).

5. SubSeven Version 1.8

This version has a more developed "Editserver", which gives the hacker more options: the file name and the way the infection is installed can be chosen. The infection can be done in one of 4 ways:
a. System.ini
b. Win.ini
c. Registry-Run
d. Registry-RunServices

Removing:

Since the infection uses only one of the four ways, you must first find which entry the virus uses. Then either:

a. change the entry "shell=Explorer.exe kerne132.dl" in System.ini to
"shell=Explorer.exe",
b. delete the entry "run=kerne132.dl" from Win.ini,
c. remove the registry entry "Kernel32" (it may have a different name, which you should note) under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or
d. remove the registry entry "Kernel32" (possibly with a different name) under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

Then restart the computer and delete the files "kerne132.dl" in the Windows folder and
"MVOKH_32.dll" in Windows System. If under c) or d) you found a different name instead of "Kernel32", delete the file that entry refers to.

6. SubSeven Version 1.9 and SubSeven Apocalypse

These versions are similar to version 1.8, except for the name of the file the Server copies to the system. There are again 4 ways of infection:
a. System.ini
b. Win.ini
c. Registry-Run
d. Registry-RunServices

Removing:

Since the infection uses only one of the four ways, you must first find which entry the virus uses. Then either:

a. change the entry "shell=Explorer.exe mtmtask.dl" in System.ini to
"shell=Explorer.exe",
b. delete the entry "run= mtmtask.dl" from Win.ini,
c. remove the registry entry "Kernel32" (it may have a different name, which you should note) under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or
d. remove the registry entry "Kernel32" (possibly with a different name) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

Then restart the computer and delete the file "mtmtask.dl" in the Windows folder. If under c) or d) you found a different file name instead of "mtmtask.dl", delete that file instead.

7. SubSeven Version 2.0 - 2.2

This version usually creates a file named MSREXE.exe in the Windows folder; the Server hides under this name, but any other name could be used. New in version 2.0 is that the Server protects itself against deletion by registering itself as the handler for executable files (*.exe): if the Server file is simply deleted, no application can be started and Windows itself will no longer boot. This makes the removal of SubSeven more difficult.

Removing:

First delete the registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Note the entries in Win.ini under "load=" or "run=" and in System.ini after
"shell=Explorer.exe" (usually MSREXE.exe), then remove them.

Now the following entry must be checked:
HKEY_CLASSES_ROOT\exefile\shell\open\command

The value should be "%1" %* (the standard value). If it also names "Windos.exe", "run.exe" or another executable file, note that name and location and set the entry back to the standard value "%1" %*.

Restart Windows and delete the files "Windos.exe", "run.exe" or the file whose name was entered in the registry. Finally, delete the Server (usually MSREXE.exe) from the Windows folder.
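As an added example (not part of the Avira description), the following Python script checks the autostart locations named above for all SubSeven versions: the "run="/"load=" lines in Win.ini, the "shell=" line in System.ini, the Run/RunServices entry names and the exefile handler value. It works on text and dictionary inputs so it runs offline; the sample data is constructed to mirror the entries named in the text, and reading the real files and registry keys on a Windows machine is assumed to be done by the caller.

```python
import re

STANDARD_SHELL = "explorer.exe"          # System.ini: shell=Explorer.exe
STANDARD_EXE_COMMAND = '"%1" %*'         # HKEY_CLASSES_ROOT exefile open command

def check_ini(text, section, keys):
    """Return suspicious (key, value) pairs from one INI section.
    keys maps a lower-case key name to its expected value (None = must be empty)."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current != section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in keys and value.lower() != (keys[key.lower()] or ""):
            findings.append((key, value))
    return findings

def check_exefile_command(value):
    """True if the exefile open command still has the standard value."""
    return value.strip() == STANDARD_EXE_COMMAND

def check_run_keys(values, known=("kernel16", "kernel32")):
    """Flag Run/RunServices entries named like the SubSeven ones in the text,
    or whose data points at a *.dl file (not *.dll), as the Server copies do."""
    return [(name, data) for name, data in values.items()
            if name.lower() in known or re.search(r"\.dl\b", data, re.I)]

def audit(win_ini, system_ini, run_values, exe_command):
    """Run all checks and return the findings per autostart location."""
    return {
        "win.ini": check_ini(win_ini, "windows", {"run": None, "load": None}),
        "system.ini": check_ini(system_ini, "boot", {"shell": STANDARD_SHELL}),
        "run_keys": check_run_keys(run_values),
        "exefile_hijacked": not check_exefile_command(exe_command),
    }

# Constructed sample input (not captured data) mirroring the 1.5, 1.9 and 2.x entries.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=kerne132.dl nodll\n[fonts]\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe mtmtask.dl\n"
SAMPLE_RUN_VALUES = {"Kernel32": "C:\\WINDOWS\\kerne132.dl", "ScanRegistry": "scanregw.exe"}
SAMPLE_EXE_COMMAND = 'C:\\WINDOWS\\Windos.exe "%1" %*'   # hijacked handler

if __name__ == "__main__":
    for location, result in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                                  SAMPLE_RUN_VALUES, SAMPLE_EXE_COMMAND).items():
        print(location, "->", result)
```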
Description inserted by Crony Walker on Tuesday, June 15, 2004
