SubSeven (1.9)
Server name: SubSeven
Version: 1.9
Different versions:  [1.0][1.1][1.2][1.3][1.4][1.5][1.6][1.7][1.8][1.9][Apocalypse][2.0][2.1][2.1 Bonus][2.1 Defcon][2.1 ICQ Fix][2.1 Gold][2.1 MUIE][2.2 beta 1][2.2 beta 2][2.2]
Tested: Yes, on Windows 95 and Windows NT
Server size: 327K
Server files: server.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: Yes, varies from Registry, System.ini, Win.ini
Default port: 1243 TCP
Can port be changed: Yes

Server Features

  • Change resolution 
  • Change server port 
  • Change time and date 
  • Change windows colors 
  • Disable keyboard 
  • Download/upload 
  • Edit registry 
  • File explorer 
  • Flip screen 
  • Get cached passwords 
  • Hangup modem 
  • Hide/move mouse 
  • Hide/show desktop/start button/taskbar 
  • ICQ Spy (Intercept ICQ msgs) 
  • ICQ/IRC/Email notify 
  • Info about computer 
  • Keylog 
  • Message manager 
  • Move mouse 
  • Open browser 
  • Open/close cdrom 
  • Play wav 
  • Print 
  • Print a txt file 
  • Record sound 
  • Scroll/nums/caps locks on/off 
  • Send keys 
  • Set volume 
  • Set volume 
  • Set wallpaper 
  • Show image 
  • Skin able client 
  • Start/stop speaker 
  • Update server 
  • View/disable x/show/hide/focus/close applications 
  • Webcam   

 
Comments 
SubSeven 1.9 comes with 2 new features. The first feature is its ICQ spy. This allows the "hacker" to intercept your ICQ messages. The other new feature it has is in the editserver program. The "hacker" can now add bytes onto the server file and the keystroke recorder. Other then that and changing the default filename for the trojan from kerne132.dl to mtmtask.dl nothing has changed.

Note: This is a trojan that can be submitted to us for analysis. We can possibly determine for you the password that was used and the ICQ UIN, Email or IRC channel that was being notified. For more information on submitting trojan files to us read here.

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Remove the KERNEL32 key in the registry located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Which can be done with regedit or any other registry editing program.
  2. Open the system.ini(Usually c:\windows\system.ini) and change the key: shell=Explorer mtmtask.dl under [boot] to shell=Explorer.exe, this can be done with any text editing program. 
  3. Open the win.ini(Usually c:\windows\win.ini) and remove the key: run=mtmtask.dl under [Windows], this can be done with any text editing program.
  4. Reboot the computer or close the trojan.
  5. Delete the trojan file mtmtask.dl in the windows directory.

 
Related 
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.