Subseven 2.0

SubSeven (2.0)
Server name: SubSeven
Version: 2.0
Different versions: [1.0][1.1][1.2][1.3][1.4][1.5][1.6][1.7][1.8][1.9][Apocalypse][2.0][2.1][2.1 Bonus][2.1 Defcon][2.1 ICQ Fix][2.1 Gold][2.1 MUIE][2.2 beta 1][2.2 beta 2][2.2]
Tested: Yes, on Windows 95 and Windows NT
Server size: 328K
Server files: server.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: Yes, varies from Registry, System.ini, Win.ini
Default port: 1243 TCP, ICQ Spy: 54283 TCP, Key Logger: 2773 TCP, Matrix: 7215 TCP
Can port be changed: Yes

Server Features

App redirect
Change resolution
Change server port
Change time and date
Change windows colors
Compress/Decompress file before and after transfer
Disable keyboard
Download/upload
Edit File
Edit registry
File explorer
Flip screen
Get AIM/ICQ users and passwords
Get cached passwords
Get server home info(Address, name, phone number, etc..)
Hangup modem
Hide/move mouse
Hide/show desktop/start button/taskbar
ICQ Spy
ICQ/IRC/Email notify
Info about computer
IP Scanner
IP Tool
Keylog
Message manager
Microsoft Messenger Spy
Move mouse
Open browser
Open/close cdrom
Perform clicks on server's desktop
Ping server
Play wav
Print
Print a txt file
Record sound
Restart server
Scroll/nums/caps locks on/off
Send keys
Set volume
Set volume
Set wallpaper
Set/Change screen saver settings
Show image
Start/stop speaker
The matrix(Black screen, green writing..)
Update server
View/disable x/show/hide/focus/close applications
Webcam
Yahoo Messenger Spy

Comments
SubSeven 2.0 fixes various bugs from the previous version. This version does have a lot of new features. It can now intercept ICQ, AIM and Microsoft Messenger messages. Plus it can steal ICQ and AIM accounts. The EditServer has changed into a wizard type program. It now can lock the password and port so they can't be changed, melt the server (delete the original file), and lock the configurations with a password so they can't be read by another person. That last feature of locking passwords can be easily defeated.

Note: This is a trojan that can be submitted to us for analysis. We can possibly determine for you the password that was used and the ICQ UIN, Email or IRC channel that was being notified. For more information on submitting trojan files to us read here.

How To Remove
Quick fix: no quick fix programs
Manual removal:

Remove the KERNEL32 key in the registry located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Which can be done with regedit or any other registry editing program.
Open the system.ini(Usually c:\windows\system.ini) and change the key: shell=Explorer mtmtask.dl under [boot] to shell=Explorer.exe, this can be done with any text editing program.
Open the win.ini(Usually c:\windows\win.ini) and remove the key: run=mtmtask.dl under [Windows], this can be done with any text editing program.
Change the default value at HKEY_CLASSES_ROOT\exefile\shell\open\command to nothing("").
Reboot the computer or close the trojan.
Delete the trojan file mtmtask.dl in the windows directory. Do note that SubSeven does make some registry modifications but they do not appear to be important and need not to be changed.

Related
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page

Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved.
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal.
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.