BackDoor-Sub7

Type: Trojan
SubType: Remote Access
Discovery Date: 12/16/1999
Length: Varies
Minimum DAT: 4118 (01/31/2001)
Updated DAT: 4686 (01/31/2006)
Minimum Engine: 5.1.00
Description Added: 01/25/2000
Description Modified: 03/01/2003 1:29 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Note: If Vshield detects BackDoor-Sub7.svr active on your system, choose "Clean" instead of "Delete". "Delete" will try to perform a plain deletion, while "Clean" will close the trojan process if it is running, delete the trojan file, and remove the trojan autostart entries from win.ini, system.ini, and the registry.

Update March 1, 2003:
Sub7 Legends 2.15 was published today. Because of our generic detection techniques, no update is required to detect and remove the server portion of this new variant.

Update March 12, 2001:
Sub7 2.2 Beta was published by the Trojan author on March 9, 2001. McAfee AVERT has added detection for this edition of the Trojan in 4128 DAT.

This trojan has been consistently updated by its author. With each revision, updates are added to the DAT files as needed. Version "Sub7 2.13" may be detected as BackDoor-EP by the 4076 DATs; later DATs identify it as "BackDoor-Sub7.svr".

This trojan is the result of further development of the BackDoor-Sub7 trojan (v1.0 - v2.13) and offers the usual remote access to the user's files and data via the Internet.

By default the Trojan uses TCP port 27374, but this is configurable by the configuration program.

It is normally distributed as a Win32 PE exe dropper that may be disguised as a JPG or BMP picture. When run, the dropper installs two files into the WINDOWS folder of the user's hard disk: the main server exe file, normally called "MSREXE.EXE", and a loader program normally called "RUN.EXE", "WINDOS.EXE" or "MUEEXE.EXE".

These filenames are only the default names and can be changed by the trojan's configuration program. The main server exe file is identified as "BackDoor-Sub7.svr". The loader program is identified as "BackDoor-Sub7.ldr".

Two other files are associated with this trojan: the configuration program and the client program used to communicate with the main server program. These are identified as BackDoor-Sub7.cfg and BackDoor-Sub7.cli respectively. Neither hooks the operating system, and both may be safely deleted if detected on the system.

Symptoms

Files copied to the local system as described above; changes to the system registry as described above; strange or unexplained dialog boxes on the machine containing conversation, or keystrokes entered without your interaction.

Method of Infection

The trojan hooks into the host operating system in one or more of four ways:

1) Adds the name of the main server exe file to the run= line in the [windows] section of WIN.INI.

2) Adds the name of the main server exe file to the end of the shell= line in the [boot] section of SYSTEM.INI.

3) Adds the main server exe file to the registry under the keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices\

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\

4) Changes the way in which the operating system runs exe files by changing the registry value at
HKEY_CLASSES_ROOT\exefile\shell\open\command\
(Default)

from the default ["%1" %*] to [mueexe.exe "%1" %*] (brackets are not part of the value). This causes the operating system to run the loader program every time an executable file is launched. The loader program then runs the main server exe file (if it is not already running) and then runs the executable file that was originally requested.

The Trojan also registers the file extension .dl as an executable file type that the operating system will run just like any .exe file. This allows the attacker to download files onto the victim's system and run them. Because the extension is not usually associated with executable files, some virus scanners will not scan these files and the victim will not suspect them.

Removal

Removing this trojan is complicated by the depth to which it hooks the operating system.

One trick that AVERT has discovered is to rename or copy the registry editing program from its original .EXE extension to a .COM extension (as in REGEDIT.COM). A .COM file is not launched through the exefile association, so this bypasses the problem created by removing the trojan before editing the registry (once the loader named in the hijacked exefile command is gone, no .EXE, REGEDIT.EXE included, will start). This allows you to remove references to trojans and Internet worms.

To repair the registry via a registry script file, download this UNDO.REG file, and open it.

--- Manual Removal Instructions ---

1) Identify and note the files associated with this trojan as detected by the scanner.

2) Click START|RUN, type

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER

3) Click START|RUN, type REGEDIT.COM and hit ENTER

4) Remove references to the trojan from these keys of the registry

HKCR\exefile\shell\open\command\

HKLM\Software\CLASSES\exefile\
shell\open\command

They should contain only the value "%1" %* (the double quotes around %1 are part of the value).

5) If applicable, remove any keys that run the main trojan under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\
Installed Components\KeyName\

6) If applicable, delete the registry key if it exists

HKEY_CLASSES_ROOT\.dl

and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all is well, the files should delete without error. If you get an error message saying that Windows is unable to delete the file because it is in use, then a step above was missed; repeat steps 1 to 9 and try again.
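The following is an added audit script; it is not part of the McAfee advisory and not McAfee tooling. It checks a Windows system, read-only, for the four hooks listed under Method of Infection and for the clean state the removal steps expect: an exefile command of exactly "%1" %*, a system.ini shell= of only EXPLORER.EXE, an empty win.ini run= line, no HKEY_CLASSES_ROOT\.dl key, and no Run, RunServices or Active Setup entry naming one of the advisory's default file names. Assumptions: Windows PowerShell 3.0 or later in an elevated prompt; the file-name list is the advisory's defaults, which the configuration program can change; the Active Setup check reads the StubPath value, which the advisory does not name; and the listener check uses the default port 27374, which is likewise configurable.

```powershell
# Added example (not McAfee's tooling): read-only audit of the BackDoor-Sub7
# autostart hooks described in the advisory. Assumes Windows PowerShell 3.0+
# in an elevated prompt. Changes nothing; prints findings for manual review.

# Default file names from the advisory. ASSUMPTION: the config program can
# rename them, so an empty match list is necessary, not sufficient.
$Sub7DefaultNames = @('msrexe.exe', 'mueexe.exe', 'windos.exe', 'run.exe')
$Findings = New-Object System.Collections.Generic.List[string]

function Test-Sub7Name {
    param([string]$Command)
    foreach ($n in $Sub7DefaultNames) {
        if ($Command -and $Command.ToLower().Contains($n)) { return $true }
    }
    return $false
}

# Minimal INI reader for hooks 1 and 2 (win.ini run=, system.ini shell=).
function Get-IniValue {
    param([string]$Path, [string]$Section, [string]$Key)
    if (-not (Test-Path -Path $Path)) { return $null }
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if ($inSection -and $t -match ('^' + $Key + '\s*=\s*(.*)$')) { return $Matches[1].Trim() }
    }
    return $null
}

$run = Get-IniValue -Path (Join-Path $env:windir 'win.ini') -Section 'windows' -Key 'run'
if ($run) { $Findings.Add("win.ini [windows] run= is not empty: '$run'") }

$shell = Get-IniValue -Path (Join-Path $env:windir 'system.ini') -Section 'boot' -Key 'shell'
if ($shell -and ($shell -ine 'explorer.exe')) {
    $Findings.Add("system.ini [boot] shell= should be only explorer.exe, found: '$shell'")
}

# Hook 3: Run / RunServices values, plus Active Setup StubPath entries (removal step 5).
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices')) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        Write-Output ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)   # list every entry for review
        if (Test-Sub7Name "$($p.Value)") { $Findings.Add("$key\$($p.Name) names a Sub7 default file") }
    }
}
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
if (Test-Path -Path $asRoot) {
    foreach ($sub in Get-ChildItem -Path $asRoot) {
        $stub = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).StubPath
        if (Test-Sub7Name "$stub") { $Findings.Add("Active Setup $($sub.PSChildName) StubPath: '$stub'") }
    }
}

# Hook 4: the exefile handler must be exactly "%1" %* with nothing prepended (removal step 4).
$Expected = '"%1" %*'
foreach ($key in @('Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
                   'HKLM:\SOFTWARE\Classes\exefile\shell\open\command')) {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($null -ne $cmd -and $cmd -ne $Expected) {
        $Findings.Add("$key (Default) is [$cmd], expected [$Expected]")
    }
}

# .dl registered as an executable file type (removal step 6).
if (Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\.dl') {
    $Findings.Add('HKEY_CLASSES_ROOT\.dl exists; the advisory says Sub7 registers .dl as executable')
}

# Default listener port from the advisory (configurable, so absence proves little).
# Get-NetTCPConnection exists on Windows 8 / Server 2012 and later only.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 27374 -State Listen -ErrorAction SilentlyContinue
    if ($listener) { $Findings.Add("Something is listening on TCP 27374 (PID $($listener.OwningProcess))") }
}

if ($Findings.Count -eq 0) { Write-Output 'No Sub7-style autostart hooks found.' }
else { $Findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it once before the manual removal to record what is present, and again after step 10 to confirm every hook is gone. An empty finding list means the autostart points the advisory lists are clean; because the file names and the port are configurable, a scan with current DATs remains the authoritative check for the server and loader files themselves.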

Variants

  • Sub7 Defcon8 2.1
  • Sub7 2.2 Beta

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BackDoor-G2
  • BackDoor-G2.svr
  • BackDoor-G2.svr.gen
  • BackDoor-G22.svr
  • BackDoor-Sub7.svr
  • BackDoor.IRC.Mata (AVP)
  • BackDoor.PolyDrop
  • Backdoor.Subseven.22.a (NAV)
  • BackDoor/SubSeven2.2 (CAI)
  • Badman Trojan
  • Serbian Badman Trojan
  • Sub7 v2.x
  • SubSeven v2.0
  • SubSeven v2.1
  • SubSeven v2.1 Gold
  • SubSeven v2.12
  • SubSeven v2.13
  • SubSeven v2.2 Beta
  • Troj.Sub7 (Panda)
  • Troj_Sub7.22.d (Trend)
  • TROJ_SUB7.MUIE
  • Troj_Sub7.v20 (Trend)
  • Trojan.PSW.Pet.e (AVP)
  • TSB Trojan
