BackDoor-G

Type: Trojan
SubType: Remote Access
Discovery Date: 04/15/1999
Length:
Minimum DAT: 4026 (05/19/1999)
Updated DAT: 4026 (05/19/1999)
Minimum Engine: 5.1.00
Description Added: 05/27/1999
Description Modified: 12/11/2000 5:06 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a Windows 9x Internet Backdoor trojan. When running it gives virtually unlimited access to the system over the Internet to anyone running the appropriate client software.

This trojan installs 3 files on the system in WINDOWS and WINDOWS\SYSTEM.

NODLL.EXE - This exe is installed in the WINDOWS folder. It is used to load the main trojan server and is called from an entry in the run= line of WIN.INI. This file is identified as BackDoor-G.ldr.

SERVER.EXE or KERNEL16.DL or WINDOW.EXE - This exe is installed in the WINDOWS folder. It is the main trojan server: it receives and carries out commands from the client software via the Internet. This file is identified as BackDoor-G.srv. This program is usually the first file that the user receives and contains copies of the other 2 files.

WATCHING.DLL or LMDRK_33.DLL - This dll is copied to the WINDOWS\SYSTEM folder. This file is used by the trojan server program to monitor the Internet for connections from the client software. This file is identified as "BackDoor-G.dll".

Other files associated with this trojan are the client program which is identified as "BackDoor-G.cli" and a configuration program which is identified as "BackDoor-G.cfg".

NOTE: The filenames given above are only a guide, as the configuration program can be used to change the names of the files used.

Symptoms

Files copied to the local system as listed above, changes to WIN.INI, SYSTEM.INI and the system registry as described under Method of Infection, and strange or unexplained dialogue boxes on the machine with conversation or keystrokes entered without your interaction.

Method of Infection

The trojan hooks into the host operating system in one or more of 4 different ways:

1) Adds the name of the main server exe file to the run= line in the [windows] section of WIN.INI.

2) Adds name of the main server exe file to the end of the shell= line in the [boot] section of SYSTEM.INI.

3) Adds the main server exe file to the registry under the keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

4) Changes the way in which the operating system runs exe files by changing the registry value at
HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

from

    "%1" %*

to

    mueexe.exe "%1" %*

(mueexe.exe is one name used for the loader; as the NOTE above says, the configuration program can change it). This causes the operating system to run the loader program every time an executable file is launched. The loader then starts the main server exe (if it is not already running) and then runs the executable file requested by the operating system.

The trojan also registers the file extension .dl as an executable file type that can be run by the operating system just like any .exe file. This allows the attacker to download files onto the victim's system and run them. Because the extension is not usually associated with executable files, some virus scanners will not scan these files and the victim will not suspect them.
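The persistence points listed above can be checked offline against copies of WIN.INI, SYSTEM.INI and a REGEDIT export taken from the suspect machine. The following Python is an added example written for this page, not AVERT's tooling: the three inputs at the bottom are constructed, and the KNOWN_NAMES list is only the page's guide, since the NOTE above says the configuration program can rename the files (which is why any .dl file in a launch point is also flagged).

```python
"""Offline check for the BackDoor-G persistence hooks listed above.

Added example for this page (not AVERT's code). WIN_INI, SYSTEM_INI and
REG_EXPORT are constructed inputs; KNOWN_NAMES is only the page's guide,
since the configuration program can rename the files.
"""
import re

CLEAN_EXE_COMMAND = '"%1" %*'   # stock exefile\shell\open\command (Default)
CLEAN_SHELL = "explorer.exe"    # stock shell= in the [boot] section
KNOWN_NAMES = {"nodll.exe", "server.exe", "kernel16.dl", "window.exe",
               "mueexe.exe", "watching.dll", "lmdrk_33.dll"}
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"


def ini_value(text, section, key):
    """Value of key= inside [section] of an INI file, or None if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def parse_reg_export(text):
    """REGEDIT4/5 export -> {key path (lowercased): {value name: data}}.

    Only REG_SZ lines are decoded, which is all these hooks use; '@' is
    the (Default) value; the backslash and quote escapes are undone.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def suspicious(command):
    """True if a command line names a KNOWN_NAMES file or any .dl file."""
    for token in command.replace('"', " ").split():
        base = token.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_NAMES or base.endswith(".dl"):
            return True
    return False


def check_hooks(win_ini, system_ini, reg_export):
    """Return [(hook, detail)] for each persistence point that is in use."""
    findings = []
    run = ini_value(win_ini, "windows", "run")
    if run:                                        # 1) WIN.INI run=
        findings.append(("WIN.INI run=", run))
    shell = ini_value(system_ini, "boot", "shell") or ""
    extra = [p for p in shell.split() if p.lower() != CLEAN_SHELL]
    if extra:                                      # 2) SYSTEM.INI shell=
        findings.append(("SYSTEM.INI shell=", " ".join(extra)))
    reg = parse_reg_export(reg_export)
    for sub in ("Run", "RunServices"):             # 3) Run / RunServices
        for name, data in reg.get(CV + "\\" + sub.lower(), {}).items():
            if suspicious(data):
                findings.append((sub, f"{name} = {data}"))
    for key in (r"hkey_classes_root\exefile\shell\open\command",
                r"hkey_local_machine\software\classes\exefile\shell\open\command"):
        cmd = reg.get(key, {}).get("(Default)")
        if cmd is not None and cmd != CLEAN_EXE_COMMAND:
            findings.append(("exefile hijack", cmd))  # 4) .exe association
    dl = reg.get(r"hkey_classes_root\.dl")         # .dl made executable
    if dl is not None:
        findings.append((".dl registered", dl.get("(Default)", "")))
    return findings


# Constructed sample inputs showing all of the hooks at once.
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\NODLL.EXE
"""
SYSTEM_INI = r"""[boot]
shell=Explorer.exe KERNEL16.DL
"""
REG_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mueexe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.dl]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTrayIcon"="C:\\WINDOWS\\SERVER.EXE"
"""

if __name__ == "__main__":
    for hook, detail in check_hooks(WIN_INI, SYSTEM_INI, REG_EXPORT):
        print(f"{hook:18} {detail}")
```

Run/RunServices entries are only reported when they point at a file from the page's list or at a .dl file; on a real machine, review every entry in those keys by hand as well, since a renamed server will not match.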

Removal

Removing this trojan is complicated by the depth to which it hooks the operating system. Because the .EXE file association has been redirected through the loader, deleting the trojan files before the registry is repaired leaves Windows unable to launch any .EXE, REGEDIT.EXE included.

One trick that AVERT has discovered is to copy the registry editing program from its original .EXE name to a .COM extension (as in REGEDIT.COM). A .COM file is launched through a separate file association, so the copy still runs after the trojan has been removed, and you can then remove the references left by trojans and Internet worms.

To repair the registry via a registry script file, download this UNDO.REG file, and open it.

--- Manual Removal Instructions ---

1) Identify and note the files associated with this trojan as detected by the scanner.

2) Click START|RUN, type

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER

3) Click START|RUN, type REGEDIT.COM and hit ENTER

4) Remove references to the trojan from these keys of the registry

HKCR\exefile\shell\open\command\

HKLM\Software\CLASSES\exefile\
shell\open\command

They should contain only the following value:

    "%1" %*

5) If applicable, remove any keys that run the main trojan under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\
Installed Components\KeyName\

6) If applicable, delete the registry key if it exists

HKEY_CLASSES_ROOT\.dl

and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all went well, the files will delete normally. If you get an error message saying that Windows is unable to delete the file because it is in use, the trojan is still running and a step above was missed. Repeat steps 1 to 9 and try again.
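Steps 4 to 6 above can be carried out with a registry script instead of editing the keys by hand. The Python below builds such a script; it is an added example for this page, not AVERT's UNDO.REG. The value names and Active Setup key name passed to it must come from your own notes in step 1 (the ones under __main__ are constructed, and KeyName is the page's placeholder).

```python
"""Write a REGEDIT4 repair script covering manual removal steps 4 to 6.

Added example for this page, not AVERT's UNDO.REG. The value names and
Active Setup key passed in must come from your own notes in step 1; the
ones used under __main__ are constructed.
"""

CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"
EXEFILE_KEYS = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command")


def reg_string(value):
    """Quote a REG_SZ value for a .reg file: escape backslashes, then quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_undo_reg(run_values=(), runservices_values=(),
                   active_setup_keys=(), remove_dl=True):
    """Return REGEDIT4 text that reverses the registry hooks.

    .reg syntax used: @=...  sets a key's (Default) value,
    "name"=-  deletes a value, and [-key] deletes a whole key.
    """
    lines = ["REGEDIT4", ""]
    for key in EXEFILE_KEYS:                   # step 4: restore "%1" %*
        lines += [f"[{key}]", "@=" + reg_string('"%1" %*'), ""]
    for sub, names in (("Run", run_values),    # step 5: drop launch values
                       ("RunServices", runservices_values)):
        if names:
            lines.append(f"[{CV}\\{sub}]")
            lines += [f'"{name}"=-' for name in names]
            lines.append("")
    for key in active_setup_keys:              # step 5: Active Setup key
        lines += [f"[-{ACTIVE_SETUP}\\{key}]", ""]
    if remove_dl:                              # step 6: .dl no longer runs
        lines += [r"[-HKEY_CLASSES_ROOT\.dl]", ""]
    return "\r\n".join(lines)   # CRLF and a trailing blank line, as REGEDIT expects


if __name__ == "__main__":
    # Constructed findings; substitute the names recorded in step 1.
    script = build_undo_reg(runservices_values=["SystemTrayIcon"],
                            active_setup_keys=["KeyName"])
    with open("UNDO.REG", "w", newline="") as fh:
        fh.write(script)
    print(script)
```

Open the resulting file from REGEDIT.COM (step 3) rather than by double-clicking it: .reg files are merged through REGEDIT.EXE, which the hijacked .EXE association may not launch while the trojan is present.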

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Sub7
  • SubSeven
