Name: Subseven 2.2 beta

 

Main: server.exe 54.5 KB (55,882 bytes)

 

Keys: Keys added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\yehdwibj

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC

 

Values added: 11

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\Fhofrira.2.2\freire2.rkr"

Type: REG_BINARY

Data: A5, 00, 00, 00, 06, 00, 00, 00, 80, 5B, 6B, 07, EF, 4A, C1, 01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\yehdwibj "StubPath"

Type: REG_SZ

Data: C:\WINDOWS\SYSTEM\yehdwibj.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC " ⼦"

Type: REG_SZ

Data: }h

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC " ⼦"

Type: REG_SZ

Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC " ⺡"

Type: REG_SZ

Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC " ޹"

Type: REG_SZ

Data: }wddg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC "æ"

Type: REG_SZ

Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC "Ӹ"

Type: REG_SZ

Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC "ϯ"

Type: REG_SZ

Data:  fykhZWtmϨ˴٫TAW   ި܌v~wdd~DA>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC "ϲ"

Type: REG_SZ

Data: } șfb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "RunDLL32"

Type: REG_SZ

Data: C:\WINDOWS\SYSTEM\fsayc.exe

 

Values changed: 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"

Old type: REG_BINARY

New type: REG_BINARY

Old data: A5, 00, 00, 00, 6E, 18, 00, 00, 20, 18, 71, F0, EE, 4A, C1, 01

New data: A5, 00, 00, 00, 6F, 18, 00, 00, 80, 5B, 6B, 07, EF, 4A, C1, 01

 

Version: 2.2 beta

 

Type: remote access trojan

 

Port/s used: 27374 tcp

 

Files: c:\WINDOWS\SYSTEM\fsayc.exe Size: 55,882 bytes

c:\WINDOWS\SYSTEM\yehdwibj.exe Size: 55,882 bytes*

*These file names are random; each infection uses different names.

 

Modifies: c:\WINDOWS\SERVICES

Old size: 6,007 bytes

New size: 6,007 bytes

c:\windows\system.ini, [boot] "shell"

Old value: Explorer.exe

New value: Explorer.exe C:\WINDOWS\SYSTEM\fsayc.exe *

*This file name is random; each infection uses a different name.

 

Aliases: none

 

Behaviour: Once executed, the trojan server runs in stealth, listening on port 27374. If configured to, the server may also log the infected computer into an IRC channel and/or send an ICQ pager message to the hacker containing the victim's IP address and the port the server is listening on.

 

Removal: This version can be very difficult to remove; it is strongly advised to use an anti-trojan program to remove it. The removal instructions below may not remove all infections: the trojan server is highly configurable and has many infection routines.

 

Open regedit (click Start, choose Run, type regedit, then click OK). When regedit has opened, follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\

Look for a strangely named key around 8 characters long. Double-click the key, then open the "StubPath" value. Note down the file name and path its data points to, then delete the whole key.

 

Still in regedit, follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENC

Right-click the ENC key and choose Delete.

 

Keep regedit open and follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Double-click the "RunDLL32" value and note down the file name and path its data points to, then delete the "RunDLL32" value.

 

Open system.ini (click Start, choose Run, type system.ini, then click OK).

Look for a line that reads

shell=Explorer.exe random.exe *

Delete the random.exe part so that the line reads shell=Explorer.exe only. Close system.ini and choose to save changes. Reboot.

*random.exe refers to the file previously noted down from the "RunDLL32" value.

 

When Windows has rebooted, delete the files noted down in the previous steps.
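The checks behind the steps above, written as an added defender-side script that is not part of the original page: it runs over constructed samples modelled on the findings listed at the top, flags the Active Setup, RunServices and ENC footholds plus anything appended to the system.ini shell= line, and decodes the ROT13-obfuscated UserAssist value name that produced the HRZR_EHACNGU entry. The "key\value" to data map, the GUID-shaped sample entry and the file names are assumptions for the example.

```python
import codecs
import re

# Constructed samples modelled on this page's findings; not real captures.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\fsayc.exe\n[386Enh]\n"
SAMPLE_REGISTRY = {  # hypothetical "key\\value" -> data map, as an export tool might give it
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\yehdwibj\\StubPath":
        "C:\\WINDOWS\\SYSTEM\\yehdwibj.exe",
    # constructed GUID-named entry standing in for a legitimate Active Setup component
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{12345678-1234-1234-1234-123456789ABC}\\StubPath":
        "C:\\WINDOWS\\SYSTEM\\legit.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\\RunDLL32":
        "C:\\WINDOWS\\SYSTEM\\fsayc.exe",
    "HKLM\\SOFTWARE\\Microsoft\\ENC": "",  # key presence alone is the indicator
}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def shell_extra_programs(ini_text):
    """Return anything appended after Explorer.exe on the [boot] shell= line."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            tokens = line.split("=", 1)[1].split()
            return [t for t in tokens if t.lower() != "explorer.exe"]
    return []

def suspicious_registry(values):
    """Flag the three registry footholds this page lists as (kind, name, data) tuples."""
    findings = []
    for path, data in values.items():
        parts = path.split("\\")
        low = path.lower()
        if "\\active setup\\installed components\\" in low and parts[-1].lower() == "stubpath":
            if not GUID_RE.match(parts[-2]):  # genuine components are GUID-named; the trojan's is not
                findings.append(("active_setup", parts[-2], data))
        elif low.endswith("\\currentversion\\runservices\\rundll32"):
            findings.append(("runservices", parts[-1], data))  # page: points at a randomly named .exe
        elif low.endswith("\\software\\microsoft\\enc"):
            findings.append(("enc_key", parts[-1], data))  # the server's configuration store
    return findings

def decode_userassist(value_name):
    """UserAssist value names are ROT13; decoding shows where the server was launched from."""
    return codecs.decode(value_name, "rot_13")
```

On a live machine the same checks can be fed from a regedit export and a copy of system.ini; the constructed samples only stand in for those.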

 

Special: This version of Subseven can be very difficult to remove and for virus scanners to detect.

Author: mobman

 

Notes: Subseven has been labelled one of the most advanced trojans ever coded. Its creator is constantly working on newer, more advanced versions. Subseven is easy to use and can turn a novice into a potentially dangerous "hacker"; because of this, Subseven is very widespread.

Mobman honed his coding skills on the previous versions, and from 2.1 onwards Subseven has been a tight and extremely well coded trojan.