Backdoor/SubSeven - Comcast.net

Old 17 January 2004, 05:55 PM
  #1  
douglasb
Scooby Regular
Thread Starter
Join Date: Jun 2003
Location: use the Marauder's Map to find out.
Posts: 2,041

A few questions.

The most common attack that Norton Firewall reports is "Backdoor/SubSeven Trojan". What is Backdoor/SubSeven and what does it do? What are people trying to achieve by using this?

Also, bearing in mind the number of ISPs around the world it strikes me as suspicious that several recent attacks have originated from comcast.net IP addresses. Any thoughts, opinions or ideas about Comcast?

Doug
Old 17 January 2004, 06:40 PM
  #2  
Nicks VR4
Scooby Regular
Join Date: May 2003
Posts: 1,165

Here you go

SubSeven is a Windows 9x Internet backdoor trojan. When running it gives virtually unlimited access to the system over the Internet to anyone running the appropriate client software.

This trojan installs 3 files on the system in WINDOWS and WINDOWS\SYSTEM.

NODLL.EXE - This exe is installed in the WINDOWS folder. It is used to load the main trojan server. It is called from an entry in the 'run=' line of WIN.INI. This file is identified as BackDoor-G.ldr.

SERVER.EXE or KERNEL16.DL or WINDOW.EXE - This exe is installed in the WINDOWS folder. This file is the main trojan; it receives and carries out commands from the client software via the Internet. This file is identified as BackDoor-G.srv. This program is usually the first file that the user receives and contains copies of the other 2 files.

WATCHING.DLL or LMDRK_33.DLL - This dll is copied to the WINDOWS\SYSTEM folder. This file is used by the trojan server program to monitor the Internet for connections from the client software. This file is identified as "BackDoor-G.dll".

Other files associated with this trojan are the client program, which is identified as "BackDoor-G.cli", and a configuration program, which is identified as "BackDoor-G.cfg".

NOTE: The filenames given above are only a guide, as the configuration program can be used to change the names of the files used.

Symptoms
Files copied to the local system as mentioned above, changes to the system registry as mentioned below, strange or unexplained dialogue boxes on the machine with conversation or keystrokes entered without your interaction.

Method Of Infection
The trojan hooks into the host operating system in one or more of 4 different ways:
1) Adds the name of the main server exe file to the run= line in the [windows] section of WIN.INI.

2) Adds name of the main server exe file to the end of the shell= line in the [boot] section of SYSTEM.INI.

3) Adds the main server exe file to the registry under the keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

4) Changes the way in which the operating system runs exe files by changing the registry value at
HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

from ""%1" %*" to "mueexe.exe "%1" %*". This causes the operating system to run the loader program every time an executable file is launched. The loader program then runs the main server exe file (if not already running) and then runs the executable file requested by the operating system.

The trojan also registers the file extension .dl as an executable file type that can be run by the operating system just like any .exe file. This allows the attacker to download files onto the victim's system and run them. Because the extension is not usually associated with executable files, some virus scanners will not scan these files and the victim will not suspect them.

Removal Instructions
The order to remove this trojan is complicated by the depth to which the trojan hooks the operating system.
One trick that AVERT has discovered is to rename the registry editing program from its original .EXE to a .COM extension (as in REGEDIT.COM). This will bypass the limitations created by removing the trojan prior to editing the registry. This will allow you to remove references to trojans and Internet worms.

To repair the registry via a registry script file, download this UNDO.REG file, and open it.

--- Manual Removal Instructions ---

1) Identify and note the files associated with this trojan as detected by the scanner.

2) Click START|RUN, type

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER
3) Click START|RUN, type REGEDIT.COM and hit ENTER

4) Remove references to the trojan from these keys of the registry

HKCR\exefile\shell\open\command\

HKLM\Software\CLASSES\exefile\shell\open\command

They should contain only the value (not including the brackets)
["%1" %*].

5) If applicable, remove any keys that run the main trojan under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName\

6) If applicable, delete the registry key if it exists

HKEY_CLASSES_ROOT\.dl

and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all is well the files should be deleted OK. If you get an error message saying that windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.


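The removal procedure above is a manual walk through five persistence hooks (the WIN.INI run= line, the SYSTEM.INI shell= line, the Run/RunServices keys, the exefile open-command hijack and the .dl extension registration). The following Python script is an added example, not code from the post or from AVERT: it reads a REGEDIT4-style .reg export plus WIN.INI and SYSTEM.INI as text and reports each of those hooks, so the checks in steps 4 to 8 can be repeated consistently before and after cleanup. The .reg and .ini contents below are constructed for the demo, and the filename list is just the indicator names the post gives, which the post itself says are configurable, so a "review" finding is a prompt to look rather than a verdict.

```python
"""Audit the Win9x persistence hooks the write-up attributes to SubSeven.
Added example (not from the forum post or AVERT): it reads a REGEDIT4-style
.reg export plus WIN.INI and SYSTEM.INI and reports the hooks the post lists.
Sample inputs below are constructed for the demo."""
import re

# Filenames given in the write-up. It warns they are only a guide (the
# configuration program can rename them), so a miss here proves nothing.
INDICATOR_NAMES = {"nodll.exe", "server.exe", "kernel16.dl", "window.exe",
                   "watching.dll", "lmdrk_33.dll", "mueexe.exe"}
CLEAN_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEYS = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command")
AUTORUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
                r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices")


def parse_ini(text):
    """Return {section: {key: value}} for a WIN.INI/SYSTEM.INI style file."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_export(text):
    """Return {key (lowercased): {value_name: data}} from a .reg export.
    '@' is the (Default) value; only quoted REG_SZ data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\
            keys[current][name] = data
    return keys


def basename(command):
    """First program named on a command line, path stripped, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split()[0] if command else ""
    return re.split(r"[\\/]", token)[-1].lower()


def audit(reg_text, win_ini_text, system_ini_text):
    """Return a list of (hook, location, data) findings; [] means clean."""
    reg, findings = parse_reg_export(reg_text), []
    for key in EXEFILE_KEYS:  # hook 4: loader prepended to the exe command
        default = reg.get(key.lower(), {}).get("@")
        if default is not None and default.strip() != CLEAN_EXEFILE_COMMAND:
            findings.append(("exefile hijack", key, default))
    for key in AUTORUN_KEYS:  # hook 3: every entry listed, indicators marked
        for name, data in reg.get(key.lower(), {}).items():
            tag = "indicator" if basename(data) in INDICATOR_NAMES else "review"
            findings.append(("autorun " + tag, key + "\\" + name, data))
    dl = reg.get(r"hkey_classes_root\.dl")  # .dl made an executable type
    if dl is not None:
        findings.append((".dl registered", r"HKEY_CLASSES_ROOT\.dl", dl.get("@", "")))
    run = parse_ini(win_ini_text).get("windows", {}).get("run", "")
    if run:  # hook 1: run= is normally empty on Win9x
        tag = "indicator" if basename(run) in INDICATOR_NAMES else "review"
        findings.append(("win.ini run= " + tag, "WIN.INI [windows] run=", run))
    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    if [t for t in shell.split() if t.lower() != "explorer.exe"]:  # hook 2
        findings.append(("system.ini shell= extra", "SYSTEM.INI [boot] shell=", shell))
    return findings


# Constructed sample inputs showing every hook at once.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mueexe.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\WINDOWS\\SERVER.EXE"

[HKEY_CLASSES_ROOT\.dl]
@="exefile"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\NODLL.EXE\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe KERNEL16.DL\nsystem.drv=system.drv\n"

if __name__ == "__main__":
    print(*audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI), sep="\n")
```

On a real machine the .reg text would come from an export taken before cleaning (regedit /e writes one); the script only reads text and changes nothing, which is the point of doing the inventory in step 1 before touching the registry. Because the exefile hijack makes every .EXE launch pass through the loader, the comparison against the clean "%1" %* value is the check worth running again after the reboot in step 9, before deleting the files in step 10.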
Old 17 January 2004, 06:43 PM
  #3  
SiDHEaD
Scooby Regular
Join Date: Apr 2002
Location: Birmingham
Posts: 9,196

Ahhh, I remember a few years ago when everyone was infected with this, and not many people had firewalls.

You used to be able to scan ips for people infected and nip onto their machine and download cool stuff.

I once had to edit someone's autoexec.bat to have format in it (with echo y) because they had a load of paedo **** on their PC.

Andy
All times are GMT +1.