Backdoor-G aka SubSeven v1.0 - 2.1c Removal
The SubSeven Trojan has the exact same feature list as NetBus, with one original feature: the server can send the hacker your IP address whenever you connect to the internet, by any of email, IRC, or ICQ.
New with version 2.1, the Trojan can be controlled not only via the SubSeven client, but also by messages sent to the IRC or ICQ drones the Trojan creates. This makes SubSeven very versatile and easy to use from a hacker's standpoint. Please see the special 2.1 note attached at the bottom!
This document has been separated into two sections. The first section "Information" will list the filenames, registry lines, and other information in a short format for each version of Subseven.
The next section titled "Removal" explains how to use that information to remove the Trojan from your system.
Unfortunately, any and all settings Sub7 uses are also editable by the hacker.
The information below is for default settings only (i.e. if they didn't customize the Trojan).
If any settings were changed by the hacker, there may be significant discrepancies from the information below (in particular, filenames may be different).
Information
| Version | Filename | Load method |
|---|---|---|
| 1.0 | C:\WINDOWS\SysTrayIcon.Exe | Registry line |
| 1.1 | C:\WINDOWS\SysTrayIcon.Exe | Registry line |
| 1.3 | c:\windows\nodll.exe | win.ini |
| 1.4 | c:\windows\nodll.exe | win.ini |
| 1.5 | c:\windows\nodll.exe (32,768 bytes) | win.ini |
| 1.6 | c:\windows\systray.exe (33,280 bytes) | Registry line |
| 1.7 | c:\windows\kernel16.dl | Registry line |
| 1.8 | c:\windows\kerne132.dl | Registry line (HKEY_LOCAL_MACHINE); win.ini Run= |
| 1.9 | c:\windows\rundll16.exe | Registry line (HKEY_LOCAL_MACHINE) |
| 2.0 | c:\windows\rundll16.exe | System.ini |
| 2.1 + 2.1c | c:\windows\nodll.exe | win.ini |
Removal
Step 1.
Click Start > Run and type Sysedit.
Click on the SYSTEM.INI file and look at the "shell=Explorer.exe" line under the [boot] section. There shouldn't be anything to the right of it. However, if yours looks like "shell=Explorer.exe Task_Bar.exe", then Task_Bar.exe is the server portion of the Trojan. Delete Task_Bar.exe from the line and save the change. Skip to the END.
Step 2.
Click Start > Run and type Sysedit.
Click on the WIN.INI file and look at the run= and load= lines under the [windows] section. Because it is common to have legitimate programs on either of these lines, you should look at the name of each file that appears on the line and compare it to those listed above. If you find one, delete it from the line and save the change. Skip to the END.
Step 3.
Click Start > Run and type Regedit.
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right window, look for a key whose Value loads one of the files listed above. If you don't find a file as listed above, it might mean that the server portion was renamed to something else. The names 'favpnmcfee.dll' (35kb), 'mvokh_32.dll' (35kb), 'nodll.exe' (35kb) and 'watching.dll' (35kb) are the most commonly used. Note the names of any suspicious files.
What you will need to do is open Windows Explorer and go to the WINDOWS directory. Locate each of the suspicious files that were referenced within the right window of regedit. When you find the file that is 328Kb in size, you've probably found the renamed server portion of SubSeven.
Step 4.
Click Start > Run and type Regedit.
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Return to the registry and in the right window, highlight the key that loads the file and delete it (Right click and choose Delete.)
Step 5.
Exit the Registry and reboot your computer.
Step 6.
After the computer has restarted, open only Windows Explorer.
Step 7.
Go to the WINDOWS directory and look for the suspicious file. Once you've found the file, delete it.
Step 8.
Exit Windows Explorer.
Congratulations! SubSeven has been removed.
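A small checker for Steps 1 and 2 (the shell= line in SYSTEM.INI and the run=/load= lines in WIN.INI), added here as an example and not part of the original HackFix page. It compares each entry against the default filenames from the table above; the INI contents are constructed, and a real file read from disk would be checked the same way.

```python
# Added example (not from the HackFix page): flags the SubSeven load lines from
# Steps 1 and 2 in SYSTEM.INI / WIN.INI text and returns the cleaned file text.

# Default server filenames taken from the version table above (compared lower-case).
SUBSEVEN_NAMES = {
    "systrayicon.exe", "nodll.exe", "systray.exe", "kernel16.dl", "kerne132.dl",
    "rundll16.exe", "task_bar.exe", "msrexe.exe",
    "favpnmcfee.dll", "mvokh_32.dll", "watching.dll",
}

# Constructed samples: an infected SYSTEM.INI and a WIN.INI with one legitimate run= entry.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Task_Bar.exe\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\nodll.exe scanreg.exe\n[Desktop]\n"

def _section_of(stripped, current):
    if stripped.startswith("[") and stripped.endswith("]"):
        return stripped[1:-1].lower()
    return current

def check_system_ini(text):
    """shell= under [boot] should be Explorer.exe alone; anything after it is suspect.
    Returns (extra tokens found after Explorer.exe, cleaned text)."""
    findings, out, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        section = _section_of(stripped, section)
        if section == "boot" and stripped.lower().startswith("shell="):
            parts = stripped[len("shell="):].split()
            if len(parts) > 1:
                findings.extend(parts[1:])
                line = "shell=" + parts[0]
        out.append(line)
    return findings, "\n".join(out)

def check_win_ini(text):
    """run=/load= under [windows] can legitimately list programs, so only tokens whose
    basename is a known SubSeven filename are removed. Returns (removed tokens, cleaned text)."""
    findings, out, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        section = _section_of(stripped, section)
        key, sep, value = stripped.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            hits = [t for t in value.split() if t.rsplit("\\", 1)[-1].lower() in SUBSEVEN_NAMES]
            findings += hits
            line = key.strip() + "=" + " ".join(t for t in value.split() if t not in hits)
        out.append(line)
    return findings, "\n".join(out)
```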
New to this version is another way to load the Trojan.
With All options to load ON, you should use the following checklist:
Win.ini (Labeled win.ini in setup/configure)
Start > Run and type Sysedit.
Click on the WIN.INI file and look at the run= line under the [windows] section. At the top, 'run=msrexe.exe' should be removed; this is the only load method that is on by default. Delete msrexe.exe from the line and save the change. Skip to the END.
Registry (Labeled Run and RunServices in setup/configure)
Start > Run and type Regedit.
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Each contains a value named 'WinLoader' (the default name) set to MSREXE.EXE. Both of these should be deleted (right click and choose Delete).
System.ini (Labeled 'Less known method' in setup/configure)
Start > Run and type Sysedit.
Click on the SYSTEM.INI file and look at the "shell=Explorer.exe" line under the [boot] section. There shouldn't be anything to the right of it. However, if yours looks like "shell=Explorer.exe msrexe.exe", then it should be changed to "shell=Explorer.exe" (i.e. simply remove msrexe.exe from the end of the line). Save the change. Skip to the END.
Registry (Labeled 'NOT known method' in setup/configure)
The last, and most cleverly hidden method, is now known.
Restart your computer in MS-DOS mode. All of the steps below will be carried out in DOS. You should be at a C:\WINDOWS prompt.
Any text in Bold means you should type it on the DOS line.
Make sure you are at the C:\WINDOWS prompt now.
**rename windos.exe windos.___**
This is the Trojan, and renaming it keeps Windows from loading it again.
From this point on, Windows cannot run .exe or .bat files, because the registry still tells it to start every .exe through the file you just renamed; the following steps repair that.
You can either perform a manual repair of your registry by following the instructions below, or right click and download the file sub7repair.reg to perform an automated repair. If you've chosen to download the file, make sure you save it into the root directory of C:\ and skip instructions 7 & 8.
**cd ..**
This simply moves back one directory, into C:\.
On one line type:
**regedit /e file.reg Hkey_classes_root\exefile\shell\open\command**
This will export the registry key that needs to be edited, and place it in a file.
**edit file.reg**
This opens the file in your text editor.
In this file, look for the line that reads:
@="WINDOS \"%1\" %*"
And edit so it reads: (Take out WINDOS and the space after)
@="\"%1\" %*"
Save the file and exit edit.
**regedit file.reg**
This imports the edit you just made back into the registry.
**exit**
You will now be taken back to Windows.
Verify that you can indeed run an .exe program, without Windows asking to find shell32. If Windows asks to find shell32, you will need to attempt these directions again.
Be sure to delete the C:\WINDOWS\WINDOS.___ file once removal is successful.
After a reboot, you will find two files in c:\windows\, one named MSREXE.EXE, the other WINDOS.EXE. You should delete both.
Also, new with 2.1 gold, there is a DLL left behind (used for key logging) which should be deleted as well, located at C:\windows\system\systray.dll.
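Added example, not part of the original page or of the sub7repair.reg file it links: a parser for the file.reg export produced in the steps above that finds the loader prepended to the exefile command value and writes the repaired line. It generalises the WINDOS case to any name placed before "%1"; the sample export is constructed.

```python
# Added example (not from the HackFix page): parses a `regedit /e` export of the
# exefile\shell\open\command key, reports any loader prepended to the default
# "%1" %* command (WINDOS in the 2.1 case above, but any name is caught), and
# returns the repaired export text ready for `regedit file.reg`.

KEY_HEADER = r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
DEFAULT_COMMAND = '"%1" %*'  # run the .exe itself, passing its arguments through

# Constructed sample of what the export looks like on an infected machine.
SAMPLE_EXPORT = (
    "REGEDIT4\n\n"
    "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n"
    '@="WINDOS \\"%1\\" %*"\n'
)

def _unescape(s):
    # .reg strings escape " and \ with a backslash; drop the escaping backslash.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def repair_exefile_command(reg_text):
    """Return (hijacker, repaired_text); hijacker is None when the value is already clean."""
    hijacker, out, in_key = None, [], False
    for line in reg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_key = stripped.lower() == KEY_HEADER.lower()
        elif in_key and stripped.startswith('@="') and stripped.endswith('"'):
            command = _unescape(stripped[3:-1])
            if command != DEFAULT_COMMAND:
                # Everything before "%1" is the injected loader (e.g. WINDOS).
                hijacker = command.split('"%1"', 1)[0].strip() or command
                line = '@="' + _escape(DEFAULT_COMMAND) + '"'
        out.append(line)
    return hijacker, "\n".join(out)
```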
Source: HackFix