
Backdoor.SubSeven

Risk Level 1: Very Low

Discovered: June 6, 1999
Updated: February 13, 2007 11:50:13 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Backdoor.SubSeven is a Trojan Horse, similar to Netbus or Back Orifice, which enables unauthorized people to access your computer over the Internet without your knowledge.

In July 2003, Symantec Security Response received reports that an individual was sending email that claims to come from Symantec in order to get the recipient to download and execute this Trojan.

The email is in Spanish and has the following characteristics:

From: SymantecMexico[update@symantec.com]
Subject: Urgente: Actualizacion Antivirus.

The email refers to the non-existent file, SU2003SystemAV, and may appear similar to the following illustration:




Symantec did not send this message, and you should delete it if you receive it.
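
For mail administrators who want to find copies of this message in a mailbox or quarantine, the following added example (not Symantec's code) matches the sender name, subject and file name quoted above against a raw message. It goes slightly beyond the text by also handling encoded or accented subject lines and attachment names; the function names and sample messages are constructed for illustration.

```python
import email
import unicodedata
from email import policy

# Indicators quoted in the advisory, pre-normalised (lower case, no accents).
SENDER_NAME = "symantecmexico"
SUBJECT = "urgente: actualizacion antivirus"
FILE_NAME = "su2003systemav"

# Constructed sample messages (not real captures) for trying the matcher.
SAMPLE_HOAX = (
    b"From: SymantecMexico <update@symantec.com>\r\n"
    b"Subject: =?utf-8?q?Urgente=3A_Actualizaci=C3=B3n_Antivirus=2E?=\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Descargue el archivo SU2003SystemAV.\r\n"
)
SAMPLE_BENIGN = b"From: Alice <alice@example.org>\r\nSubject: Lunch\r\n\r\nNoon?\r\n"


def _norm(text):
    """Lower-case, strip accents and collapse whitespace so variants match."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def match_indicators(raw_bytes):
    """Return which advisory indicators appear in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words in the headers.
    if SENDER_NAME in _norm(str(msg.get("From", ""))).replace(" ", ""):
        hits.append("from")
    if SUBJECT in _norm(str(msg.get("Subject", ""))):
        hits.append("subject")
    # Look for the referenced file name in text parts and attachment names.
    for part in msg.walk():
        text = _norm(part.get_filename() or "")
        if part.get_content_maintype() == "text":
            try:
                text += " " + _norm(part.get_content())
            except (LookupError, UnicodeError):  # unknown or broken charset
                raw = part.get_payload(decode=True) or b""
                text += " " + _norm(raw.decode("latin-1"))
        if FILE_NAME in text:
            hits.append("file")
            break
    return hits
```

A message that matches all three indicators is very likely a copy of the hoax; a single match, such as the subject alone, is better treated as a lead for manual review.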





How does the Trojan get on the computer?
SubSeven is usually sent as a program that you think you want. It almost always has a .exe extension and it will often be disguised as an installation program, such as Setup.exe. When this program runs, it will usually return a "Failed" error message, but it can sometimes do something, such as play a game or appear to install the software. We strongly recommend that you only install programs received from trusted sources.

How does someone else know that this threat is on the computer?
Backdoor.SubSeven can be configured to email your IP address and the port on which the server is running to the person who sent it to you. It can also send an alert through some messaging programs.

What are some of the symptoms of a computer that is infected with the Backdoor.SubSeven Trojan?
Any of the following symptoms will occur only while connected to the Internet:
  • CD-ROM drive opens at random times
  • Wave (.wav) files play for no reason
  • Strange dialog boxes appear
  • Internet downloads are slow
  • Files appear or disappear

NOTE: Virus definitions prior to July 10, 2001, may detect Winsys32.exe and Sys32.exe as Backdoor.Subseven.22.a.

Norton Internet Security/Norton Internet Protection users
If you are using either of these Symantec firewall programs, the name of the Trojan Block rule used to prevent the Trojan from being downloaded onto your computer is different from the name that Norton AntiVirus uses to detect the same threat when it is actually run on your computer or received in an email.

Norton Internet Security/Norton Internet Protection will block Backdoor.SubSeven from being downloaded onto your computer using the Block Rule Backdoor/SubSeven.

Antivirus Protection Dates

  • Initial Rapid Release version June 9, 1999
  • Latest Rapid Release version November 24, 2014 revision 034
  • Initial Daily Certified version June 9, 1999 revision 036
  • Latest Daily Certified version November 30, 2014 revision 001
  • Initial Weekly Certified release date June 9, 1999

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Low
Writeup By: George Koris
