
Backdoor.SubSeven - Removal

Risk Level 1: Very Low

Discovered:
June 6, 1999
Updated:
February 13, 2007 11:50:13 AM
Type:
Trojan Horse
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

To remove Backdoor.SubSeven, follow these steps:

NOTE: These removal instructions are for the versions of Backdoor.SubSeven that Symantec Technical Support virus removal technicians are currently reviewing. The original version of Backdoor.SubSeven did not have the random-filename behavior and made different changes to the system.

Although Symantec Technical Support has not received reports of the original version for some time, it is still possible that this threat exists and that unprotected computers could be infected by it. If the information in this document does not fit your situation, see the section at the end of the removal instructions titled "Removal instructions for older versions of Backdoor.SubSeven."

Removal consists of the following steps:
  • Run LiveUpdate to make sure that you have the most recent definitions.
  • Run a full system scan, making sure that Norton AntiVirus is set to scan all the files.
  • Make a copy of the Regedit.exe file with the .com extension, if necessary.
  • Remove the references added to the Win.ini and System.ini files (Windows 95/98/Me computers).
  • Remove the references added to the Windows registry.

For detailed instructions, see the following sections:

NOTES:
  • The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, we suggest that you obtain the services of a qualified computer consultant.
  • This variant creates a file with a random name. This document uses the example Eutccec.exe; substitute the randomly named file that you find on the system.

Running LiveUpdate and scanning with Norton AntiVirus
Run LiveUpdate, and then run a full system scan. Make sure that Norton AntiVirus is set to scan all the files.

NOTE: If you cannot do this because you cannot run the program files, first go to the section titled "Copying Regedit.exe to Regedit.com"; otherwise, skip to the registry editing section that follows it.

Copying Regedit.exe to Regedit.com
The Trojan modifies the exefile file association in the registry so that .exe files no longer start. Files with the .com extension use a separate association, which the Trojan leaves alone, so a copy of the Registry Editor saved with the .com extension still runs. Make that copy first, and then run it.
  1. Do one of the following, depending on the operating system you are running:
    • Windows 95/98 users: Click Start, point to Programs, and then click MS-DOS Prompt.
    • Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000/XP users:
      1. Click Start, and then click Run.
      2. Type the following, and then press Enter:

        command

        A DOS window opens.

      3. Type the following, and then press Enter:

        cd \winnt

        NOTE: This is the folder that contains Regedit.exe. On Windows NT and 2000 it is usually \winnt; on Windows XP it is usually \windows. If Windows is installed in a different location, make the appropriate path substitution.

      4. Proceed to the next step.

  2. Type the following, and then press Enter:

    copy regedit.exe regedit.com

  3. Type the following, and then press Enter:

    start regedit.com

  4. Only after you have completed the previous steps, proceed to the next section, which covers editing the registry.

NOTES:
  • The Registry Editor will open in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, then close the DOS window as well.
  • After Backdoor.SubSeven has been successfully removed, you can delete the Regedit.com file.


Editing the registry and removing keys and changes made by the Trojan

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Make sure you modify the specified keys only. For more information about how to back up the registry, see the document, "How to back up the Windows registry," before proceeding with the following steps. If you are unable to perform this, then do not proceed. Consult a qualified computer technician for more information.
  1. Start the Registry Editor, if necessary:
    • If you performed the procedures in the previous section, then the Registry Editor is already open. Skip to step 4.
    • If it was not necessary to perform the procedures in the previous section, then proceed to step 2.
  2. Click Start, and then click Run. (The Run dialog box appears.)
  3. Type regedit, and then click OK. (The Registry Editor opens.)
  4. Navigate to and open the following key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    CAUTION: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent the .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey, as shown in the following figure.

    [Figure: the Registry Editor with the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey selected; not reproduced here.]

  5. Double-click the (Default) value in the right pane.
  6. Delete the current value data, and then type: "%1" %* (quote-percent-one-quote-space-percent-asterisk.)

    NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

    Make sure that you completely delete all the value data in the command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, then start over at the beginning of this document, making sure to completely remove the current value data.

  7. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  8. In the right pane, look under the Name column and delete any of the following values if you see them:

    WINLOADER
    Win32nt
    Win32.Bin
    WinCrypt
    WinProtect
    Win
    xTnow
    Ayespie
    PowerSaveMonitor
    rundll32

    winsys32.exe
    sys32.exe

    NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.

  9. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  10. In the right pane, look under the Name column and delete any of the following values if you see them:

    WINLOADER
    Win32nt
    Win32.Bin
    WinProtect
    Win
    xTnow
    Ayespie
    PowerSaveMonitor
    rundll32

    NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.

  11. Exit the Registry Editor.
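The three registry checks above (the exefile command value and the Run and RunServices lists) can also be done offline against a Regedit export, which gives you a record of what was changed before you delete it. The following Python script is an added example and is not Symantec's tool or part of the original writeup. It assumes you exported the three keys with Regedit (File > Export) and copied the .reg file off the machine; the function names are my own. SAMPLE_REG is a constructed export that uses the page's example random filename, Eutccec.exe; the exact hijacked command string and the paths are assumptions, since the page only says the Trojan changes that value. The checks go slightly beyond the page: every Run/RunServices entry not on the page's list is reported for manual review, and the stray-leading-space condition the page warns about is reported separately from a real hijack.

```python
"""Triage a Regedit export (.reg) for the Backdoor.SubSeven registry changes
that the procedure above removes by hand.

Added example for this page, not Symantec's tooling. It assumes you used
Regedit (File > Export) on the infected machine to export the three keys
below and copied the .reg file off for review.
"""
import re

EXEFILE_CMD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
CLEAN_EXEFILE_CMD = '"%1" %*'   # the value the page says to restore

# Value names the page lists for Run/RunServices, plus SystemTrayIcon from the
# older-variant section; matched case-insensitively.
SUBSEVEN_VALUE_NAMES = {n.lower() for n in (
    "WINLOADER", "Win32nt", "Win32.Bin", "WinCrypt", "WinProtect", "Win",
    "xTnow", "Ayespie", "PowerSaveMonitor", "rundll32",
    "winsys32.exe", "sys32.exe", "SystemTrayIcon",
)}

# Constructed sample export. The page's example random name Eutccec.exe is
# used; the hijacked command string and the paths are assumptions, and
# ScanRegistry stands in for a legitimate Windows 98 Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\Eutccec.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinProtect"="C:\\WINDOWS\\Eutccec.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"rundll32"="C:\\WINDOWS\\SYSTEM\\winsys32.exe"
'''

# `@=` is the (Default) value; otherwise the name is a quoted string.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}; the (Default) value is named ''.

    String data is unescaped; other types (hex:, dword:) are kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def triage(reg_text):
    """Return (where, verdict, detail) findings; an empty list means clean."""
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    findings = []
    cmd = keys.get(EXEFILE_CMD.lower(), {}).get("")
    if cmd is None:
        findings.append(("exefile", "missing", None))
    elif cmd != CLEAN_EXEFILE_CMD:
        # Stray whitespace alone gives the "Windows cannot find .exe" error
        # the page warns about; anything else is the Trojan's hook.
        verdict = "whitespace" if cmd.strip() == CLEAN_EXEFILE_CMD else "hijacked"
        findings.append(("exefile", verdict, cmd))
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            verdict = "subseven" if name.lower() in SUBSEVEN_VALUE_NAMES else "review"
            findings.append((key.rsplit("\\", 1)[1], verdict, f"{name}={data}"))
    return findings


def repair_exefile_reg():
    """A .reg fragment that restores the exefile command to the page's value."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{EXEFILE_CMD}]\n"
            '@="\\"%1\\" %*"\n')


if __name__ == "__main__":
    for where, verdict, detail in triage(SAMPLE_REG):
        print(f"{where:12} {verdict:10} {detail}")
```

Entries marked "review" are the "other values" the page says may appear; check each against the programs you installed before deleting it. The fragment from repair_exefile_reg() can be saved as a .reg file and imported from the Registry Editor (File > Import) instead of retyping the command value, which avoids the leading-space mistake.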

Editing Windows startup files
This is only necessary if your operating system is Windows 95/98/Me.

NOTE For Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. We recommend that you delete this file before continuing with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane delete the Win.ini file. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
  1. Click Start, and then click Run.
  2. Type the following, and then click OK.

    edit c:\windows\win.ini

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

    CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan adds lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan). It may also modify the shell= statement, for example, to shell=explorer.exe pwrsvm.exe.

    If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove the lines. If you are not sure, but the text does not refer to the file names shown, then you can prevent the lines from loading by placing a semicolon in the first character position of the line.

    For example:

    ; run=accounts.exe

  3. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
  4. Position the cursor immediately to the right of the equal (=) sign.
  5. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  6. Repeat steps 4 and 5 for the run= line, which is usually beneath the load= line.
  7. Click File, and then click Exit. Click Yes when you are prompted to save the changes to Win.ini.
  8. Click Start, and then click Run.
  9. Type the following, and then click OK. (The MS-DOS Editor opens.)

    edit c:\windows\system.ini

  10. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.

    NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case and you are running an alternate Windows shell, change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.

  11. Position the cursor immediately to the right of explorer.exe.
  12. Press Shift+End to select all of the text to the right of explorer.exe, and then press Delete.
  13. Click File, and then click Exit. Click Yes when you are prompted to save the changes to System.ini.
  14. Click Start, point to Settings, and then click Control Panel.
  15. Double-click the Display icon.
  16. Click the Screen Saver tab, and then change the currently selected screen saver. If it is set to (None), select any of the available screen savers. The important thing is that you make a change to the current setting.
  17. Click OK, and then close the Control Panel.

This completes the removal part of the process. Even if you did so previously, start Norton AntiVirus and run a full system scan. Delete any files found to be infected with Backdoor.Subseven. When finished, restart the computer.
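The Win.ini and System.ini edits above follow a fixed pattern: strip everything after load= and run= in the [windows] section (keeping only programs you know to be legitimate), and leave only explorer.exe after shell= in the [boot] section. The following Python script is an added example, not part of the original writeup, that applies that pattern to copies of the two files and reports every program it removed so you can check the list against the Trojan file names before writing the cleaned files back. SAMPLE_WIN_INI and SAMPLE_SYSTEM_INI are constructed from the page's own examples (pkg2350.exe, hpfsched followed by msrexe.exe, and pwrsvm.exe); the list of legitimate programs is an assumption you supply, and the function names are my own.

```python
"""Clean the Win.ini [windows] load=/run= lines and the System.ini [boot]
shell= line the way the manual procedure above does, on copies of the files,
and report what was removed.

Added example for this page, not Symantec's tooling. Run it against copies
of the files taken off the infected machine; write the cleaned text back
only after you have checked the removed list.
"""

# Constructed sample files, built from the page's own examples: hpfsched is
# the legitimate program the page mentions, the other names are the hooks
# the page attributes to the Trojan.
SAMPLE_WIN_INI = """[windows]
load=c:\\windows\\temp\\pkg2350.exe
run=hpfsched    msrexe.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe pwrsvm.exe
system.drv=system.drv

[386Enh]
device=*vshare
"""


def _basename(path):
    """File name part of a DOS path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rewrite(text, section, key, fn):
    """Apply fn(value) -> new value to every `key=` line inside [section].

    Hand-rolled rather than configparser because these files may repeat keys
    and hold unstructured values; every other line passes through unchanged.
    """
    out, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
        elif current == section and "=" in s and not s.startswith(";"):
            k, _, v = s.partition("=")
            if k.strip().lower() == key:
                line = f"{k.strip()}={fn(v.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"


def clean_startup_files(win_ini, system_ini, legitimate=()):
    """Return (cleaned win.ini, cleaned system.ini, list of removed programs).

    `legitimate` (an assumption you supply) names the programs allowed to
    stay on load=/run=; everything else is removed, as the page directs.
    shell= is always reset to explorer.exe; anything appended after it, or
    an alternate shell, is reported so you can restore it afterwards.
    """
    legit = {_basename(p) for p in legitimate}
    removed = []

    def strip_programs(value):
        tokens = value.split()          # entries are separated by blanks
        removed.extend(t for t in tokens if _basename(t) not in legit)
        return " ".join(t for t in tokens if _basename(t) in legit)

    def fix_shell(value):
        tokens = value.split()
        if tokens and tokens[0].lower() == "explorer.exe":
            removed.extend(tokens[1:])  # e.g. shell=explorer.exe pwrsvm.exe
        else:
            removed.extend(tokens)      # alternate shell: reset for now
        return "explorer.exe"

    win = _rewrite(win_ini, "windows", "load", strip_programs)
    win = _rewrite(win, "windows", "run", strip_programs)
    sys_ini = _rewrite(system_ini, "boot", "shell", fix_shell)
    return win, sys_ini, removed


def startup_programs(win_ini, system_ini):
    """Every program hooked via load=, run= or shell=, without changing anything."""
    return clean_startup_files(win_ini, system_ini)[2]


if __name__ == "__main__":
    win, sysini, removed = clean_startup_files(
        SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, legitimate=("hpfsched",))
    print("removed:", removed)
    print(win)
    print(sysini)
```

Call startup_programs() first to see everything that loads from these lines; anything you recognise goes into the legitimate list, and the page's semicolon trick remains the right choice for entries you are unsure about.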
    Removal instructions for older versions of Backdoor.SubSeven

    CAUTION: Follow these instructions only if the instructions in the previous sections did not remove the Trojan.

    To remove this Trojan, you need to do the following:
    1. Restart the computer in Safe mode.
    2. Remove the following value, which the Trojan placed in the registry:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTrayIcon

    3. Restart in MS-DOS mode, and then delete the \Windows\Systemtrayicon.exe file.
    4. Restart Windows, and then rename the Watching.dll file.

    The details on each of these steps follows:

    Restarting the computer in Safe mode
    Before you edit the registry, you need to restart Windows in Safe mode. This can take several minutes.

    NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.
    • Windows 95:
      1. Exit all the programs.
      2. Click Start, and then click Shut Down. The Shut Down Windows dialog box appears.
      3. Click Shut Down, and then click OK.
      4. Click Yes to confirm the shut down.
      5. Turn off the computer (if necessary) and wait 30 seconds.

        NOTE: You must turn off the power to remove the Trojan from memory. Do not use the Reset button.

      6. Turn on the computer.
      7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
      8. Press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.

    • Windows 98:
      1. Click Start, and then click Run.
      2. Type msconfig, and then click OK. (The System Configuration Utility dialog box appears.)
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all the programs.
      6. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      7. Click Shut Down, and then click OK.
      8. Click Yes to confirm the shut down.
      9. Turn off the computer and wait 30 seconds.

        NOTE: You must turn off the power to remove the Trojan from memory. Do not use the Reset button.

      10. Turn on the computer, and wait for the Windows 98 Startup menu.
      11. Press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.
    Editing the registry
    Follow these steps to remove the entry that the Trojan placed in the registry.

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Make sure to modify the specified keys only. See the document, "How to Back Up the Windows 95/98/NT Registry," before proceeding.
    1. Click Start, and then click Run.
    2. Type regedit, and then press Enter.
    3. Navigate to and select the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, select SystemTrayIcon, press Delete, and then click Yes to confirm.

      NOTES:
      • The program that runs from here can have different names. SystemTrayIcon is only one of the names that this program uses.
      • Make sure that you delete SystemTrayIcon, and not SystemTray (see the illustration below).


      [Illustration: the Run key showing the SystemTrayIcon value next to the legitimate SystemTray value; not reproduced here.]

    5. Exit the Registry Editor.

    Restarting the computer in MS-DOS mode
    Follow these steps to restart the computer in MS-DOS mode:
    • Windows 95:
      1. Exit all the programs.
      2. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      3. Click Shut Down, and then click OK.
      4. Click Yes to confirm the shut down.
      5. Turn off the computer (if necessary) and wait 30 seconds.

        NOTE: You must turn off the power to remove the Trojan from memory. Do not use the Reset button.

      6. Turn on the computer.
      7. When "Starting Windows 95..." appears on the screen, press F8. (The Windows 95 Startup Menu appears.)
      8. Press the number that corresponds to Safe mode Command Prompt Only, and then press Enter. Windows starts at an MS-DOS command prompt instead of the desktop.
    • Windows 98:
      1. Click Start, and then click Run.
      2. Type msconfig, and then click OK. (The System Configuration Utility dialog box appears.)
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all the programs.
      6. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      7. Click Shut Down, and then click OK.
      8. Click Yes to confirm the shut down.
      9. Turn off the computer and wait 30 seconds.

        NOTE: You must turn off the power to remove the Trojan from memory. Do not use the Reset button.

      10. Turn on the computer, and wait for the Windows 98 Startup menu.
      11. Press the number that corresponds to Safe mode Command Prompt Only, and then press Enter. Windows starts at an MS-DOS command prompt instead of the desktop.
    Deleting a file
    Follow these steps to delete the file that the Trojan placed on the computer:
    1. Type the following, and then press Enter:

      cd \windows

    2. Type the following, and then press Enter:

      del systemtrayicon.exe

    3. To restart Windows, type the following, and then press Enter:

      exit

      After Windows restarts, proceed to the next section.
    Renaming a file
    Because there is a small possibility that the Watching.dll file could be a legitimate file that another program uses, we suggest that you follow these steps to rename it.
    1. Click Start, point to Find, and then click Files or Folders.
    2. In the Named box, type the following, and then click Find Now:

      Watching.dll

    3. In the results pane, right-click the file that was found (it should be in the \Windows\System folder), and then click Rename.
    4. Rename the file to Watching.bkp, and then press Enter.

      NOTE: If you are sure that a legitimate program, which you installed, is not using the file, then you can delete it.

    5. Close the Find Files dialog box.

    You have now removed the Backdoor.SubSeven Trojan.


    Writeup By: George Koris
