Backdoor.SubSeven


Discovered: June 06, 1999
Updated: February 13, 2007 11:50:13 AM
Type: Trojan Horse
Systems Affected: Windows


Backdoor.SubSeven is a Trojan Horse, similar to Netbus or Back Orifice, which enables unauthorized people to access your computer over the Internet without your knowledge.

In July 2003, Symantec Security Response received reports that an individual was sending email that claimed to come from Symantec in order to get the recipient to download and execute this Trojan.

The email is in Spanish and has the following characteristics:

From: SymantecMexico [update@symantec.com]
Subject: Urgente: Actualizacion Antivirus.

The email refers to the non-existent file, SU2003SystemAV, and may appear similar to the following illustration:




Symantec did not send this message, and you should delete it if you receive it.





How does the Trojan get on the computer?
SubSeven is usually sent as a program that you think you want. It almost always has a .exe extension and it will often be disguised as an installation program, such as Setup.exe. When this program runs, it will usually return a "Failed" error message, but it can sometimes do something, such as play a game or appear to install the software. We strongly recommend that you only install programs received from trusted sources.

How does someone else know that this threat is on the computer?
Backdoor.SubSeven can be configured to email your IP address and the port on which the server is running to the person who sent it to you. It can also send an alert through some messaging programs.

What are some of the symptoms of a computer that is infected with the Backdoor.SubSeven Trojan?
Any of the following symptoms will occur only while connected to the Internet:

  • CD-ROM drive opens at random times
  • Wave (.wav) files play for no reason
  • Strange dialog boxes appear
  • Internet downloads are slow
  • Files appear or disappear

NOTE: Virus definitions prior to July 10, 2001, may detect Winsys32.exe and Sys32.exe as Backdoor.Subseven.22.a.

Norton Internet Security/Norton Internet Protection users
If you are using either of these Symantec firewall programs, note that the name used by the Trojan Block rule that prevents the Trojan from being downloaded onto your computer differs from the name that Norton AntiVirus uses to detect the same threat if it is actually run on your computer or received in an email.

Norton Internet Security/Norton Internet Protection will block Backdoor.SubSeven from being downloaded onto your computer using the Block Rule Backdoor/SubSeven.

Antivirus Protection Dates

  • Initial Rapid Release version June 09, 1999
  • Latest Rapid Release version May 01, 2018 revision 033
  • Initial Daily Certified version June 09, 1999 revision 036
  • Latest Daily Certified version May 02, 2018 revision 003
  • Initial Weekly Certified release date June 09, 1999


Writeup By: George Koris



Backdoor.SubSeven is a Trojan Horse, similar to Netbus or Back Orifice. This Trojan enables unauthorized people to access your computer over the Internet without your knowledge.

When the server portion of the program runs on a computer, the individual who is remotely accessing the computer may be able to perform the following:

  • Set it up as an FTP server
  • Browse files on that system
  • Take screen shots
  • Capture real-time screen information
  • Open and close programs
  • Edit information in currently running programs
  • Show pop-up messages and dialog boxes
  • Hang up a dial-up connection
  • Remotely restart a computer
  • Open the CD-ROM
  • Edit the registry information

When BackDoor.Subseven is run, it makes the following changes to the system:
  • Drops (adds) a copy of itself and a randomly named executable file, such as Eutccec.exe, to the \Windows or \Windows\System folder.
  • Adds the dropped file to the load= and run= lines of the Win.ini file.
  • Adds the dropped filename to the shell=explorer.exe line of the System.ini file.
  • Creates the WinLoader value, set to the dropped filename, in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Modifies the (Default) value from "%1" %* to, for example, eutccec.exe "%1" %*, in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



To remove BackDoor.Subseven, follow these steps:

NOTE: These removal instructions are for versions of BackDoor.Subseven that Symantec Technical Support virus removal technicians are currently reviewing. The original version of BackDoor.Subseven did not have the random filename behavior and made different changes to the system.

Although Symantec Technical Support has not received reports in some time for the original version, with its somewhat different behavior, it is still possible that this threat exists, and that unprotected computers could be infected by it. If the information in this document does not fit your situation, then see the section at the end of the Removal Instructions section titled "Removal instructions for older versions of Backdoor.Subseven."

To remove Backdoor.Subseven, do the following:

  • Run LiveUpdate to make sure that you have the most recent definitions.
  • Run a full system scan, making sure that Norton AntiVirus is set to scan all the files.
  • Make a copy of the Regedit.exe file with the .com extension, if necessary.
  • Remove the references added to the Win.ini and System.ini files (Windows 95/98/Me computers).
  • Remove the references added to the Windows registry.

For detailed instructions, see the following sections:

NOTES:
  • The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.
  • This Trojan creates a randomly named file. We will use the example Eutccec.exe in this document. Substitute the randomly named file that you find on the system.

Running LiveUpdate and scanning with Norton AntiVirus
Run LiveUpdate, and then run a full system scan. Make sure that Norton AntiVirus is set to scan all the files.

NOTE: If you cannot do this because you cannot run the program files, first go to the section titled "Copying Regedit.exe to Regedit.com;" otherwise, skip to the section titled "Editing the registry and removing keys and changes made by the worm."

Copying Regedit.exe to Regedit.com
Because the worm modified the registry so that you cannot run the .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that.
  1. Do one of the following, depending on the operating system you are running:
    • Windows 95/98 users: Click Start, point to Programs, and then click MS-DOS Prompt.
    • Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000/XP users:
      1. Click Start, and then click Run.
      2. Type the following, and then press Enter:

        command

        A DOS window opens.

      3. Type the following, and then press Enter:

        cd \winnt

      4. Proceed to the next step.

  2. Type the following, and then press Enter:

    copy regedit.exe regedit.com

  3. Type the following, and then press Enter:

    start regedit.com

  4. Proceed to the section "Editing the registry and removing keys and changes made by the worm," only after you have completed the previous steps.

NOTES:
  • The Registry Editor will open in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, then close the DOS window as well.
  • After BackDoor.Subseven has been successfully removed, you can delete the Regedit.com file.


Editing the registry and removing keys and changes made by the worm

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Make sure you modify the specified keys only. For more information about how to back up the registry, see the document "How to back up the Windows registry" before proceeding with the following steps. If you are unable to perform this, then do not proceed. Consult a qualified computer technician for more information.
  1. Start the Registry Editor, if necessary:
    • If you performed the procedures in the previous section, then the Registry Editor is already open. Skip to step 4.
    • If it was not necessary to perform the procedures in the previous section, then proceed to step 2.
  2. Click Start, and then click Run. (The Run dialog box appears.)
  3. Type regedit, and then click OK. (The Registry Editor opens.)
  4. Navigate to and open the following key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    CAUTION: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent the .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey, as shown in the following figure.




  5. Double-click the (Default) value in the right pane.
  6. Delete the current value data, and then type: "%1" %* (quote-percent-one-quote-space-percent-asterisk.)

    NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

    Make sure that you completely delete all the value data in the command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, then start over at the beginning of this document, making sure to completely remove the current value data.

  7. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  8. In the right pane, look under the Name column and delete any of the following values if you see them:

    WINLOADER
    Win32nt
    Win32.Bin
    WinCrypt
    WinProtect
    Win
    xTnow
    Ayespie
    PowerSaveMonitor
    rundll32
    winsys32.exe
    sys32.exe

    NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.

  9. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  10. In the right pane, look under the Name column and delete any of the following values if you see them:

    WINLOADER
    Win32nt
    Win32.Bin
    WinProtect
    Win
    xTnow
    Ayespie
    PowerSaveMonitor
    rundll32

    NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.

  11. Exit the Registry Editor.

Editing Windows startup files
This is only necessary if your operating system is Windows 95/98/Me.

NOTE for Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. We recommend that you delete this file before continuing with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane delete the Win.ini file. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
  1. Click Start, and then click Run.
  2. Type the following, and then click OK.

    edit c:\windows\win.ini

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

    CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan adds lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan). It may also modify the shell= statement, for example, to shell=explorer.exe pwrsvm.exe.

    If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove the lines. If you are not sure, but the text does not refer to the file names shown, then you can prevent the lines from loading by placing a semicolon in the first character position of the line.

    For example:

    ; run=accounts.exe

  3. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
  4. Position the cursor immediately to the right of the equal (=) sign.
  5. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  6. Repeat steps 4 and 5 for the run= line, which is usually beneath the load= line.
  7. Close the Win.ini window, and click Yes when you are prompted to save the changes.
  8. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.
  9. Position the cursor immediately to the right of explorer.exe.
  10. Press Shift+End to select all of the text to the right of explorer.exe, and then press Delete.
  11. Close the System.ini window, and click Yes when you are prompted to save the changes.

    NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
  12. Click File and then click Exit. Click Yes when prompted to save the changes.
  13. Click Start, point to Settings, and then click Control Panel.
  14. Double-click the Display icon.
  15. Click the Screen Saver tab, and then change the currently selected screen saver. If it is set to (None), then select any of the available screen savers. The important thing is that you make a change to the current setting.
  16. Click OK, and then close the Control Panel.

This completes the removal part of the process. Even if you did so previously, start Norton AntiVirus and run a full system scan. Delete any files found to be infected with Backdoor.Subseven. When finished, restart the computer.
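The persistence points this writeup describes (the exefile open command, the WinLoader and related Run/RunServices values, and the load=, run= and shell= lines of Win.ini and System.ini) can be checked offline against copies exported from a suspect machine. The following Python is an added example written for this page, not a Symantec tool; it assumes a responder has a .reg export of the two registry keys plus the text of Win.ini and System.ini, and the sample inputs are constructed.

```python
import re

CLEAN_EXEFILE_COMMAND = '"%1" %*'  # correct (Default) data, per the writeup
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Value names the writeup lists under Run / RunServices, lower-cased for matching
SUSPECT_RUN_VALUES = {
    "winloader", "win32nt", "win32.bin", "wincrypt", "winprotect", "win", "xtnow",
    "ayespie", "powersavemonitor", "rundll32", "winsys32.exe", "sys32.exe", "systemtrayicon",
}
# load= / run= / shell= lines; a leading ';' (the writeup's neutralisation) never matches
INI_LINE = re.compile(r"^\s*(load|run|shell)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value name: data}} (key and name lower-cased).

    Handles @="..." for (Default) and "name"="..." string values, and unescapes
    the backslash-escaped quotes and backslashes .reg files use inside data.
    """
    keys, current = {}, None
    for line in (s.strip() for s in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_registry(keys):
    """Report a hijacked exefile open command and suspect Run/RunServices values."""
    findings = []
    command = keys.get(EXEFILE_KEY.lower(), {}).get("(default)")
    if command is not None and command != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile open command hijacked: %r" % command)
    for key in RUN_KEYS:
        short = key.rsplit("\\", 1)[1]  # "Run" or "RunServices"
        for name, data in keys.get(key.lower(), {}).items():
            if name in SUSPECT_RUN_VALUES:
                findings.append("%s value %r -> %r" % (short, name, data))
    return findings


def audit_ini(win_ini, system_ini):
    """Report non-empty load=/run= lines and a shell= line that is not just explorer.exe."""
    findings = []
    for m in filter(None, map(INI_LINE.match, win_ini.splitlines())):
        if m.group(1).lower() != "shell" and m.group(2):
            findings.append("win.ini %s=%s" % (m.group(1).lower(), m.group(2)))
    for m in filter(None, map(INI_LINE.match, system_ini.splitlines())):
        if m.group(1).lower() == "shell" and m.group(2).lower().split() != ["explorer.exe"]:
            findings.append("system.ini shell=%s" % m.group(2))
    return findings


# Constructed sample input modelled on the changes the writeup lists (not real data)
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="eutccec.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinLoader"="eutccec.exe"
"SystemTray"="SysTray.Exe"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=hpfsched   msrexe.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe pwrsvm.exe\n"


def audit_sample():
    """Run both audits over the constructed sample and return the findings."""
    return audit_registry(parse_reg_export(SAMPLE_REG)) + audit_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)
```

Note that the legitimate SystemTray value in the sample is left alone, mirroring the writeup's warning to delete SystemTrayIcon and not SystemTray.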

    Removal instructions for older versions of Backdoor.SubSeven

    CAUTION: Follow these instructions only if the instructions in the previous sections did not remove the Trojan.

    To remove this Trojan, you need to do the following:
    1. Restart the computer in Safe mode.
    2. Remove the following registry value that the Trojan placed there:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTrayIcon

    3. Restart in MS-DOS mode, and then delete the \Windows\Systemtrayicon.exe file.
    4. Restart Windows, and then rename the Watching.dll file.

    The details of each of these steps follow:

    Restarting the computer in Safe mode
    Before you edit the registry, you need to restart Windows in Safe mode. This can take several minutes.

    NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.
    • Windows 95:
      1. Exit all the programs.
      2. Click Start, and then click Shut Down. The Shut Down Windows dialog box appears.
      3. Click Shut Down, and then click OK.
      4. Click Yes to confirm the shut down.
      5. Turn off the computer (if necessary) and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the Reset button.

      6. Turn on the computer.
      7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
      8. Press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.

    • Windows 98:
      1. Click Start, and then click Run.
      2. Type msconfig, and then click OK. (The System Configuration Utility dialog box appears.)
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all the programs.
      6. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      7. Click Shut Down, and then click OK.
      8. Click Yes to confirm the shut down.
      9. Turn off the computer and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the Reset button.

      10. Turn on the computer, and wait for the Windows 98 Startup menu.
      11. Press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.
    Editing the registry
    Follow these steps to remove the entry that the Trojan placed in the registry.

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Make sure to modify the specified keys only. See the document "How to Back Up the Windows 95/98/NT Registry" before proceeding.
    1. Click Start, and then click Run.
    2. Type regedit, and then press Enter.
    3. Navigate to and select the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, select SystemTrayIcon, press Delete, and then click Yes to confirm.

      NOTES:
      • The program that runs from here can have different names. SystemTrayIcon is only one of the names that this program uses.
      • Make sure that you delete SystemTrayIcon, and not SystemTray (see the illustration below).




    5. Exit the Registry Editor.

    Restarting the computer in MS-DOS mode
    Follow these steps to restart the computer in MS-DOS mode:
    • Windows 95:
      1. Exit all the programs.
      2. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      3. Click Shut Down, and then click OK.
      4. Click Yes to confirm the shut down.
      5. Turn off the computer (if necessary) and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the Reset button.

      6. Turn on the computer.
      7. When "Starting Windows 95..." appears on the screen, press F8. (The Windows 95 Startup Menu appears.)
      8. Press the number that corresponds to Safe mode Command Prompt Only, and then press Enter. Windows will start in Safe mode.
    • Windows 98:
      1. Click Start, and then click Run.
      2. Type msconfig, and then click OK. (The System Configuration Utility dialog box appears.)
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all the programs.
      6. Click Start, and then click Shut Down. (The Shut Down Windows dialog box appears.)
      7. Click Shut Down, and then click OK.
      8. Click Yes to confirm the shut down.
      9. Turn off the computer and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the Reset button.

      10. Turn on the computer, and wait for the Windows 98 Startup menu.
      11. Press the number that corresponds to Safe mode Command Prompt Only, and then press Enter. Windows will start in Safe mode.
    Deleting a file
    Follow these steps to delete the file that the Trojan placed on the computer:
    1. Type the following, and then press Enter:

      cd windows

    2. Type the following, and then press Enter:

      del systemtrayicon.exe

    3. To restart Windows, type the following, and then press Enter:

      exit

      After Windows restarts, proceed to the next section.
    Renaming a file
    Because there is a small possibility that the Watching.dll file could be a legitimate file that another program uses, we suggest that you follow these steps to rename it.
    1. Click Start, point to Find, and then click Files or Folders.
    2. In the Named box, type the following, and then click Find Now:

      Watching.dll

    3. In the results pane, right-click the file that was found (it should be in the \Windows\System folder), and then click Rename.
    4. Rename the file to Watching.bkp, and then press Enter.

      NOTE: If you are sure that a legitimate program, which you installed, is not using the file, then you can delete it.

    5. Close the Find Files dialog box.

    You have now removed the Backdoor.SubSeven Trojan.

