Backdoor.SubSeven


Risk Level 1: Very Low

June 6, 1999
February 13, 2007 11:50:13 AM
Trojan Horse
Systems Affected:

Backdoor.SubSeven is a Trojan Horse, similar to Netbus or Back Orifice, which enables unauthorized people to access your computer over the Internet without your knowledge.

In July 2003, Symantec Security Response received reports that an individual was sending email that claims to come from Symantec in order to get the recipient to download and execute this Trojan.

The email is in Spanish and has the following characteristics:

From: SymantecMexico[update@symantec.com]
Urgente: Actualizacion Antivirus.

The email refers to the non-existent file, SU2003SystemAV, and may appear similar to the following illustration:

Symantec did not send this message, and you should delete it if you receive it.
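The characteristics listed above can be turned into a mail-filter check. The following is an added example, not Symantec's code: the function names, the indicator labels and the sample message are constructed for illustration, and the Setup.exe attachment in the sample is an assumption based on the statement below that the Trojan almost always has a .exe extension.

```python
import email
import unicodedata
from email import policy

# Indicators quoted in the writeup, lower-cased and accent-free.
SPOOFED_NAME = "symantecmexico"
SUBJECT_MARKER = "actualizacion antivirus"
LURE_FILE = "su2003systemav"

# Constructed sample, not a captured message; the Setup.exe attachment and
# the body wording are assumptions.
SAMPLE = """\
From: SymantecMexico <update@symantec.com>
Subject: =?utf-8?q?Urgente=3A_Actualizaci=C3=B3n_Antivirus=2E?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Instale el archivo SU2003SystemAV adjunto.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Setup.exe"

placeholder bytes, not a real executable
--b1--
"""

def fold(text: str) -> str:
    """Lower-case and strip accents so 'Actualización' also matches."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def hoax_indicators(raw: str) -> list[str]:
    """Return the sorted labels of the writeup's indicators found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()
    if SPOOFED_NAME in fold(str(msg.get("From", ""))):
        hits.add("spoofed-sender-name")
    if SUBJECT_MARKER in fold(str(msg.get("Subject", ""))):  # policy decodes RFC 2047
        hits.add("subject")
    for part in msg.walk():
        if fold(part.get_filename() or "").endswith(".exe"):
            hits.add("exe-attachment")
        if part.get_content_type() == "text/plain" and LURE_FILE in fold(part.get_content()):
            hits.add("lure-filename")
    return sorted(hits)
```

Calling `hoax_indicators(SAMPLE)` returns all four labels; a message that matches none of the indicators returns an empty list.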

How does the Trojan get on the computer?
SubSeven is usually sent as a program that you think you want. It almost always has a .exe extension and it will often be disguised as an installation program, such as Setup.exe. When this program runs, it will usually return a "Failed" error message, but it can sometimes do something, such as play a game or appear to install the software. We strongly recommend that you only install programs received from trusted sources.

How does someone else know that this threat is on the computer?
Backdoor.SubSeven can be configured to email your IP address and the port on which the server is running to the person who sent it to you. It can also send an alert through some messaging programs.

What are some of the symptoms of a computer that is infected with the Backdoor.SubSeven Trojan?
Any of the following symptoms will occur only while connected to the Internet:
  • CD-ROM drive opens at random times
  • Wave (.wav) files play for no reason
  • Strange dialog boxes appear
  • Internet downloads are slow
  • Files appear or disappear

NOTE: Virus definitions prior to July 10, 2001, may detect Winsys32.exe and Sys32.exe as Backdoor.Subseven.22.a.

Norton Internet Security/Norton Internet Protection users
If you are using either of these Symantec firewall programs, the name of the Trojan Block rule that prevents the Trojan from being downloaded onto your computer is different from the name that Norton AntiVirus uses to detect the same threat if it is actually run on your computer or received in an email.

Norton Internet Security/Norton Internet Protection will block Backdoor.SubSeven from being downloaded onto your computer using the Block Rule Backdoor/SubSeven.

Antivirus Protection Dates

  • Initial Rapid Release version June 9, 1999
  • Latest Rapid Release version January 21, 2018 revision 022
  • Initial Daily Certified version June 9, 1999 revision 036
  • Latest Daily Certified version January 22, 2018 revision 002
  • Initial Weekly Certified release date June 9, 1999
Writeup By: George Koris
