Backdoor.SubSeven is a Trojan Horse, similar to Netbus or Back Orifice. This Trojan enables unauthorized people to access your computer over the Internet without your knowledge.
When the server portion of the program runs on a computer, the individual who is remotely accessing the computer may be able to perform the following:
- Set it up as an FTP server
- Browse files on that system
- Take screen shots
- Capture real-time screen information
- Open and close programs
- Edit information in currently running programs
- Show pop-up messages and dialog boxes
- Hang up a dial-up connection
- Remotely restart a computer
- Open the CD-ROM
- Edit the registry information
When Backdoor.SubSeven is run, it makes the following changes to the system:
- Drops (adds) a copy of itself and a randomly named executable file, such as Eutccec.exe, to the \Windows or \Windows\System folder.
- Adds the dropped file to the load= and run= lines of the Win.ini file.
- Adds the dropped filename to the shell=explorer.exe line of the System.ini file.
- Creates the WinLoader value and sets it equal to the dropped filename in the registry keys below.
- Modifies the (Default) value from "%1" %* to, for example, eutccec.exe "%1" %*, in the following registry keys:
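The following Python is an added defender-side example, not code from the Symantec writeup: it checks the three persistence indicators listed above (load=/run= entries in Win.ini, extra entries after explorer.exe on the System.ini shell= line, and an executable-association (Default) value that is no longer exactly "%1" %*) against constructed sample file contents. The sample values reuse the page's example name eutccec.exe; the registry key whose value is checked is not named, since the page does not list it.

```python
import configparser

# Constructed sample Win.ini and System.ini contents showing the
# modifications described above (file names are placeholders).
WIN_INI = """[windows]
load=eutccec.exe
run=eutccec.exe
"""
SYSTEM_INI = """[boot]
shell=explorer.exe eutccec.exe
"""
# Constructed (Default) value of an executable-association command key.
EXE_COMMAND = 'eutccec.exe "%1" %*'
CLEAN_EXE_COMMAND = '"%1" %*'


def _parse_ini(text):
    # interpolation=None so "%" in values is taken literally
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_win_ini(text):
    """Report entries on the load= and run= lines of [windows]; both are normally empty."""
    cp = _parse_ini(text)
    findings = []
    for key in ("load", "run"):
        value = cp.get("windows", key, fallback="").strip()
        if value:
            findings.append(f"win.ini {key}={value}")
    return findings


def check_system_ini(text):
    """Report anything appended after explorer.exe on the shell= line of [boot]."""
    shell = _parse_ini(text).get("boot", "shell", fallback="").strip()
    parts = shell.split()
    if len(parts) > 1 and parts[0].lower() == "explorer.exe":
        return [f"system.ini shell= has extra entries: {' '.join(parts[1:])}"]
    return []


def check_exe_command(value):
    """Report an association command whose (Default) value is not exactly '"%1" %*'."""
    if value.strip() != CLEAN_EXE_COMMAND:
        return [f"exe association command modified: {value}"]
    return []


def scan(win_ini, system_ini, exe_command):
    """Combine the three checks into one list of findings."""
    return check_win_ini(win_ini) + check_system_ini(system_ini) + check_exe_command(exe_command)


print(scan(WIN_INI, SYSTEM_INI, EXE_COMMAND))
```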
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":