[CTS] Fw: Threats to your Security on the Internet - SubSeven


Received this from a friend last evening... sorry if it's a repeat here.. but
worth mentioning again.

Tee

DesignWorks
Web Design and Hosting
http://www.dsgnworks.com
We Believe In Design That Works!


----- Original Message -----

To: DesignWorks
Sent: Wednesday, March 28, 2001 12:19 AM
Subject: Threats to your Security on the Internet - SubSeven


THIS IS THE NEWEST HACKER TOOL.  THEY CAN CONTROL EVERYTHING, AND I MEAN
EVERYTHING, ABOUT YOUR PC REMOTELY.  JUST THOUGHT YOU MIGHT WANT TO KNOW
ABOUT THIS ONE.  I SAW IT ON TV DAY BEFORE YESTERDAY.


The Basics of SubSeven (aka Sub7 or Backdoor_G)

SubSeven (aka Sub7 or Backdoor_G) currently affects Windows 95/98 PC's and
can be a bit tricky to remove. This is because the server portion can be
configured to rerun itself automatically from any of four places each time
the system has been rebooted. The trojan also has two files that can be
configured with any name.

As mentioned above and although the server portion can have any name, it's
found in the WINDOWS directory, with one of the following:
"server.exe" (328kb)
"rundll16.exe" (328kb)
"systray.dl" (328kb)
"Task_bar.exe" (328kb)

The second file is found in the WINDOWS\SYSTEM directory, with one of the
following:
"FAVPNMCFEE.dll" (35kb)
"MVOKH_32.dll" (35kb)
"nodll.exe" (35kb)
"watching.dll" (35kb)

If you've encountered any names other than the above, please send me an  so
I can include them.

TCP Ports 6711 and 6776 are used by default, but there's a third TCP port
which is the port used in the establishment of the connection between the
"client" and "server". This third TCP port can be configured to be anything,
although it's commonly seen as TCP port 1243 or TCP port 1999.

As mentioned above, the server portion of the trojan can be configured by
the hacker to rerun itself every time the system is rebooted due to an entry
in one of the four locations. Provided below are the four locations.

The first is an entry on the "shell=" line in the SYSTEM.INI file.

The second is an entry on the "load=" or "run=" line in the WIN.INI file.

The third is under
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

The fourth is under
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

NOTE: Of the systems compromised with SubSeven, it's often found to be the
first location.


--------------------------------------------------------------------------------


Who's Responsible?

SubSeven was written by an individual known as MobMan.

Here's a picture of what the "client" portion of the software looks like.

Provided below is a screenshot of information obtained by the client portion
after it attached to a PC that was compromised with the server portion. In
it, it reflects information about the compromised system.

Provided below is a screenshot of the "EditServer" utility. This is the
utility that allows the hacker to customize the "server" portion of the
trojan. After the server part of the trojan has been configured, it's sent
to the victim...


--------------------------------------------------------------------------------


How to Remove SubSeven

Because the server portion of the SubSeven trojan can be configured to be
loaded automatically from one of four locations, you'll need to look at all
of the locations first. Keep in mind that several steps involve examining
and possibly editing the registry. Although the steps are relatively easy, I
cannot be held responsible if a mistake is made. Please use caution.

The first and second locations - The WIN.INI and SYSTEM.INI files

Step 1.
Click START | RUN
Type SYSEDIT and press ENTER

Step 2.
Click on the SYSTEM.INI file and look at the "shell=Explorer.exe" line
under the [boot] section. There shouldn't be anything to the right of it.
However, if yours looks like "shell=Explorer.exe Task_Bar.exe", then
Task_Bar.exe is the server portion of the trojan.

Delete Task_Bar.exe from the line, save the change. Skip to the END.

Step 3.
Click on the WIN.INI file and look at the run= and load= lines under the
[windows] section. Because it is common to have legitimate programs on
either of these lines, you should look at the name of the file that appears
on the line and compare it to those above.

If you find one, delete it from the line, save the change. Skip to the END.


The third and fourth locations - The Registry

Step 1.
Click START | RUN
Type REGEDIT and press ENTER

Step 2.
In the left window, click the "+" (plus sign) to the left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Step 3.
In the right window, look for a key that has a Value that loads one of the
files listed above. If you don't find a file as listed above, it might mean
that the server portion was renamed to something else. Note the names of any
suspicious files.

What you will need to do is open Windows Explorer and go to the WINDOWS
directory. Locate each of the suspicious files that were referenced within
the right window of regedit. When you find the file that's 328Kb in size,
you've probably found the renamed server portion of SubSeven.

Step 4.
Return to the registry and in the right window, highlight the key that loads
the file and hit the DELETE key. Answer YES to delete the entry.

Step 5.
Exit the Registry and reboot your computer.

Step 6.
After the computer has restarted, open Windows Explorer.

Step 7.
Go to the WINDOWS directory and look for the suspicious file. Once you've
found the file, DELETE it.

Step 8.
Exit Windows Explorer.

Congratulations! SubSeven has been removed.
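As an added example (my own code, not part of the forwarded message), the checks described above for the four autostart locations and the removal steps can be turned into a small audit script. It works on text snapshots of SYSTEM.INI, WIN.INI and the two Run keys, plus an optional file-size listing, so it runs offline on the constructed samples below; on a real Windows 9x box the same functions would be fed the contents of the real files and keys. The +/-1 KB tolerance around the 328 KB server size is my assumption, not something the post states.

```python
"""Audit the four SubSeven autostart locations named in the post.

Constructed example: the INI text, registry values and file sizes below are
made up to exercise the checks, they were not captured from a real system.
"""
import re

# Filenames listed in the post (server in WINDOWS, second file in WINDOWS\SYSTEM).
SERVER_NAMES = {"server.exe", "rundll16.exe", "systray.dl", "task_bar.exe"}
SECOND_FILE_NAMES = {"favpnmcfee.dll", "mvokh_32.dll", "nodll.exe", "watching.dll"}
KNOWN_NAMES = SERVER_NAMES | SECOND_FILE_NAMES
SERVER_SIZE = 328 * 1024  # the post's "328kb"; +/-1 KB tolerance is my assumption


def parse_ini(text):
    """Return {section: {key: value}} with lowercased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _basename(path):
    """Lowercased final path component, tolerating quotes and either slash."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_system_ini(text):
    """Location 1: anything after Explorer.exe on the [boot] shell= line."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    # A clean line is just "Explorer.exe"; every extra token is a finding.
    return [("SYSTEM.INI [boot] shell=", token) for token in shell.split()[1:]]


def check_win_ini(text):
    """Location 2: [windows] load= / run= entries that match a known filename."""
    windows = parse_ini(text).get("windows", {})
    findings = []
    for key in ("load", "run"):
        for entry in re.split(r"[,\s]+", windows.get(key, "")):
            if entry and _basename(entry) in KNOWN_NAMES:
                findings.append((f"WIN.INI [windows] {key}=", entry))
    return findings


def check_run_keys(run_values, sizes=None):
    """Locations 3 and 4: values under Run and RunServices.

    run_values: {"Run": {value_name: command}, "RunServices": {...}}
    sizes: optional {lowercased full path: size in bytes} listing of the
    WINDOWS directory, used to apply the post's 328 KB rule to renamed servers.
    """
    sizes = sizes or {}
    findings = []
    for key_name, values in run_values.items():
        location = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\" + key_name
        for value_name, command in values.items():
            exe = command.strip().split()[0] if command.strip() else ""
            if _basename(exe) in KNOWN_NAMES:
                findings.append((location, value_name, exe, "known SubSeven filename"))
            else:
                size = sizes.get(exe.strip('"').lower())
                if size is not None and abs(size - SERVER_SIZE) <= 1024:
                    findings.append((location, value_name, exe,
                                     "unknown name but server-sized (328 KB) file"))
    return findings


def audit(system_ini, win_ini, run_values, sizes=None):
    """Run all four location checks and return the combined findings."""
    return (check_system_ini(system_ini) + check_win_ini(win_ini)
            + check_run_keys(run_values, sizes))


# Constructed sample input: one hit in each of the four locations plus a
# legitimate SysTray.Exe entry that must not be flagged (systray.dl is on the
# list, systray.exe is not).
SYSTEM_INI = "[boot]\nshell=Explorer.exe Task_Bar.exe\n"
WIN_INI = "[windows]\nload=\nrun=rundll16.exe\n"
RUN_VALUES = {
    "Run": {"SystemTray": "SysTray.Exe", "WinUpdate": "C:\\WINDOWS\\winup.exe"},
    "RunServices": {"nodll": "C:\\WINDOWS\\SYSTEM\\nodll.exe"},
}
SIZES = {"c:\\windows\\winup.exe": 328 * 1024, "c:\\windows\\systray.exe": 36000}

if __name__ == "__main__":
    for finding in audit(SYSTEM_INI, WIN_INI, RUN_VALUES, SIZES):
        print(" | ".join(finding))
```

The INI checks mirror the post's own rule of thumb: SYSTEM.INI is flagged on any extra token after Explorer.exe, while WIN.INI and the Run keys, where legitimate entries are common, are only flagged on a listed filename or on the 328 KB size of a renamed server.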

--------------------------------------------------------------------------------
Computer Talk Shop
To un-subscribe, http://questforcertification.com/cts/unsubscribe.htm

List HowTo: http://questforcertification.com/cts/faq

To join Computer Talk Shop's off topic list, please goto:
http://questforcertification.com/cts/other_cts_lists.htm
---------------------------------------------------------------------------------