SubSeven            Sub7       Backdoor-G

Backdoors    Trojans

 

 

A hundred times I warned my sons to not open any exe extension send through internet connection.
No problem we don't do it.
So one of my sons was online in a chat program downloading an execute file from a friend. When the exe was activated, nothing happened. After a while the printer was printing some text, funny stuff, CD-rom was opened and closed.
I know directly that a server patch was installed. Immediately a disconnection from the internet and searching for something.
File MSREXE.EXE was found in Windows\System.
File was moved to an other directory.
In WIN.INI a run=MSREXE.EXE was created.

Looking on the internet for information I found it was a SubSeven Backdoor tool, a trojan.

Name : Backdoor-G, Backdoor-G2.svr.21
Alias: Sub7, Subseven, Backdoor-G2, Backdoor-G2.gen, Backdoor-G2.svr.20, Subseven v2.0 , v2.1, v2.1 Gold
Variants: Backdoor-G, Backdoor-G.svr

It is a Windows 9x internet Backdoor trojan.
By default the trojan use TCP port 27374 but is configurable by the program. (Using a firewall you'll be surprised how many scans you have daily on that port.  Also on port 27374, 28431, 47624)
When running it gives unlimited access to the system ( your computer) to anyone running the appropriate client software. You are the server at that moment.
The trojan installs 3 files, in Windows and Windows\System.
The main exe is installed in the Windows folder
(NoName.exe, the filename can be changed by the Trojan's configuration program).
It is used to load the main trojan server.
This is found in the run line of WIN.INI Run= MSREXE.EXE
In HKEY_CLASSES_ROOT a key .dl was created.

Removal

On the Windows taskbar, click Start and then Run.
Type regedit (for W9x) or regedt32 (for Windows NT), enter
Modify the following Registry value, key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command\
In this key it should contain only this value "%1" %* and nothing else.
Change "mueexe.exe "%1" %*" to ""%1" %*"
Don't forget the space between " and %. ("%1"spacebar%*)
HKEY_CLASSES_ROOT\.dl
Delete this key ( directory), .dl is running like a .exe, is a created key (dir) by the trojan.
Delete Windows\System\MSREXE.exe file.
Edit WIN.INI and remove the run=line reference to the trojan (run=MSREXE.exe), mostly used by backdoors.

Optional check ?:

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Delete any keys that runs the main trojan
2. Edit SYSTEM.INI  and  remove the shell=line reference to the trojan. It should only contain the Explorer.exe file.
3.Check the C:\WINDOWS\START_MENU\PROGRAMS\STARTUP folder.
Server patch is installed here, delete it. Program was uploaded true FTP and tries to install itself the next time your start the computer.

4. Restart your computer.

Finished.

Depending the variant of the Backdoor-G, files could be created like:
NODLL.exe (main Trojan), RUN.exe, WINDOWS.exe, WINDOW.exe, SERVER.exe, KERNEL16.dl (.dl and not .dll),
WATCHING.dll or LMDRK_33.dll (in Windows\System),
MUEEXE.exe (mueexe.exe causes the operation system to run the load program every time an exe file is started),
Backdoor-G.dll (server program to monitor internet connections client),
BackDoor-G.cli and BackDoor-G.cfg (filenames can be changed)

For more info see at, not yet....in construction.

Save Computing : be suspicious of .exe, .shs, MS Word and MS Excel file attachments.

 

Don't move your cursor here
Why not ??     I said so.
Don't do it.

 

Text found on a site :
"Does your friend know that naughty programs like TROJANS do exist in this world ? If he doesn't know that , he 's a loser straight away. Configure your server , bind it with a game or some exe file and give it to him .He's sure gonna run it *LOL ;-) "
Note : There are programs that binds 2 exe to one exe. You start a game.exe and a second .exe is also started but you don't see it.  You get infected and become a server.  Nice isn't it.

Text found on a site :
"The computer will become a FTP server whenever he's online. So it acts as a backdoor for uploading new trojans even if you have lost access to his computer through your trojan. But you have to remember one thing that since this program opens up the victim's computer as a FTP server , he's open to the whole everybody who knows that his FTP port is open.
Another piece of information I would like to add is that this FTP Server opens up at default FTP port i.e Port 21 and there is NO Login/Password for it (I mean it automatically logs in as "Anonymous", you don't have to make any changes in your FTP Client) and you CANNOT change the PORT. So be very careful while using this unless you want the victim's computer to become a trojan playground."
Note : With this program you make the victim's computer a FTP server on Port 21.    Nice.

Get a firewall

 

Go to hack search engine Astalavista in my favorites.

 

Neworder. The resource for people to help avoid being hacked, security and exploiting related files and links.

See text file.

Download this full trial version from AVP (Anti Virus Protection), see at Trial Versions
Anti Virus Experts: Your First, Last, and Only Line of Defense

Anti Virus Experts, AVX 2000 Professional Evaluation, FULLY FUNCTIONAL for 30 days

 

Defend yourself, get a firewall.

Download the free firewall   Zone Alarm

mailto Michel Beyens

Netbus-BackOrifice | Sub7-SubSeven-Backdoor-G
Internet Explorer | email | Backdoors | PC | Macro Warning | Virus Warning

HomePage | Overview Pages
Calpe-Spain | Entertainment | Favorite | Hockey | Reefaquarium | Virus

Sign My Guestbook Go to GuestWorld Lycos View My Guestbook

Nedstat statistics on index page