Port No | 27374 |
Service Name | SubSeven |
RFC Doc | 0 |
Protocol | TCP |
Description | SubSeven 2.1 Bonus fixed the following bugs: IRC bot, AIM spy, ICQ spy, and offline key logger. The 2.1 Bonus client also included a password bypass feature: any previous server could have its password protection removed. However, all new servers are immune to this feature. |
Reference Link | SubSeven |
Attack | Autoloads: varies from Registry, System.ini, Win.ini
Features: App redirect; Change icon of SubSeven server; Change resolution; Change server port; Change time and date; Change windows colors; Client can bypass all previous servers' password protection; Clipboard viewer/editor; Compress/decompress file before and after transfer; Disable keyboard; Download/upload; Edit file; Edit registry; File explorer; Flip screen; Get AIM/ICQ users and passwords; Get cached passwords; Get server home info (address, name, phone number, etc.); Hang up modem; Hide/move mouse; Hide/show desktop/start button/taskbar; ICQ spy; ICQ takeover; ICQ/IRC/email notify; Info about computer; IP scanner; IP tool; IRC bot; Keylog; Message manager; Microsoft Messenger spy; Move mouse; Open browser; Open/close CD-ROM; Perform clicks on server's desktop; Ping server; Play wav; Print a txt file; Process viewer; Record sound; Restart server; Scroll/Num/Caps Lock on/off; Send keys; Set volume; Set wallpaper; Set/change screen saver settings; Show image; Start/stop speaker; Text2Speech; The Matrix (black screen, green writing); Update server; View/disable x/show/hide/focus/close applications; Webcam; Yahoo Messenger spy
Fix:
1. Remove the Winloader key in the registry, located under either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. This can be done with regedit or any other registry editing program.
2. Open system.ini (usually c:\windows\system.ini) and change the key shell=Explore.exe some random name.exe under [boot] to shell=explorer.exe. This can be done with any text editing program.
3. Open win.ini (usually c:\windows\win.ini) and remove the key run=some random name.exe under [Windows]. This can be done with any text editing program.
4. Change the default value at HKEY_LOCAL_MACHINE\SOFTWARE\exefile\shell\open\command to nothing ("").
5. Reboot the computer or close the trojan.
6. Delete the trojan file some random name.exe in the Windows directory. |
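The following read-only audit is an added example, not part of the original entry: it checks a host for the autoload indicators the Fix steps describe (the Winloader entry, the system.ini shell= line, the win.ini run= line, the exefile handler key) and for a listener on TCP 27374, and reports without changing anything. It assumes Windows PowerShell 5 or later with the NetTCPIP module (Windows 8/2012 and newer); the exefile registry path is the one given on this page and may not exist on modern Windows.

```powershell
# Added audit script, not part of the original page: reports the SubSeven
# autoload indicators listed in the Fix steps without changing anything.
# Assumes Windows PowerShell 5+ and that %windir% holds system.ini/win.ini;
# Get-NetTCPConnection needs the NetTCPIP module (Windows 8/2012 or later).
$findings = @()
# Small INI reader: returns the value of $Name in [$Section], or $null.
function Get-IniValue($Path, $Section, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $current = ''
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $line -match "^\s*$Name\s*=\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    return $null
}
# 1. Winloader entry under the two autostart keys named in the fix.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices') {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains 'Winloader') {
            $findings += "Winloader found in $key -> $($props.Winloader)"
        }
    }
}
# 2. system.ini [boot] shell= should be exactly explorer.exe.
$shell = Get-IniValue (Join-Path $env:windir 'system.ini') 'boot' 'shell'
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "system.ini [boot] shell= is '$shell' (expected explorer.exe)"
}
# 3. win.ini [Windows] run= should be absent or empty.
$run = Get-IniValue (Join-Path $env:windir 'win.ini') 'Windows' 'run'
if ($run) { $findings += "win.ini [Windows] run= is '$run'" }
# 4. exefile open command at the path the page gives (the key may not exist
#    on modern Windows, where the handler lives under HKEY_CLASSES_ROOT).
$exeKey = 'HKLM:\SOFTWARE\exefile\shell\open\command'
if (Test-Path $exeKey) {
    $findings += "exefile handler at $exeKey = '$((Get-ItemProperty $exeKey).'(default)')'"
}
# 5. Anything listening on this entry's port, TCP 27374?
$l = Get-NetTCPConnection -LocalPort 27374 -State Listen -ErrorAction SilentlyContinue
if ($l) { $findings += "TCP 27374 is listening (PID $($l.OwningProcess -join ','))" }
if ($findings.Count -eq 0) { 'No SubSeven autoload indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and %windir% files are readable; a listener on 27374 alone is not proof of infection, so confirm the owning process before acting on the Fix steps.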