Port No | 7215 |
Service Name | SubSeven |
RFC Doc | 0 |
Protocol | TCP |
Description | Works on Windows 95, 98 and NT. NT is supported from version 2.2 beta 2; earlier versions run only on 95 and 98. Version 2.1 can also be controlled via messages over IRC and ICQ. From 2.13 all file names are default names and can be changed. Source code is decompiled and available. |
Reference Link | SubSeven Trojan |
Attack | It autoloads via the Registry: HLM\Software\Microsoft\Windows\CurrentVersion\Run\ ; HLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ ; HLM\SOFTWARE\exefile\shell\open\command. It does the following: 1. Remote Access 2. ICQ trojan 3. IRC trojan. Alters System.ini and Win.ini. The program "Mirc56freezer.exe" is in some cases infected with SubSeven 1.8. There are secret master passwords hidden in SubSeven, at least in versions 1.9 and 2.1. At least one file is compressed by the packer UPX 0.72. Depending on what functions you add to the server, its size will also change. With more than 100 "features", it is one of the more powerful of all Remote Access Trojans (RATs). |