Event ID - 6713

Port No: 6713
Service Name: SubSeven
RFC Doc: 0
Protocol: TCP
Description: Works on Windows 95, 98 and NT. NT is supported from version 2.2 beta 2; earlier versions ran only on 95 and 98. Version 2.1 can also be controlled via messages over IRC and ICQ. From 2.13 all file names are default names and can be changed. Source code is decompiled and available.
Reference Link: SubSeven
Attack:

Registers:
HLM\Software\Microsoft\Windows\CurrentVersion\Run\
HLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HLM\SOFTWARE\exefile\shell\open\command

Files:
Subseven.exe - 308,224 bytes
Subseven.exe - 312,320 bytes
Subseven.exe - 381,440 bytes
Subseven.exe - 388,096 bytes
Subseven.exe - 428,469 bytes
Subseven.exe - 623,104 bytes
Subseven.exe - 624,128 bytes
Sub7.exe - 468,992 bytes
Sub7.exe - 479,232 bytes
Sub7.exe - 491,520 bytes
Sub7.exe - 493,056 bytes
Sub7.exe - 519,680 bytes
Server.exe - 250,368 bytes
Server.exe - 251,904 bytes
Server.exe - 333,547 bytes
Server.exe - 335,237 bytes
Server.exe - 335,799 bytes
Server.exe - 336,867 bytes
Server.exe - 336,934 bytes
Server.exe - 342,042 bytes
Server.exe - 352,287 bytes
Server.exe - 380,835 bytes
Server.exe - 382,371 bytes
Server.exe - 385,858 bytes
Server.exe - 867,840 bytes
Editserver.exe - 186,368 bytes
Editserver.exe - 195,584 bytes
Editserver.exe - 221,184 bytes
Editserver.exe - 303,802 bytes
Editserver.exe - 404,992 bytes
Editserver.exe - 484,352 bytes
Systrayicon.exe - 768 bytes
Systray.exe - 33,280 bytes
Icqmapi.dll - 58,368 bytes
Icqmapi.dll - 58,880 bytes
Kerne1.exe -
Kernel16.dl -
Kernel32.dl -
Explore.exe -
Msrexe.exe -
Mueexe.exe -
Fueovs.exe -
Uabmruua.exe -
Windos.exe -
Win32.exe -
Nodll.exe - 32,768 bytes
Nodll.exe - 33,230 bytes
Subseven.ini -
Skin.ini - 454 bytes
Skin.ini - 464 bytes
Skin.ini - 468 bytes
Skin.ini - 481 bytes
Rundll1.exe -
Rundll16.exe -
S7undetec.exe - 321,476 bytes
Subpas1.cab - 1,312,768 bytes
Subpas2.cab - 145,273 bytes
Setup.exe - 140,800 bytes
Ssetup.exe - 140,800 bytes
Setup.lst - 3,656 bytes
Ssetup.lst - 3,656 bytes
Task_bar.exe -
Mvokh_32.dll -
Favpnmcfee.dll -
Watching.dll -
Run.exe - 11,371 bytes
Sub7bonus.exe -
Wandows.com -

Actions:
Remote Access / ICQ trojan / IRC trojan
Alters System.ini and Win.ini. The program "Mirc56freezer.exe" is in some cases infected with SubSeven 1.8. There are secret master passwords hidden in SubSeven, at least in versions 1.9 and 2.1. At least one file is compressed by the packer UPX 0.72. The size of the server changes depending on which functions you add to it. With more than 100 "features", it is one of the more powerful of all Remote Access Trojans (RATs).
