Subseven 2.1 Bonus

SubSeven (2.1 Bonus)
Server name: SubSeven
Version: 2.1 Bonus
Different versions: [1.0][1.1][1.2][1.3][1.4][1.5][1.6][1.7][1.8][1.9][Apocalypse][2.0][2.1][2.1 Bonus][2.1 Defcon][2.1 ICQ Fix][2.1 Gold][2.1 MUIE][2.2 beta 1][2.2 beta 2][2.2]
Tested: Yes, on Windows 95 and Windows NT
Server size: 373K
Server files: server.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: Yes, varies from Registry, System.ini, Win.ini
Default port: 27374 TCP, ICQ Spy: 54283 TCP, Key Logger: 2773 TCP, Matrix: 7215 TCP
Can port be changed: Yes

Server Features

App redirect
Change icon of SubSeven server
Change resolution
Change server port
Change time and date
Change windows colors
Client can bypass all previous server's password protection
Clipboard viewer/editor
Compress/Decompress file before and after transfer
Disable keyboard
Download/upload
Edit File
Edit registry
File explorer
Flip screen
Get AIM/ICQ users and passwords
Get cached passwords
Get server home info(Address, name, phone number, etc..)
Hangup modem
Hide/move mouse
Hide/show desktop/start button/taskbar
ICQ Spy
ICQ Takeover
ICQ/IRC/Email notify
Info about computer
IP Scanner
IP Tool
IRC Bot
Keylog
Message manager
Microsoft Messenger Spy
Move mouse
Open browser
Open/close cdrom
Perform clicks on server's desktop
Ping server
Play wav
Print
Print a txt file
Process viewer
Record sound
Restart server
Scroll/nums/caps locks on/off
Send keys
Set volume
Set volume
Set wallpaper
Set/Change screen saver settings
Show image
Start/stop speaker
Text2Speech
The matrix(Black screen, green writing..)
Update server
View/disable x/show/hide/focus/close applications
Webcam
Yahoo Messenger Spy

Comments
SubSeven 2.1 Bonus fixed the following bugs: IRC bot, AIM spy, ICQ spy, and offline key logger. The 2.1 bonus client also included a password bypass feature. Any previous server could have it's password protection removed. However all new servers are immune to this feature.

Note: This is a trojan that can be submitted to us for analysis. We can possibly determine for you the password that was used and the ICQ UIN, Email or IRC channel that was being notified. For more information on submitting trojan files to us read here.

How To Remove
Quick fix: no quick fix programs
Manual removal:

Remove the Winloader key in the registry located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Which can be done with regedit or any other registry editing program.
Open the system.ini(Usually c:\windows\system.ini) and change the key: shell=Explore.exe some random name.exe. under [boot], to shell=explorer.exe. This can be done with any text editing program.
Open the win.ini(Usually c:\windows\win.ini) and remove the key: run=some random name.exe under [Windows], this can be done with any text editing program.
Change the default value at HKEY_LOCAL_MACHINE\SOFTWARE\exefile\shell\open\command to nothing("").
Reboot the computer or close the trojan.
Delete the trojan file some random name.exe in the windows directory. .

Related
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page

Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved.
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal.
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.