SubSeven (2.1 GOLD)
Server name: SubSeven
Version: 2.1 Gold
Different versions:  [1.0][1.1][1.2][1.3][1.4][1.5][1.6][1.7][1.8][1.9][Apocalypse][2.0][2.1][2.1 Bonus][2.1 Defcon][2.1 ICQ Fix][2.1 Gold][2.1 MUIE][2.2 beta 1][2.2 beta 2][2.2]
Tested: Yes, on Windows 95 and Windows NT
Server size: 388K
Server files: server.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: Yes, varies from Registry, System.ini, Win.ini
Default port: 27374 TCP, ICQ Spy: 54283 TCP, Key Logger: 2773 TCP, Matrix: 7215 TCP
Can port be changed: Yes

Server Features

  • App redirect 
  • Change icon of SubSeven server 
  • Change resolution 
  • Change server port 
  • Change time and date 
  • Change windows colors 
  • Clipboard viewer/editor 
  • Compress/Decompress file before and after transfer 
  • Disable keyboard 
  • Download/upload 
  • Edit File 
  • Edit registry 
  • File explorer 
  • Flip screen 
  • Get AIM/ICQ users and passwords 
  • Get cached passwords 
  • Get server home info(Address, name, phone number, etc..) 
  • Hangup modem 
  • Hide/move mouse 
  • Hide/show desktop/start button/taskbar 
  • ICQ Spy 
  • ICQ Takeover 
  • ICQ/IRC/Email notify 
  • Info about computer 
  • IP Scanner 
  • IP Tool 
  • IRC Bot 
  • Keylog 
  • Message manager 
  • Microsoft Messenger Spy 
  • Move mouse 
  • Open browser 
  • Open/close cdrom 
  • Perform clicks on server's desktop 
  • Ping server 
  • Play wav 
  • Print 
  • Print a txt file 
  • Process viewer 
  • Record sound 
  • Restart server 
  • Scroll/nums/caps locks on/off 
  • Send keys 
  • Set volume 
  • Set volume 
  • Set wallpaper 
  • Set/Change screen saver settings 
  • Show image 
  • Start/stop speaker 
  • Text2Speech 
  • The matrix(Black screen, green writing..) 
  • Update server 
  • View/disable x/show/hide/focus/close applications 
  • Webcam 
  • Yahoo Messenger Spy   

SubSeven 2.1 Gold fixes many bugs from the previous versions. Other then bug fixes there is not much new in this version.

Note: This is a trojan that can be submitted to us for analysis. We can possibly determine for you the password that was used and the ICQ UIN, Email or IRC channel that was being notified. For more information on submitting trojan files to us read here.

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Remove the Winloader key in the registry located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Which can be done with regedit or any other registry editing program.
  2. Open the system.ini(Usually c:\windows\system.ini) and change the key: shell=Explorer.exe MSREXE. under [boot], to shell=explorer.exe. This can be done with any text editing program. 
  3. Open the win.ini(Usually c:\windows\win.ini) and remove the key: run=MSREXE.exe under [Windows], this can be done with any text editing program.
  4. Change the default value at HKEY_CLASSES_ROOT\exefile\shell\open\command to nothing("").
  5. Reboot the computer or close the trojan. 
  6. Delete the trojan file MSREXE.exe in the windows directory. Do note that SubSeven does make some registry modifications but they do not appear to be important and need not to be changed. 

Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.