
SubSeven - backdoor trojan

uncommon version has me stymied

tedster

4:54 am on Mar 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Somehow I recently acquired an offbeat version of the SubSeven Trojan and it's making me crazy. From what I've read, this has been a favorite with the script kiddies for several years, and they've evolved many versions. I have no idea how it got through my defenses, but clearly it did - I believe I got it on one indiscriminate browsing session with IE6 (I almost never use IE except for checking my work and the Google toolbar).

Now SubSeven keeps trying to phone home, but my firewall stops it. The logs clearly show me the message that SubSeven/backdoor is trying to get web access.

But none of the common signs of this trojan seem to be present. This page [rr.sans.org] talks about how to look in win.ini, system.ini and the registry for the common traces of the trojan and none of them show up. The common filenames do not exist on my machine. A full Norton scan finds nothing, and yet the little bug keeps on trying to phone home.

I found some freeware that claimed to do "what Norton says is impossible" -- find and clean all versions of the SubSeven trojan. But, you guessed it, the program said my system is already clean, when it clearly isn't.

I'm really out of my depth in the world of script kiddies and malicious programming. I now find myself paranoid of downloading even programs that say they can help.

Has anyone else wrestled with this thing? Any tips?

(edited by: tedster at 6:34 am (utc) on Mar. 16, 2002)

Key_Master

5:04 am on Mar 16, 2002 (gmt 0)




Have you tried this site [hackfix.org] yet? It has a lot of info on SubSeven.

digitalghost

5:05 am on Mar 16, 2002 (gmt 0)




There's no loader in the registry?

Haven't seen any versions that don't use that. Got a copy of the registry?

DG

digitalghost

5:07 am on Mar 16, 2002 (gmt 0)




Hackfix only goes up to ver2. 2.2 is making the rounds now.

Strike that. Just saw 2.2 there. How is it phoning home? Email or ICQ?

DG

tedster

6:19 am on Mar 16, 2002 (gmt 0)




It's using an email phone home.

Just checked the recent versions on hackfix -- turned up none of those signs on my machine. Notably, nothing extra next to "shell=Explorer.exe" in my win.ini file.

Hackfix says that new versions of SubSeven have made the filenames fully customizable (how very user-friendly!) so the hunt has become very challenging. And now the thing is ready for plug-ins!!?

I wish those names weren't so innocent sounding - "trojan" and "virus" sound nothing like the malicious and destructive terrorism that they are.
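The autostart lines tedster is eyeballing above can be checked mechanically. This is an added example, not code from the thread or from any tool named in it: on Windows 9x the shell is named on the [boot] shell= line of system.ini, and win.ini's [windows] section carries run= and load= lines that start programs at logon; anything beyond a bare Explorer.exe on those lines deserves a look. The INI contents and the loader name are constructed.

```python
def _ini_values(text, section, key):
    """Return every value of `key` under `[section]` (INI files may repeat keys)."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                values.append(v.strip())
    return values


def autostart_findings(system_ini, win_ini):
    """Report anything beyond a bare Explorer.exe shell, and any run=/load= program."""
    findings = []
    # Windows 9x starts the shell named on the [boot] shell= line of system.ini;
    # an extra program appended there runs on every boot.
    for shell in _ini_values(system_ini, "boot", "shell"):
        programs = shell.split()
        if not programs or programs[0].lower() != "explorer.exe":
            findings.append(f"system.ini shell= is not Explorer.exe: {shell!r}")
        for extra in programs[1:]:
            findings.append(f"system.ini shell= also launches {extra}")
    # win.ini [windows] run= and load= are normally empty; anything there autostarts.
    for key in ("run", "load"):
        for value in _ini_values(win_ini, "windows", key):
            for program in value.split():
                findings.append(f"win.ini {key}= launches {program}")
    return findings


# Constructed samples; 'placeholder_loader.exe' stands in for whatever name a
# trojan with customizable filenames happens to use.
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vmouse\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[fonts]\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=Explorer.exe placeholder_loader.exe\n"
INFECTED_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\placeholder_loader.exe\n"

if __name__ == "__main__":
    print("clean:", autostart_findings(CLEAN_SYSTEM_INI, CLEAN_WIN_INI))
    print("infected:", autostart_findings(INFECTED_SYSTEM_INI, INFECTED_WIN_INI))
```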

toolman

6:28 am on Mar 16, 2002 (gmt 0)




Something (the only thing I know) is to check to see if there is a bot (we already know you have one). But test this, tedster, and tell me if it works.

In a dos box type :

c:>netstat -an | find ":6667"

That is a "pipe" not an "L"

the second port to check is ":113"

BTW I have 3 different clients who all have had multiple trojans and viri in the last month. Methinks it's html email.

tedster

8:11 am on Mar 16, 2002 (gmt 0)




What's it supposed to do? (I'm not much of a DOS guy.) I tried both, and pressing enter just brought me back to another identical DOS prompt.

Everything about my system seems to be customized strangely, by the way. Sony VAIO stuff.

> Methinks it's html email.

Could very well be. I use Messenger, but haven't figured out how to disable the HTML.

Lots of increase in adult site spam the past couple weeks, and I hear that's a prime method of contagion.

tedster

9:03 am on Mar 16, 2002 (gmt 0)




Well, I'm stumped for now. I already gave the thing about 6 hours today and I can't afford that.

I'm going to try to catch the next alert the instant it happens and see if I can figure out what .exe kicked in the trojan - that should help me figure out where the bug is hiding.

I ran a full Norton System Works and now the thing won't trigger. Well, at least it can't really call home.

Thierry Zoller

12:07 pm on Mar 16, 2002 (gmt 0)




"what Norton says is impossible": that was tlsecurity, and it also says it does it for version 2.0, no other version. You might consider reading the text on the pages too ;)

Might get you some answers :
[tlsecurity.net...]

Try these autostart methods. If you're on Windows 9x, SubSeven injects itself into other processes' threads, so you'll have to go to DOS and delete the executable there.

Thierry Zoller

12:15 pm on Mar 16, 2002 (gmt 0)




Toolman, what you do there (netstat) is checking IRC connections (IRC 6667 and Ident 113). Note that IRC can run on any port you want it to run on, so it is useless anyway; in this particular case it's of no use since SubSeven doesn't create IRC connections per se. You probably got these invaluable tips from Steve Gibson; unfortunately, like most of his tips, they won't help anybody ;)

Are you on a 9.x or on a 2000/NT/XP system?

If you are on 2000 or NT it cannot inject itself into other process memory, so it is much easier to get rid of it.

toolman

3:46 pm on Mar 16, 2002 (gmt 0)




>>>You probably got these invaluable tips from Steve Gibson

Drat. My one chance to look like a super geek and my cover gets blown.

>>>>Could very well be. I use Messenger, but haven't figured out how to disable the HTML.

I just redid my main design computer and this time I "allowed" email into the mix. I'm running a program called MailWasher.net to read the mail on the server and bounce the spam, and then downloading the ok stuff into Eudora 3.06 - it doesn't do html. To read .doc and .xls files if I have to, I'm running OpenOffice.org.

The computer sings... I'm reasonably safe... there's no "bloated" software to slow things down with its "hooks" into everything... I like it. But the real saving grace is to make a Ghost image of your fresh, clean new installation so in case something does go awry, you'll be back to a fresh start in 20 minutes. I'm gonna go start a new thread for that.

Air

4:03 pm on Mar 16, 2002 (gmt 0)




Tedster, if you are running other progs likely to access the web, turn them off; maybe your firewall is blocking some other program and you don't have Sub7 present at all. The obvious ones to check would be Morpheus, WinMX, RealPlayer, AntiVirus auto updaters, software updaters, media player auto updaters, and any other auto "anythings" that might go to the web either for updates or a regular phone home to report on their life on your machine.

minnapple

4:09 pm on Mar 16, 2002 (gmt 0)




< But the real saving grace is to make a Ghost image of your fresh, clean new installation

A Ghost System drive is a must. I always have one within arms reach.

tedster

10:02 pm on Mar 16, 2002 (gmt 0)




Thanks for the support. For now the little darlin' seems to be asleep - no mischief for hours. I don't feel like I really resolved the issue, but at least the computer is functioning.

I did get a 24-hour old Norton update - ran it, but didn't find anything new.

> if you are running other progs likely to access the web turn them off, maybe your firewall is blocking some other program and you don't have Sub7 present at all.

Yes, that sure could be. But I have configured rules for all the common stuff to either allow or permanently disallow the connection. If the program wakes up again, I will try something like what you suggest.

I got the name "SubSeven/backdoor" from the firewall alert. Maybe some other dude stole the name to piggyback his own hacking glory, and this isn't really SubSeven at all. I'm beginning to think that may be the case. Like digitalghost says, there's no loader in the registry.

toolman

10:26 pm on Mar 16, 2002 (gmt 0)




Wow. This is kinda fun. I've been playing with netstat and found my own little bugger in my email machine over there. It's listening on different ports every time I block the one it's on in the router and reboot.

Guess I'll have to reformat and get rid of Outlook once and for all. I've been meaning to as I suspect that some of these adult spams I've been getting as well as some of the other junk with the pop ups just might have some other purpose.

Maybe we should all test to see if we're part of the "next big thing" on the net. Here's my simple way of finding open ports:

In a dos box type: C:\WINDOWS>netstat

Wait and see what it reports back. ICQ and AIm and all that stuff should be shut down. Eliminate all the "legal" stuff and whatever is left may be questionable. Then type:

C:\WINDOWS>netstat -an | find "xxxx"

where xxxx is the port you found open. This will tell you what the connection is doing.

If you're a pro at this step up and help.
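An added example, not code from the thread or from any tool it names: it does over every row what toolman's `netstat -an | find` one-liner does for a single port, and shows why a substring match on ":113" is unreliable, which is Thierry's point that watching particular port numbers tells you little. It parses a constructed `netstat -an` listing, flags listeners that are not on an allowlist of known services, and lists the outbound connections that are the real "phoning home" candidates.

```python
import re

# Constructed sample of Windows `netstat -an` output, not a capture from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44444          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1130      198.51.100.3:80        ESTABLISHED
  TCP    192.168.1.10:1131      203.0.113.7:25         SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# proto, local ip, local port, foreign endpoint, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lip, lport, remote, state = m.groups()
            rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                         "remote": remote, "state": state or ""})
    return rows


def naive_find(text, port):
    """What `netstat -an | find ":113"` really does: a plain substring match,
    so ":113" also hits local ports 1130, 1131, 11300 and so on."""
    return [ln.strip() for ln in text.splitlines() if f":{port}" in ln]


def unexpected_listeners(rows, allowed):
    """Ports the machine is waiting on that are not on the allowlist of known services."""
    return sorted(r["local_port"] for r in rows
                  if (r["state"] == "LISTENING" or r["proto"] == "UDP")
                  and r["local_port"] not in allowed)


def outbound(rows):
    """Connections this host initiated: the candidates for 'phoning home'."""
    return [(r["remote"], r["state"]) for r in rows
            if r["proto"] == "TCP" and r["state"] != "LISTENING"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("naive ':113' hits:", naive_find(SAMPLE_NETSTAT, 113))
    print("unexpected listeners:", unexpected_listeners(rows, {135, 137}))
    print("outbound:", outbound(rows))
```

On the constructed sample the naive ":113" search returns two lines that have nothing to do with Ident, while the parsed view isolates the one unexplained listener and the SYN_SENT attempt to a remote port 25.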

Thierry Zoller

10:46 pm on Mar 16, 2002 (gmt 0)




For Windows 95, 98 or ME users, try Purge-it to get rid of some of these "tools", including spyware and the like.

Get it here :
[subsevenprotection.hypermart.net...]

Serial :
WebmasterWorld
531A-E20D-146B-89A8

Take it as a present, I own it :)

Thierry

Jonathan

11:40 pm on Mar 16, 2002 (gmt 0)




There is a tiny program called CoolKill. It shows you every single program running on your computer, and where the process is running from. This allows you to 'kill' anything running on your computer, much better than Ctrl+Alt+Del.

tedster

3:34 am on Mar 19, 2002 (gmt 0)




Thanks to all for the support.

I still don't have it fixed, but I do have it boxed in and relatively non-problematic. The only ongoing difficulty is that whenever I use dial-up networking, the folder for my C drive opens automatically on the desktop.

It's like my own system is serving me a pop-up window!

msgraph

3:48 am on Mar 19, 2002 (gmt 0)




There are a couple of tools offered by Agnitum that you might want to try, Ted.

One of them lets you know almost everything that is running on your computer and who you are connected to on what ports as well.

Another package is a heavy trojan detection tool.

tedster

9:04 am on Apr 26, 2002 (gmt 0)




Well, thanks to all your help, I'm pretty sure I have cleaned out the entire thing.

I still see my firewall blocking daily inbound attempts from its Mom to make contact. But that's no biggie - just one swat and it goes away.

I'm chilled out about it now, unless I find the scripter that's responsible. I think I would go ballistic if I was ever face to face with someone like that. At the very least, they owe me two days' pay!

Thanks everyone.

irish

11:41 pm on May 10, 2002 (gmt 0)



Dude, your ghost is probably hiding under the name "RDm7.Dll", as most trojans there are dll.32 files, which is a DLL undetectable to virus scan, which we all know is a harmless Win32 file..... Also look for the folder "SMP"; most likely check your Windows system folder and/or C: drive and your C:\Windows folder for "RDm7.DLL". Now don't mistake the real Windows DLL files for the trojan: the trojan version will be close to 140 to 160 bytes, and look at the date; your real Windows version will have a much older date... Hope I helped. E-mail me at LirishL@hotmail.com. I used to play with those undetectable trojans with friends way back... If in fact you're infected you need to reformat; if you can't find it, it will allow the user to enter any program into your system easily.. Good luck bro!