SubSeven backdoor for Windows
backdoor-subseven (2245)
Description:
SubSeven is a powerful backdoor that is widely used against Windows systems. With recent versions, a remote attacker can do anything on a victim's computer that a local user could do. With the SubSeven backdoor, an attacker can do the following:
- shut down or restart your computer
- retrieve saved and cached passwords
- modify your system registry
- upload, download, and delete files from your system
- intercept keyboard activity or take over the keyboard
- view your current screen or webcam output
- communicate to you or as you over various messaging systems
For these reasons, SubSeven should be immediately removed if discovered on your network.
Consequences:
Gain Access
Remedy:
The SubSeven backdoor can be very difficult to manually remove, because the executable is difficult to locate and identify on your system. Refer to the steps below for using an antivirus program to remove the backdoor.
To use an antivirus program to remove the SubSeven backdoor:
- If you do not have an antivirus program installed, download and install one of these virus scanners:
  - McAfee VirusScan: http://software.mcafee.com/centers/download/
  - Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/products/
- Run the antivirus program to scan your system for this backdoor. The virus scanner should find and remove the SubSeven backdoor from your computer.
References:
- F-Secure Virus Definitions: SubSeven.
- Internet Security Systems Security Alert #30: Windows Backdoor Update III.
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
- CVE-2000-0138: A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.
Platforms Affected:
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows XP
Reported:
May 15, 1999
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
