
Sub7 Tells Chat Rooms All Your Stuff; F-Secure Leads the Battle

Written By: Laura Taylor
Published On: June 29 2000

Event Summary

Sub7 is a full-featured, well-organized computer program that divulges all kinds of information about you, and your computer, to IRC channels. Purportedly written by someone who goes by the name Mobman, Sub7 has been cropping up all over the Internet for months. Sub7 is well documented, supported by an online website, and is becoming increasingly popular. On Thursday, June 2, Sub7 version 2.1 BONUS was released.

Sub7 can alter your registry settings, hijack your mouse, obtain your passwords, obtain personal information, and perform numerous other cyber-invasions. The infector who launches Sub7 can choose which IRC chat room to broadcast your system and personal information on. The broadcast information can look something like the logfile below, depending upon which features the infector invoked when launching Sub7:

[17:10] *** Joins: cwc
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _195.252.137.208_ - victim: _pechfregel_ - password: _rustE_
[17:10] *** Quits: dt018 (Leaving_)
[17:10] *** Joins: kwxqry
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _213.6.181.193_ - victim: _pechfregel_ - password: _rustE_
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _62.157.13.4_ - victim: _pechfregel_ - password: _rustE_
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _192.168.10.52_ - victim: _pechfregel_ - password: _rustE_
[17:10] *** Joins: xakjbl
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _62.224.173.111_ - victim: _pechfregel_ - password: _rustE_
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _195.71.25.254_ - victim: _pechfregel_ - password: _rustE_
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip: _195.131.87.73_ - victim: _pechfregel_ - password: _rustE_
[17:11] Sub7Server v._2.1_ installed on port: _27374_, ip: _62.224.200.40_ - victim: _pechfregel_ - password: _rustE_
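
The log above is exactly the kind of record an incident responder or IRC operator can mine to find which hosts on their own network are announcing a Sub7 infection. The following is an added example, not part of the original article or of any vendor's tooling: a small Python parser that reads an IRC log in the format shown, handles the case where a client wrapped the notice after "ip:" onto a second line (as the published excerpt does), and groups the announced hosts by listening port so they can be handed to whoever owns those addresses. The sample log embedded in it is constructed from the excerpt, and the notice format it expects is the one printed above, nothing more.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the IRC log excerpt in the article.
# Two notices are wrapped after "ip:" the way the published excerpt is;
# the last one is on a single line.
SAMPLE_LOG = """[17:10] *** Joins: cwc
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip:
_195.252.137.208_ - victim: _pechfregel_ - password: _rustE_
[17:10] *** Quits: dt018 (Leaving_)
[17:10] Sub7Server v._2.1_ installed on port: _27374_, ip:
_213.6.181.193_ - victim: _pechfregel_ - password: _rustE_
[17:11] Sub7Server v._2.1_ installed on port: _27374_, ip: _62.224.200.40_ - victim: _pechfregel_ - password: _rustE_
"""

# One Sub7Server announcement, in the layout shown in the article's log.
NOTICE_RE = re.compile(
    r"\[(?P<time>\d{2}:\d{2})\]\s+Sub7Server\s+v\._(?P<version>[^_]+)_"
    r"\s+installed on port:\s+_(?P<port>\d+)_,"
    r"\s+ip:\s*_(?P<ip>[\d.]+)_"
    r"\s+-\s+victim:\s+_(?P<victim>[^_]+)_"
    r"\s+-\s+password:\s+_(?P<password>[^_]*)_"
)


def unwrap(lines):
    """Re-join a notice that a client wrapped onto a second line after 'ip:'.

    Blank lines (an artefact of copying logs around) are skipped so they
    cannot split a wrapped notice from its continuation.
    """
    out = []
    pending = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            out.append(pending + " " + line)
            pending = None
        elif line.endswith("ip:"):
            pending = line
        else:
            out.append(line)
    if pending is not None:        # wrapped notice with no continuation
        out.append(pending)
    return out


def parse_notices(text):
    """Return one dict per Sub7Server notice found in an IRC log."""
    notices = []
    for line in unwrap(text.splitlines()):
        match = NOTICE_RE.search(line)
        if match:
            fields = match.groupdict()
            fields["port"] = int(fields["port"])
            notices.append(fields)
    return notices


def summarise(notices):
    """Group announced hosts by listening port: {port: sorted list of IPs}."""
    by_port = defaultdict(set)
    for notice in notices:
        by_port[notice["port"]].add(notice["ip"])
    return {port: sorted(ips) for port, ips in by_port.items()}


if __name__ == "__main__":
    found = parse_notices(SAMPLE_LOG)
    for n in found:
        print(f"{n['time']} host {n['ip']}:{n['port']} "
              f"victim={n['victim']} (Sub7Server {n['version']})")
    print(summarise(found))
```

Run against a saved channel log, the output is a per-port list of hosts that should be pulled from the network and cleaned with one of the products named below; the announced password is parsed but deliberately not printed, since the analyst's job is to identify the infected hosts, not to use the backdoor.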

A variant of Sub7 is known as "Backdoor G."

Market Impact

We expect Sub7 to continue to do extensive cyberdamage to large enterprises, and to become more ubiquitous in the future. There is no sign that this virus is under control. It is just a matter of time before it escalates into a more serious and global problem.

Sub7 was not written by a so-called "script kiddie." It is a sophisticated software program with a well-thought-out user interface that understands how to do low-level TCP/IP scans and connections. Sub7 is designed to notify the perpetrator through either ICQ or IRC channels that the victim is online.

User Recommendations

What can users and organizations do to protect themselves from Sub7? Some of the leading anti-virus products do not protect against Sub7. However, the anti-virus vendor that is furthest ahead of the Sub7 problem is F-Secure. F-Secure's FSAV anti-virus product cleanly disinfects your system of Sub7 infector files. F-Secure, based in Finland, is one of the leading anti-virus vendors, and its site describes the problems associated with Sub7 more clearly than any other anti-virus vendor's.

Second to F-Secure are Trend Micro and Sophos. Trend's and Sophos' anti-virus products will also rid your system of the invasive files. Both vendors describe this process on their websites, though not quite as extensively as the F-Secure site does. At this time, Symantec's site doesn't offer any information on Sub7.

Trend Micro
http://www.antivirus.com/vinfo/security/sa052799.htm

F-Secure
http://www.europe.f-secure.com/v-descs/subseven.htm

Sophos
http://www.sophos.com/virusinfo/analyses/trojsubseven.html
