Sub7 is a full-featured, well-organized computer program that divulges all kinds of information about you and your computer to IRC channels. Purportedly written by someone who goes by the name Mobman, Sub7 has been cropping up all over the Internet for months. It is well documented, supported by an online website, and becoming increasingly popular. On Thursday, June 2, Sub7 version 2.1 BONUS was released.
Sub7 can alter your registry settings, hijack your mouse, obtain your passwords, obtain personal information, and perform numerous other cyber-invasions. The infector who launches Sub7 can choose which IRC chat room to broadcast your system and personal information on. Depending on which features the infector invoked when launching Sub7, the broadcast information can look something like the following logfile:
[17:10] *** Joins: cwc
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 195.252.137.208 - victim: pechfregel - password: rustE
[17:10] *** Quits: dt018 (Leaving)
[17:10] *** Joins: kwxqry
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 213.6.181.193 - victim: pechfregel - password: rustE
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 62.157.13.4 - victim: pechfregel - password: rustE
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 192.168.10.52 - victim: pechfregel - password: rustE
[17:10] *** Joins: xakjbl
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 62.224.173.111 - victim: pechfregel - password: rustE
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 195.71.25.254 - victim: pechfregel - password: rustE
[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 195.131.87.73 - victim: pechfregel - password: rustE
[17:11] Sub7Server v.2.1 installed on port: 27374, ip: 62.224.200.40 - victim: pechfregel - password: rustE
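A defender reviewing IRC logs or channel captures can pick these notification lines out automatically. The following parser is an added example written for this page, not code from the original article or from Sub7 itself; it matches the exact "Sub7Server ... installed" line format shown above, discards the password field, and flags RFC 1918 addresses (such as the 192.168.10.52 entry above), since a victim reporting a private address sits behind NAT and the reported address says nothing about where it is on the Internet. The sample log lines are constructed to mirror the logfile above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the "Sub7Server ... installed" line as shown in the logfile
# above; the "[hh:mm]" IRC client timestamp is optional so a bare message matches.
NOTIFY_RE = re.compile(
    r"^(?:\[(?P<time>\d{1,2}:\d{2})\]\s*)?"
    r"Sub7Server\s+v\.(?P<version>[\w.]+)\s+installed\s+on\s+port:\s*"
    r"(?P<port>\d{1,5}),\s*ip:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*"
    r"victim:\s*(?P<victim>\S+)\s*-\s*password:\s*\S+\s*$"
)
DEFAULT_PORT = 27374  # port reported in every notification in the logfile above

@dataclass
class Notification:
    time: Optional[str]
    version: str
    port: int
    ip: str
    victim: str
    private_ip: bool  # RFC 1918 address: the host sits behind NAT, reported address is not reachable

def parse_line(line: str) -> Optional[Notification]:
    """Return a Notification for a Sub7 beacon line, None for any other IRC line."""
    m = NOTIFY_RE.match(line.strip())
    if m is None:
        return None
    ip = m.group("ip")  # the password field is matched but deliberately not retained
    return Notification(m.group("time"), m.group("version"), int(m.group("port")),
                        ip, m.group("victim"), ipaddress.ip_address(ip).is_private)

def scan_log(lines: Iterable[str]) -> List[Notification]:
    """Pick the Sub7 notifications out of an IRC log; joins, quits and chat are ignored."""
    return [n for n in map(parse_line, lines) if n is not None]

# Constructed sample modelled on the logfile above (not a real capture).
SAMPLE_LOG = [
    "[17:10] *** Joins: cwc",
    "[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 195.252.137.208 - victim: pechfregel - password: rustE",
    "[17:10] *** Quits: dt018 (Leaving)",
    "[17:10] Sub7Server v.2.1 installed on port: 27374, ip: 192.168.10.52 - victim: pechfregel - password: rustE",
    "[17:11] <someone> hello",
]

if __name__ == "__main__":
    for n in scan_log(SAMPLE_LOG):
        print(n)
```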
A variant of Sub7 is known as "Backdoor G."
Market Impact
We expect Sub7 to continue to do extensive cyberdamage to large enterprises, and to become more ubiquitous in the future. There is no sign that this virus is under control. It is just a matter of time before it escalates into a more serious and global problem.
Sub7 was not written by a so-called "script kiddie." It is a sophisticated software program with a well-thought-out user interface that understands how to do low-level TCP/IP scans and connections. Sub7 is designed to notify the perpetrator through either ICQ or IRC channels that the victim is online.
User Recommendations
What can users and organizations do to protect themselves from Sub7? Some of the leading anti-virus products do not protect against Sub7. However, the anti-virus vendor that is furthest ahead of the Sub7 problem is F-Secure. F-Secure's FSAV anti-virus product cleanly disinfects your system of Sub7 infector files. F-Secure, based in Finland, is one of the leading anti-virus vendors, and their site describes the problems associated with Sub7 more clearly than any other anti-virus vendor.
Second to F-Secure are Trend Micro and Sophos. Trend's and Sophos' anti-virus products will also rid your system of the invasive files. Both vendors have a description of this process on their website, though it is not quite as extensive as the description on the F-Secure site. At this time, Symantec's site doesn't offer any information on Sub7.
Trend Micro: http://www.antivirus.com/vinfo/security/sa052799.htm
F-Secure: http://www.europe.f-secure.com/v-descs/subseven.htm
Sophos: http://www.sophos.com/virusinfo/analyses/trojsubseven.html