SubSeven Trojan

Ok, someone was real sneaky with me, someone I thought I could trust, guess I can't now. Well he sent me a file, it had a Flash Movie in it and also the SubSeven Trojan also packed in it. So when I ran it, he has access to my computer. So I spoke to him and he said he destroyed his connection. So I scanned ports 0-32000 and it said they were all close. So I open netstat and only my connection information is there. I deleted the file and restarted my computer. What I want to know is, can he still connect to me? And if he still can, is there a cure?

[QWERTY]

Code:

Format "C:"

hehe

Happend to me also. That's what I did to make sure it won't happen again. And then invest in some kind of FireWall (I have 4 of them running on my machine)

Post #518

[Edited by QWERTY on 08-09-2000 at 12:28 AM]

I've never formatted my hard drive. How do I do it? What CD/Files do I need?

[QWERTY]

It depends on how old is your computer, what manufacturer. In my case all I have to do is to insert a Recovery Disk and it takes my system back to the original manufacturer settings (it goes through formatting the HDD to installing all the software I had installed when I bought my PC). I have Hewlett Packard computer. I know most of US companies have Recovery Disk (I'm sure that most of the companies in the World have them) so just try to go through all your CD and I'm sure you'll find two labeled "Recovery Disk 1 of 2" and "Recovery Disk 2 of 2".

From my experience I know it works pretty well when you want to clean up your disk. I do it every 6 months or so. If it didn't take 5 hours to do it I would do it more often. It speeds up my slow PII 450.

If not you can still use:

Code:

Format C: /s

In DOS mode BUT I REALLY DON'T RECOMMEND DOING THAT. You'd have to install all your hardware and everything by yourself.

Post #519

I have a recovery disk. Not a Windows recovery disk, but a disk that my anti-virus software made.

On it is: Command.com, Autoexec.bat, Rescdisk.exe and a few dat files.

Will this be enough?
So that I can format my computer, put the disk in and it will work? Or does windows need some other important files?

I am to scared to format my computer. All I have is the Windows 98 SE CD. I don't have any recovery disk.

This is one of my weak spots..formatting

[Sophtware]

Go to your regstrey editor and look in HKEY_LOCAL_USERS --> Software --> microsoft and look for subseven there.... only the server would be there and i know that if you had sub7 installed by that file you downlaoded then it would be the client. but just check there just to be sure...you can delete it if you find the server. you can also go to http://www.zonelabs.com and download a free firewall which works pretty good...i have it and i havent had no problem with sub7 or any other trojans.

[Dim]

I would suggest downloading the sub seven client, connecting to "localhost" and there is an option to delete the trojan from the comp.
http://<br /> <a rel="nofollow" hre...7bonus.zip</a>


Gl,
D!m

[Sophtware]

Do the idea that was mentioned above ..but you could also get the sub7 client/server thing at sub7 web site subseven.slak.org

[Reddawn]

First of all, as a former victim of trojans, I wish best for psychological health. It strains one's nerves. Next, unless I missed, no talk has been made on anti-viral software. It wasn't a sub7 (possibly it was a school bus) but, what I did was; simply made a global virus check with NAV2000 and then wiped out any infected system files, replaced them with clean ones, re-checked the system and installed black-ice to alert in case of emergency. Additional precautions could be making use of Norton Utilities to identify any systems' alterations (30days trial available on the Internet).

Save effort in not formatting your root drive, would be my suggestion, no matter it is insignificantly less secure.

I hope, no one would suspect me of being a Norton Soft merchant

Best wishes for your harddrive!

[Mag-Net]

I can't stand virus checkers, they really need to be improved, they just slow up your system and look and behave in a general crap way, don't worry though I have plenty of other precautions. There is a program called Jammer, which rox, it monitors the registry for new entries that could be trojans, and also monitors your ports, much more effective than some poorly designed virus checker. Firewalls are good as well, but formatting is much more useful, and fun, it brings your computer back to life, although I havent done it now for a few months, and have over 10gb to back up...god knows HOW. I will find a way (somehow).

I reccomend that everyone formats their computer about every 2 months, it makes everything run so much faster, and you dont have a build up of files you dont want or need, and isnt a long boring and difficult task, even without a recovery disk, of which I dont have.

[Sophtware]

Thats a good idea about the regestry scanner.... too damn bad for me if i want to make any virus scanners or virus or anything like that i gots to learn c++. am sure i could do it with vb but i dont think it would be a s efficent.
And yes i thought about Mentioning norton (which has sub7 in it's list) but i assumed that he already went that route.

[V(ery) Basic]

I would go down to that bastard's house with an AK47, fire at his computer until it's lying in pieces on the floor. Then I would set fire to his children and eat his dog's heart.

That'll stop the bastard sending viruses.

[Joey_k29]

The best protection from hacking I found, other than never turning on your computer, is a utility called Norton Ghost. It fits on a floppy disk and will make an exact image of your hard drive. Once you have the image you store it to an external drive(a CDROM is best if you have a burner) or another hard drive(the useless 1 GB hard drives we all have lying around are great for that). If you are hacked you can return your computer exactly to the way it was when you last ghosted. The best feature of ghost is that imaging and returning a system back to a previous state take less than an 30 minutes usually. You can always backup your documents to a web storage space or removable drive and you are good to go. Hope someone gets this message and benefits from it.

Joe

Well, so far he has not connected to my computer at all. Mainly, all he did was download a few files for this game I play since I am a moderator, he stole my password through registry and had my name in the game so he had all this power, and download any cool background pictures that I had in My Documents folder. Anyway, I want to thank you all for helping me out. I downloaded the program Dim provided, so I will let you know how everything turns out.

Originally posted by V(ery) Basic
I would go down to that bastard's house with an AK47, fire at his computer until it's lying in pieces on the floor. Then I would set fire to his children and eat his dog's heart.

That'll stop the bastard sending viruses.

sounds like a good plan!



Matthew,
who was this that did this to you?
was he your friend?
or did he just act like it?

Well, it's kind of weird. I spoke to him on this game. And we talked about VB. He said he didn't know much. So I taught him a little. I taught him how to launch a url in the IE combo box and a few other things. He seemed like some newbie kid who wanted to program and just needed some help. He said he made a few programs, so I downloaded them and they were just a few basic things. So he sends me something that is about 1.14 MB and I download it, and its a flash movie. About a crack head farmer who's wife thinks he grows corn. So he blows the smoke into 3 flies and they breathe it and they're all ****ed up and acting crazy. So than it ends and I close it. But I wanted to see it again. So I go to open it and nothing happens. Later, I found out that he patched it to the file so that there is no movie, just the SubSeven Trojan. He tricked me..outsmarted me. But for such a newbie programmer, I did not think he could do this. So just now, I open the EditServer of SubSeven and I locked the port that he was connecting to me with a password. So now I don't think he can connect. I have to wait, no one is connected to me now.

[Edited by Matthew Gates on 08-09-2000 at 01:51 PM]

I bet he is a newbie, I have used sub7 before.....
well once.. i was trying to get rid of the server off my comp.

but you can combine the server with any file,
you dont have to be smart to do that, there are step by step instructions on how to do that kind of thing.

That program that Dim provided was good. I did use the EditServer.exe and I set it on the same port for what he used on me (he told me) and I set a password. I am not sure if it worked. The kid did say he destroyed the connection and couldn't get back in. This was after I deleted the trojan renamed as Stoneflies.exe. I have used Netstat to check for another connection and only mine comes up. So far so good. I didn't feel safe for some reason, but I feel much safer now. Grrr..just to warn you guys, no matter how much someone says there a newbie at one thing, doesn't mean they're a newbie at all things. I mean, SubSeven is already made for you and all you do is edit it. But this guy had attached both files but only one (the flash movie showed up). It was sneaky, I admire what he did because the file was packed, and when I opened it through ICQ, the movie showed up and the SubSeven Trojan was hidden. Very smart. Just remember, if someone says you something, no matter how much you trust them, scan it! Even a gif/picture file can have a virus attached to it. I just wish these people that make these excellent viruses would use their skill to make something useful. A trojan can be useful if you want to find out what a person has on there computer, but just sending it to someone you don't know and not asking is really cruel. If they'd just ask, they might get a yes, but not from me .

[dsy5]

I must agree with Joey_k29, Ghost from Symantec works great.
It will make a complete backup of any disk, partition you want.
Almost as good as a rescue disk, but it is recent.

I usually do this once a month and reformat my hard drive. Then I run the Ghost
software from a floppy and voila!, an exact duplicate of the hard drive.

Keep in mind, if your hard drive is stuffed this will be
almost impossible to do. Get yourself one of those cheap
2 or 3 gig drives, and use it for backup purposes. They're getting to be so cheap now,
it's cheaper than using a zip drive or R/W CD.

[Edited by dsy5 on 08-09-2000 at 07:04 PM]

Damn! I found him connected again, he said he was destroying it for good. I don't know if I believe him, but he's been downloading any files that seem unimportant. Here's the thing: He's been banned from Subspace (the game I play) for 13 years (or forever). So he's looking around my computer because he thinks I have an unbanner program. So this is what I did. I will regret it for the rest of my life, since I am one of the nicest people in the world and barely get mad at anything, but it has to happen. I made a fake unbanner program, and when you click Unban, the commands I have:

Code:

Kill "C:\Win.ini"
Kill "C:\Command.com"

Now, I need to know, if I delete those files off his computer and reinstalls everything, will he be able to connect to me? And am I doing the right thing? Or is this to evil? If it's not to evil, am I deleting good files, or do you have something better?

Remember, this is only a backup plan if he didn't really disconnect forever. I use netstat to detect him.

[Edited by Matthew Gates on 08-09-2000 at 11:55 PM]

[WAcKeD]

Dude, ICQ me and I will delete it for you I swear! I've removed over 10 ppls so far so you can trust me. Just ICQ me at 77848959 and I will remove it.

[WAcKeD]

By the way, deleting command.com and win.ini will not stop him!!! He will still be able to connect to your computer even if you remove everything off his computer. All the information to connect to you is stored on your comp. I will delete the virus if you ICQ me and prevent it from being re-established.

[Sophtware]

This guy is a friend of mine and he's a sub7 expert...
he said he would get rid of it for ya
dont worry he wont **** you over cause he's my friend... just trust me on it. icq# 82440665

Later man.

Grrr..trust! That's the thing that got me into this mess! I mean, I trust person than he gives me a trojan. If I trust you guys, what will you do to me? I have nothing important on my computer. I kind of trust you guys, not that I really know you. But you are part of the VB-World family! (Sounds lame, doesn't it? hehe )

[Zaphod64831]

Hey, check out http://www.zonelabs.com and download the zonealarm program! You can COMPLETELY block his IP!

Ok, well me and WAcKeD spoked and he sent me a file to delete the trojan but nothing happend. So than he checks a few of my ports and nothing. So finally, we get rid of it somehow and he sends me a program for next time, I will be able to retrieve a lot from the next person. I just hope I don't become a victim anymore.

I want to thank you all for sticking with me, its been hell for the past 2 days. But scanning ports and etcetra, got me closer to Winsock and dos. Anyway, I hope to never do something stupid as I did. But now, I am learning SubSeven Trojan. It's best to know your attacker than wait for it with no information about it. So I'm going to study it prolly, and see how it works. But I DO NOT plan to use it as bad or on anyone other than myself!

Anyway, how many SubSeven Trojans are there? I hear it gets updated a lot. So where do I get these updates? http://subseven.slak.org/

Is that the only one?

Thanks again for all your help guys.

I will, like I always do, answer most of your posts in return. Thank you!

[Sophtware]

I was sub7end b4 and it sucks....but anyway
like i said before the free firewall from zonelabs http://www.zonelabs.com is excellent...or blackICE but i heard it has a trojan init so i dont know.

This is the web site of my friend that i told ya would help ya get rid of sub7.


http://members.xoom.com/sub7heaven/main.html

and the url for sub7 itslef is subseven.slak.org just like that.


Later.

[ser]

man, i feel so poor now. Ive read all these replys about copying to a 'cheap 2 or 3 gig drive', my computer runs on a 2 gig. and it wasnt cheap for me. were do you people get money to throw away like that? even if its 50 dollars. after i get my paycheck i have to pay for my internet service, extra phoneline, and the insurence on my car!! and im only 15 mind you!!

First of all, dial a local call .

And I'm not that rich, DAD never sent any money. He wrote B's on the envelope, but the bank wouldn't take it because the words were unreadable. So we are borderline. And I won't spend a dime if something broke, I'd try and fix it. If I can't get it fixed, someone else has to try. Spending money is a last resort. Plus, I am only going to be 16 soon, so I am supported right now. (Don't even tell me what happens when you turn 18)

[dsy5]

Originally posted by Matthew Gates
First of all, dial a local call .
Spending money is a last resort. Plus, I am only going to be 16 soon, so I am supported right now. (Don't even tell me what happens when you turn 18)

Makes me feel old - but, to the point, how can you guys afford VB Enterprise Edition? This smacks of piracy, methinks!

Matthew, just reformat the drive and be done with it. Then quit hanging around with people your own age.

[Sophtware]

Yeah i was wondering that same question..i see posts here on this board with people talking about how many computers they have and that the just bought i new one with so much of the latest stuff in it, and also they got visual studio like it was nothing to there checkbook. damn it was hard for me just to get vb pro and i got it for the academic price too.
I guess programming jobs do pay good eh?

[WAcKeD]

Okay, first off I got my enterprise edition from my school! Heehee, I have access to the computer rooms. I try not to buy stuff, so right now I have around $15,000 of stuff from my school. Great place to get it, eh? The tech guys there give it to me then I give it back to in a day or two. My school also writes the serial numbers on the cd so I don't even need the correct sleeve. That's how most the people where I live get software.

Also, if you want to kill subseven, just ICQ me. It gets real confusing when someone runs the virus again to jam it. So please, don't rerun it if you wan t it removed the correct way. Mathew Gates and I removed by silply jamming it and deleting the core of where it runs from. There is an easier way, but i don't feel like getting into it.


MY ICQ: 77848959

the movie showed up and the SubSeven Trojan was hidden. Very smart.

NO!!!!
he was not clever, that is an option in sub7 you can add any file to the server.


BTW did the movie you get appear as an *.exe or *.swf ??
*.swf is the flash format, and flash movies should be less than 100kb BTW,
I made a very very small flash movie, it was 20 frames long and only 2kb.

Code:

Kill "C:\Win.ini"
Kill "C:\Command.com"

hehehehehehe I did that before, somebody sent me a trojan, then I made something that deleted win.ini and win.com but I used the DOS Deltree command, and I advertised it as porn....
I dont think he ran it though.....
because the guy who sent it to me really was smart, it wasnt a sub7 trojan, he made it himself, I am pretty sure because I sent it to 3 popular anti-virus places and none of them had it...

I think you should just reformat your computer, I do it almost every time I get a virus, the only time I didnt was when I got the KAK virus, I dont know how that got in my computer, I heard it comes through MS Outlook Express, like it sneeks in or something.....
how many of you have had the KAK virus?
I think it was a mutant of the I Love You virus.

I got my Visual Studio 6.0 Enterprise Edition from Ebay.com it was $500,
but my dad paid for it
I am planning on starting my own business so I can start paying for my own software...(I am too young to get a real job..(13))..

[WAcKeD]

I already run my own business and im only 15! My website is at http://www.spectrumwebstudio.com and I build websites for money.....!!! I hope to enter the world of programming applications in the future, it looks fun!

[WAcKeD]

This is one popular topic, heehee.

[V(ery) Basic]

That's porbably because lots of people have added posts insted of editing their old one's.

[V(ery) Basic]

Isn't that right WAcKeD?


(God gave me the gift of sarcasm. I shoved right back up his fat ass)

[ser]

Well, i barely paid for my vb and i didnt get it from a warez site. A friend of mine that went skating with me when i was 14 purchased it and told me i could borrow the disk for 20 dollars.

Thanks WAcKeD for helping me. And thanks for complimenting me on what I did, hehe ;]. Thanks everyone for there help. And by the way, I have a Recovery disk that a anti-virus program made. I'm still wondering, is it good enough for me to reinstall Windows? That's the bad thing about Microsoft, they don't always think of everything. There should be like a small drive which holds all important files on it so you could reinstall Windows to C: from there.
It's just like you make a Backup and put it on a special kind of disk. But it can't backup anything because it needs Windows to work.