CAUTION: Follow these instructions only if the instructions in the previous sections did not remove the Trojan.
To remove this Trojan, you need to do the following:
1. Restart the computer in Safe mode.
2. Remove the following registry key that was placed there by the Trojan:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Traylcon
3. Restart in MS-DOS mode, and then delete the \Windows\Systemtrayicon.exe file.
4. Restart Windows, and then rename the Watching.dll file.
'
The details for each of these steps follows:
Restart the computer in Safe mode
Before you edit the registry, you need to restart Windows in Safe mode. This can take several minutes.
NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.
Questions n Answers about subseven
How does the Trojan get on the computer?
SubSeven is usually sent as a program that you think you want. It almost always has an .exe extension, and it will often be disguised as an installation program, such as Setup.exe. When this program runs, it will usually just return a "Failed" error message, but it can sometimes do something, such as play a game or appear to install the software. We strongly recommend that you only install programs received from trusted sources.
How does someone else know that this is on the computer?
Backdoor.SubSeven can be configured to email your IP address, and the port on which the server is running, to the person who sent it to you. It can also send out an alert through some messaging programs.
What are some of the symptoms of a computer that is infected with the Backdoor.SubSeven Trojan?
Any of the following symptoms will occur only while connected to the Internet:
· CD-ROM drive opens at random times
· Wave (.wav) files play for no reason
· Strange dialog boxes appear
· Internet downloads are very slow
· Files appear or disappear
Showing posts with label backdoor subseven. Show all posts
Showing posts with label backdoor subseven. Show all posts
Monday, January 18, 2010
Backdoor Trojan Horse -Removal instructions:
To remove Backdoor.Subseven you need to do the following:
· Run Update to make sure that you have the most recent definitions.
· Run a full system scan, making sure that antivirus software is set to scan all files.
· Make a copy of the Regedit.exe file with the .com extension (if necessary).
· Remove the references added to the Win.ini and System.ini files.
· Remove the references added to the Windows registry.
For detailed instructions, see the sections that follow.
NOTES:
· This is a random-name file creator. We will use the example Eutccec.exe in this document. Please substitute the randomly named file that you find on the system.
To run Update and then scan with AV software
Run Update, and then run a full system scan. Make sure that Antivirus is set to scan all files.
NOTE: If you cannot do this because you cannot run program files, go first to the section titled To copy Regedit.exe to Regedit.com; otherwise, skip to the section titled To edit the registry.
To copy Regedit.exe to Regedit.com:
If you cannot run program files, then you must copy Regedit.exe to Regedit.com; otherwise, skip to the next section.
1. Do one of the following, depending on which operating system you are running:
o Windows NT/2000/XP
1. Click Start, and click Run.
2. Click Browse, and then browse to the \Winnt\system32 folder.
3. Double-click the Command.com file, and then click OK.
1. Type copy regedit.exe regedit.com and then press Enter.
2. Type start regedit.com and then press Enter.
3. Proceed to To edit the registry.
NOTES:
· The Registry Editor will open in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, then close the DOS window, as well.
· After BackDoor.Subseven has been successfully removed, then you may delete the Regedit.com file.
To edit the registry
CAUTION: It is strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document.
1. Start the Registry Editor if necessary:
o If you performed the procedures in the previous section, then the Registry Editor is already open. Skip to step 4.
o If it was not necessary to perform the procedures in the previous section, then proceed to step 2.
2. Click Start, and click Run. The Run dialog box appears.
3. Type regedit and then click OK. The Registry Editor opens.
4. Navigate to and open the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
CAUTION: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey as shown in the following figure.
5. Double-click the (Default) value in the right pane.
6. Delete the current value data, and then type: "%1" %* (quote-percent-one-quote-space-percent-asterisk.)
NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
Make sure that you completely delete all value data in the command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run program files will result in the error message "Windows cannot find .exe." If this happens to you, then start over at the beginning of this document, making sure to completely remove the current value data.
7. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. In the right pane, look under the Name column, and delete any of the following values if you see them:
WINLOADER, Win32nt, Win32.Bin, WinCrypt, WinProtect, Win, xTnow, Ayespie,
PowerSaveMonitor, rundll32
NOTE:Other values may appear, which are not on this list. Deleting values from this location does not prevent the programs from running; it only prevents them from starting automatically when Windows starts.
9. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
10. In the right pane, look under the Name column, and delete any of the following values if you see them:
WINLOADER
Win32nt
Win32.Bin
WinProtect
Win
xTnow
Ayespie
PowerSaveMonitor
rundll32
NOTE: Other values may appear, which are not on this list. Deleting values from this location does not prevent the programs from running; it only prevents them from starting automatically when Windows starts.
11. Exit the Registry Editor.
Edit Windows startup files
1. Click Start, and click Run.
2. Type the following command, and then press Enter to open the System Configuration Editor.
sysedit
NOTE: If you see the message "Windows cannot find .exe", then repeat steps 1 through 6 in the previous section, and make sure that you typed the text exactly as shown. If you do not see an error message, then proceed to the next step.
3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.
CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan adds lines such as load=c:\windows\temp\pkg2350.exe or run=hpfschedmsrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan). It may also modify the shell= statement, for example, to shell=explorer.exe pwrsvm.exe
If you are sure that the text contained in these lines are for programs that you normally use, then we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, then you can prevent the lines from loading by placing a semicolon in the first character position of the line. For example:
; run=accounts.exe
4. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
5. Position the cursor immediately to the right of the equal (=) sign.
6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
7. Repeat steps 4 to 6 for the run= line, which is usually beneath the load= line.
8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
9. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.
10. Position the cursor immediately to the right of explorer.exe.
11. Press Shift+End to select all of the text to the right of explorer.exe and then press Delete.
12. Close the System.ini window, and click Yes when you are prompted whether to save the changes.
NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case, and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
13. Exit the System Configuration Editor.
14. Click Start, point to Settings, and click Control Panel.
15. Double-click the Display icon.
16. Click the Screen Saver tab, and then change the currently selected screen saver. If it is set to (None), then select any of the available screen savers. The important thing is that you make a change to the current setting.
17. Click OK, and then close the Control Panel.
This completes the removal part of the process. Even if you did so previously, start antivirus and run a full system scan. Delete any files found to be infected with Backdoor.Subseven. When finished, restart the computer.
· Run Update to make sure that you have the most recent definitions.
· Run a full system scan, making sure that antivirus software is set to scan all files.
· Make a copy of the Regedit.exe file with the .com extension (if necessary).
· Remove the references added to the Win.ini and System.ini files.
· Remove the references added to the Windows registry.
For detailed instructions, see the sections that follow.
NOTES:
· This is a random-name file creator. We will use the example Eutccec.exe in this document. Please substitute the randomly named file that you find on the system.
To run Update and then scan with AV software
Run Update, and then run a full system scan. Make sure that Antivirus is set to scan all files.
NOTE: If you cannot do this because you cannot run program files, go first to the section titled To copy Regedit.exe to Regedit.com; otherwise, skip to the section titled To edit the registry.
To copy Regedit.exe to Regedit.com:
If you cannot run program files, then you must copy Regedit.exe to Regedit.com; otherwise, skip to the next section.
1. Do one of the following, depending on which operating system you are running:
o Windows NT/2000/XP
1. Click Start, and click Run.
2. Click Browse, and then browse to the \Winnt\system32 folder.
3. Double-click the Command.com file, and then click OK.
1. Type copy regedit.exe regedit.com and then press Enter.
2. Type start regedit.com and then press Enter.
3. Proceed to To edit the registry.
NOTES:
· The Registry Editor will open in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, then close the DOS window, as well.
· After BackDoor.Subseven has been successfully removed, then you may delete the Regedit.com file.
To edit the registry
CAUTION: It is strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document.
1. Start the Registry Editor if necessary:
o If you performed the procedures in the previous section, then the Registry Editor is already open. Skip to step 4.
o If it was not necessary to perform the procedures in the previous section, then proceed to step 2.
2. Click Start, and click Run. The Run dialog box appears.
3. Type regedit and then click OK. The Registry Editor opens.
4. Navigate to and open the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
CAUTION: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey as shown in the following figure.
5. Double-click the (Default) value in the right pane.
6. Delete the current value data, and then type: "%1" %* (quote-percent-one-quote-space-percent-asterisk.)
NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
Make sure that you completely delete all value data in the command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run program files will result in the error message "Windows cannot find .exe." If this happens to you, then start over at the beginning of this document, making sure to completely remove the current value data.
7. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. In the right pane, look under the Name column, and delete any of the following values if you see them:
WINLOADER, Win32nt, Win32.Bin, WinCrypt, WinProtect, Win, xTnow, Ayespie,
PowerSaveMonitor, rundll32
NOTE:Other values may appear, which are not on this list. Deleting values from this location does not prevent the programs from running; it only prevents them from starting automatically when Windows starts.
9. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
10. In the right pane, look under the Name column, and delete any of the following values if you see them:
WINLOADER
Win32nt
Win32.Bin
WinProtect
Win
xTnow
Ayespie
PowerSaveMonitor
rundll32
NOTE: Other values may appear, which are not on this list. Deleting values from this location does not prevent the programs from running; it only prevents them from starting automatically when Windows starts.
11. Exit the Registry Editor.
Edit Windows startup files
1. Click Start, and click Run.
2. Type the following command, and then press Enter to open the System Configuration Editor.
sysedit
NOTE: If you see the message "Windows cannot find .exe", then repeat steps 1 through 6 in the previous section, and make sure that you typed the text exactly as shown. If you do not see an error message, then proceed to the next step.
3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.
CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan adds lines such as load=c:\windows\temp\pkg2350.exe or run=hpfsched
If you are sure that the text contained in these lines are for programs that you normally use, then we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, then you can prevent the lines from loading by placing a semicolon in the first character position of the line. For example:
; run=accounts.exe
4. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
5. Position the cursor immediately to the right of the equal (=) sign.
6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
7. Repeat steps 4 to 6 for the run= line, which is usually beneath the load= line.
8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
9. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.
10. Position the cursor immediately to the right of explorer.exe.
11. Press Shift+End to select all of the text to the right of explorer.exe and then press Delete.
12. Close the System.ini window, and click Yes when you are prompted whether to save the changes.
NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case, and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
13. Exit the System Configuration Editor.
14. Click Start, point to Settings, and click Control Panel.
15. Double-click the Display icon.
16. Click the Screen Saver tab, and then change the currently selected screen saver. If it is set to (None), then select any of the available screen savers. The important thing is that you make a change to the current setting.
17. Click OK, and then close the Control Panel.
This completes the removal part of the process. Even if you did so previously, start antivirus and run a full system scan. Delete any files found to be infected with Backdoor.Subseven. When finished, restart the computer.
Backdoor Trojan Horse - overview
Backdoor.SubSeven is a Trojan horse, similar to Netbus or Back Orifice. It enables unauthorized people to access your computer over the Internet without your knowledge. When the server portion of the program is running on a computer, it is possible for the person who is accessing the computer remotely to do the following:
· Set it up as an FTP server
· Browse files on that system
· Take screen shots
· Capture real-time screen information
· Open and close programs
· Edit information in currently running programs
· Show pop-up messages and dialog boxes
· Hang up a dial-up connection
· Restart a computer remotely
· Open the CD-ROM
· Edit registry information
When it is run, BackDoor.Subseven makes the following changes to the system:
· Drops (adds) a copy of itself and a randomly named executable file, such as Eutccec.exe, to the \Windows or \Windows\System folder.
· Adds the dropped file to the load= and run= lines of the Win.ini file.
· Adds the dropped file name to the shell=explorer.exe line of the System.ini file.
· Creates the WinLoader value and sets it equal to the dropped file name in the following registry keys.
· Modifies the (Default) value from "%1" %* to, for example, eutccec.exe "%1" %* in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Classes\
exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
· Set it up as an FTP server
· Browse files on that system
· Take screen shots
· Capture real-time screen information
· Open and close programs
· Edit information in currently running programs
· Show pop-up messages and dialog boxes
· Hang up a dial-up connection
· Restart a computer remotely
· Open the CD-ROM
· Edit registry information
When it is run, BackDoor.Subseven makes the following changes to the system:
· Drops (adds) a copy of itself and a randomly named executable file, such as Eutccec.exe, to the \Windows or \Windows\System folder.
· Adds the dropped file to the load= and run= lines of the Win.ini file.
· Adds the dropped file name to the shell=explorer.exe line of the System.ini file.
· Creates the WinLoader value and sets it equal to the dropped file name in the following registry keys.
· Modifies the (Default) value from "%1" %* to, for example, eutccec.exe "%1" %* in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Classes\
exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Subscribe to:
Posts (Atom)
