   Author  Topic: is this a trojan?  (Read 788 times)
dethroned
Newbie
is this a trojan?
« on: Jun 17th, 2002, 1:22pm »

Backdoor.SubSeven
I downloaded a patch.exe but didn't see that it was only 20-30 KB big, and NAV reported that this Backdoor.SubSeven was found but that it could do nothing about it. The exe file has vanished, and virus scanning by NAV and Trojan Hunter has zero results.

Well, I am a total noob about viruses, so any kind of explanation about what happened and what can happen would be welcome.
Magnus
Administrator
Re: is this a trojan?
« Reply #1 on: Jun 17th, 2002, 3:16pm »

Hi,
 
If you have Norton Antivirus AutoProtect enabled then TrojanHunter will be unable to access any trojan files when you scan them. If you still have a copy of this file then e-mail it to submit@trojanhunter.com and I will have a closer look at it.
 
If the file was only 20-30 KB in size then I have to say it's unlikely to be SubSeven, as it is typically much larger - 200 kilobytes to 1 megabyte.
« Last Edit: Jun 17th, 2002, 3:16pm by Magnus »
dethroned
Re: is this a trojan?
« Reply #2 on: Jun 17th, 2002, 5:22pm »

No, I don't have a copy of it; this file has vanished. The file size may have been a little bigger, but not over 50 KB. Is it possible that NAV deleted the file? The Activity Log says:
C:\blahblah.exe is infected with the Backdoor.SubSeven virus. Unable to repair the file.
C:\blahblah.exe is infected with the Backdoor.SubSeven virus.
Access to the file was denied.

Maybe this "denied" thing means the file was deleted, because I ran Trojan Hunter and NAV Auto-Protect was disabled and nothing was found. Or maybe it's just wishful thinking. Anyways, thanks for your help.
« Last Edit: Jun 17th, 2002, 5:25pm by dethroned »
Ian
Stole All the Forum Stars
Re: is this a trojan?
« Reply #3 on: Jun 17th, 2002, 5:35pm »

Just a thought - I think NAV has a quarantine area, maybe it copied the file there, since it didn't report it being deleted. 'Access Denied' would imply the file is blocked from running, (and it would probably be 'hidden' to prevent inadvertently selecting it), but you may still be able to zip and email it.
« Last Edit: Jun 17th, 2002, 5:36pm by Ian »

... but crap arrives pretty much straight away.
IAMSKINZ
Full Member
Re: is this a trojan?
« Reply #4 on: Jun 18th, 2002, 1:18am »

dethroned,
If NAV detected the trojan it would have given you a notification screen that you couldn't miss. NAV automatically moves the infected file to the quarantine area. On the screen that comes up it will give you the choice of trying to fix it, leaving it in quarantine, sending it to Symantec or deleting it.
If for some reason the notification screen didn't come up, you can open NAV and click on reports and view and manage the items in quarantine. Also you can look at the log to see just what took place.
I have never had NAV delete any infected files without user interaction.
If nothing is in there do a search for the file if you know its name. If you find anything even close by all means do an individual file scan on them with both Trojan Hunter and NAV.
If nothing was found then I would rescan with both to be sure and consider myself lucky.

.............and I replied, What are you arguing with me for...I ain't got a lick of sense..............
dethroned
Re: is this a trojan?
« Reply #5 on: Jun 18th, 2002, 10:25am »

No, it is not in the quarantine area. All searches have zero results, so maybe I can consider myself lucky. Anyhow, what do these trojans do exactly? Or, if it wasn't a trojan (too small a file size?), can it be somehow hibernating and spring into action at a later date?
Ian
Re: is this a trojan?
« Reply #6 on: Jun 18th, 2002, 6:55pm »

Some Trojans use a small 'dropper' program that opens up a connection to a location where the full version is located - out on some unsuspecting host computer, which will have nothing to do with the individual who is trying to infect systems. Yours flagged up as 'Backdoor.SubSeven', which suggests it may be something like this.
 
However, Magnus is your man here, because he's seen them all and can tell you exactly how they look when they arrive. Since it looks much smaller than he expected, it's either a new variant of something already recognised, or it's a false alarm.
 
If you can't find anything following Jerry's (2 back up) advice then maybe it was the latter?
« Last Edit: Jun 18th, 2002, 6:57pm by Ian »

... but crap arrives pretty much straight away.
bruno
Guest

Re: is this a trojan?
« Reply #7 on: Oct 30th, 2002, 3:22pm »

I have AVG antivirus and it detected sub7 and cleaned it with no problem at all. And it is a larger file. I did a search for the folder it was stated to be in and it was gone for sure. Sorry, I just noticed the date this was posted, so it's old news lol. Grin
Kayrac
Full Member
Re: is this a trojan?
« Reply #8 on: Oct 30th, 2002, 3:48pm »

old but hey, you responded so I might as well.....patch.exe is subseven......I know that simply because it was the only thing to ever infect my computer......damn my stupidity before I knew anything about computers!
bruno
Re: is this a trojan?
« Reply #9 on: Oct 30th, 2002, 5:28pm »


on Oct 30th, 2002, 3:48pm, Kayrac wrote:

old but hey, you responded so I might as well.....patch.exe is subseven......I know that simply because it was the only thing to ever infect my computer......damn my stupidity before I knew anything about computers!


I didn't know what sub7 was till I read up on it; it's a nasty one for sure, so I read up on trojans in general ....good grief what people will do. Shocked  Shocked
Ian
Re: is this a trojan?
« Reply #10 on: Oct 30th, 2002, 6:00pm »

And the variants of Sub7 use all sorts of different ports - it's not even fixed on the latest versions - the 'Trojaneer' can specify any port they want (previously, choice was from 1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283)
 
Depending on what functions you add to the server, the size of it will also change. With more than 100 "features" it's one of the more powerful of all Remote Access Trojans. Right - long list follows (from Glocksoft) for all the different file names and their sizes:
Subseven.exe - 308,224 bytes
Subseven.exe - 312,320 bytes
Subseven.exe - 381,440 bytes
Subseven.exe - 388,096 bytes
Subseven.exe - 428,469 bytes
Subseven.exe - 623,104 bytes
Subseven.exe - 624,128 bytes
Sub7.exe - 468,992 bytes
Sub7.exe - 479,232 bytes
Sub7.exe - 491,520 bytes
Sub7.exe - 493,056 bytes
Sub7.exe - 519,680 bytes
Server.exe - 250,368 bytes
Server.exe - 251,904 bytes
Server.exe - 333,547 bytes
Server.exe - 335,237 bytes
Server.exe - 335,799 bytes
Server.exe - 336,867 bytes
Server.exe - 336,934 bytes
Server.exe - 342,042 bytes
Server.exe - 352,287 bytes
Server.exe - 380,835 bytes
Server.exe - 382,371 bytes
Server.exe - 385,858 bytes
Server.exe - 867,840 bytes
Editserver.exe - 186,368 bytes
Editserver.exe - 195,584 bytes
Editserver.exe - 221,184 bytes
Editserver.exe - 303,802 bytes
Editserver.exe - 404,992 bytes
Editserver.exe - 484,352 bytes
Systrayicon.exe - 768 bytes
Systray.exe - 33,280 bytes
Kerne1.exe - 32,768 bytes  
Nodll.exe - 33,230 bytes
Subseven.ini - Skin.ini - 454 bytes
Skin.ini - 464 bytes
Skin.ini - 468 bytes
Skin.ini - 481 bytes
Rundll1.exe - S7undetec.exe - 321,476 bytes
Subpas1.cab - 1,312,768 bytes
Subpas2.cab - 145,273 bytes
Ssetup.exe - 140,800 bytes
Ssetup.lst - 3,656 bytes
Sub7bonus.exe - Wandows.com

I've removed some of the file names that mimic 'genuine' ones, i.e. they used the same names as legitimate application files, to stop anyone panicking!!!
« Last Edit: Oct 30th, 2002, 6:22pm by Ian »

... but crap arrives pretty much straight away.
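
Added example (not part of the original thread or of any poster's reply): a check of Windows `netstat -an` output for TCP listeners on the historical default ports listed in the post above. The function name, the confidence labels and the sample output are assumptions made for illustration; because later versions let the port be chosen freely, an empty result does not rule Sub7 out.

```python
import re

# Historical SubSeven default ports, copied from the post above.
SUB7_DEFAULT_PORTS = frozenset({
    1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713,
    6776, 7000, 7215, 16959, 27374, 27573, 54283,
})
# Assumption added here: 6667 and 7000 are also commonly used by IRC
# servers, so a listener on them is a weaker signal than the others.
SHARED_WITH_LEGIT = frozenset({6667, 7000})

# One TCP row of `netstat -an`: proto, local addr:port, remote addr, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$", re.IGNORECASE)

def suspicious_listeners(netstat_text):
    """Return sorted (port, confidence) pairs for LISTENING TCP sockets
    bound to one of the historical SubSeven default ports."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3).upper() != "LISTENING":
            continue  # headers, UDP rows, outbound/established connections
        port = int(m.group(2))
        if port in SUB7_DEFAULT_PORTS:
            conf = "low" if port in SHARED_WITH_LEGIT else "high"
            hits.add((port, conf))
    return sorted(hits)

# Constructed sample output, not captured from a real machine.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1045       203.0.113.9:6667       ESTABLISHED
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1999           *:*
"""

if __name__ == "__main__":
    for port, conf in suspicious_listeners(SAMPLE):
        print(f"TCP port {port} is listening ({conf} confidence)")
```

Only local listening sockets are reported: the established outbound connection to remote port 6667 in the sample is ignored, since a server component is identified by what it listens on.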
bruno
Re: is this a trojan?
« Reply #11 on: Oct 30th, 2002, 6:07pm »

Thanks for the info. I believe knowledge is the key to fighting these people, plus a good firewall lol. Just saw a good program on tech tv and got their website; interesting stuff what they are doing. Here's the site if anyone wants to read about this project: http://project.honeynet.org/
Ian
Re: is this a trojan?
« Reply #12 on: Oct 30th, 2002, 6:25pm »

That link looks like it's worth a read. Sort of a Grand Central Station for all the honeypot computers out there - nice idea!
 
Has TechTV got a webcast?
« Last Edit: Oct 30th, 2002, 6:26pm by Ian »

... but crap arrives pretty much straight away.
bruno
Re: is this a trojan?
« Reply #13 on: Oct 30th, 2002, 7:48pm »


on Oct 30th, 2002, 6:25pm, Ian wrote:

That link looks like it's worth a read. Sort of a Grand Central Station for all the honeypot computers out there - nice idea!
 
Has TechTV got a webcast?

 
Sorry, not sure; check their site. I just happened to catch it starting at the middle of the segment.