27374

trinity1

What the hell is going on with this port??!!
Are there that many idiots out there with scanners??
I've been getting hit at least 5 times an hour if not more for the last several weeks!!:mad:
 

Neo

Administrator
Staff member
Port 27374
(TCP) This is one of the most commonly probed ports on the Internet right now, due to its inclusion within the SubSeven Trojan. The reason it is so common is that SubSeven provides the ability to tell a compromised system to scan on its behalf. This allows cr/hackers to scan with impunity.

Summary
As of early year 2000, SubSeven has become the most popular Trojan (as measured in scans for this trojan). Furthermore, Network ICE believes that this is the most dangerous Trojan, with several powerful "hacker" capabilities.

Details

The popularity of scans for this Trojan is due to the fact that one victim can be commanded to scan for other victims. This has led to numerous scans for port 27374 on the net.

The Basics of SubSeven (aka Sub7 or Backdoor_G)

SubSeven (aka Sub7 or Backdoor_G) currently affects Windows 95/98 PCs and can be a bit tricky to remove. This is because the server portion can be configured to rerun itself automatically from any of four places each time the system has been rebooted. The trojan also has two files that can be configured with any name.

As mentioned above and although the server portion can have any name, it's found in the WINDOWS directory, with one of the following:
"server.exe" (328kb)
"rundll16.exe" (328kb)
"systray.dl" (328kb)
"Task_bar.exe" (328kb)

The second file is found in the WINDOWS\SYSTEM directory, with one of the following:
"FAVPNMCFEE.dll" (35kb)
"MVOKH_32.dll" (35kb)
"nodll.exe" (35kb)
"watching.dll" (35kb)

If you've encountered any names other than the above, send an email to [email protected] or click the envelope to the right.

TCP Ports 6711 and 6776 are used by default, but there's a third TCP port which is the port used in the establishment of the connection between the "client" and "server". This third TCP port can be configured to be anything, although it's commonly seen as TCP port 1243 or TCP port 1999.

As mentioned above, the server portion of the trojan can be configured by the hacker to rerun itself every time the system is rebooted due to an entry in one of the four locations. Provided below are the four locations.

The first, is an entry on the "shell=" line in the SYSTEM.INI file.

The second, is an entry on the "load=" or "run=" line in the WIN.INI file.

The third, is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

The fourth, is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

NOTE: Of the systems compromised with SubSeven, it's often found to be the first location.

SubSeven was written by an individual known as MobMan.

How to Remove SubSeven

Because the server portion of the SubSeven trojan can be configured to be loaded automatically from one of four locations, you'll need to look at all of the locations first. Keep in mind that several steps involve examining and possibly editing the registry. Although the steps are relatively easy, I cannot be held responsible if a mistake is made. Please use caution.

The first and second locations - The WIN.INI and SYSTEM.INI files

Step 1.
Click START | RUN
Type SYSEDIT and press ENTER

Step 2.
Click on the SYSTEM.INI file and look at the "shell=Explorer.exe" line under the [boot] section. There shouldn't be anything to the right of it. However, if yours looks like "shell=Explorer.exe Task_Bar.exe", then Task_Bar.exe is the server portion of the trojan.

Delete Task_Bar.exe from the line, save the change. Skip to the END.

Step 3.
Click on the WIN.INI file and look at the run= and load= lines under the [windows] section. Because it is common to have legitimate programs on either of these lines, you should look at the name of the file that appears on the line and compare it to those above.

If you find one, delete it from the line, save the change. Skip to the END.


The third and fourth locations - The Registry

Step 1.
Click START | RUN
Type REGEDIT and press ENTER

Step 2.
In the left window, click the "+" (plus sign) to the left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Step 3.
In the right window, look for a key that has a Value that loads one of the files listed above. If you don't find a file as listed above, it might mean that the server portion was renamed to something else. Note the names of any suspicious files.

What you will need to do is open Windows Explorer and go to the WINDOWS directory. Locate each of the suspicious files that were referenced within the right window of regedit. When you find the file that's 328Kb in size, you've probably found the renamed server portion of SubSeven.

Step 4.
Return to the registry and in the right window, highlight the key that loads the file and hit the DELETE key. Answer YES to delete the entry.

Step 5.
Exit the Registry and reboot your computer.

Step 6.
After the computer has restarted, open Windows Explorer

Step 7.
Go to the WINDOWS directory and look for the suspicious file. Once you've found the file, DELETE it.

Step 8.
Exit Windows Explorer.

Congratulations! SubSeven has been removed.
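The removal steps above amount to auditing four autostart locations (SYSTEM.INI shell=, WIN.INI run=/load=, and the Run and RunServices registry keys) against a list of known file names plus the 328KB size heuristic for a renamed server. The script below is an added example, not code from the thread or from Network ICE: it performs that same triage offline on constructed inputs. The INI text, the dictionaries standing in for the registry values, and the file-size table are all made up for the demonstration; on a real machine you would fill them from the files and regedit as the post describes.

```python
"""Offline triage of the four SubSeven autostart locations.

Added example (not part of the original thread). Parses SYSTEM.INI / WIN.INI
text and dictionaries that stand in for the Run / RunServices registry values,
then flags entries matching the file names and the 328KB size given above.
"""

# File names quoted in the post (lowercased for case-insensitive matching).
KNOWN_SERVER_NAMES = {"server.exe", "rundll16.exe", "systray.dl", "task_bar.exe"}
KNOWN_HELPER_NAMES = {"favpnmcfee.dll", "mvokh_32.dll", "nodll.exe", "watching.dll"}
KNOWN_NAMES = KNOWN_SERVER_NAMES | KNOWN_HELPER_NAMES
SERVER_SIZE_KB = 328  # size of the server portion quoted in the post


def parse_ini(text):
    """Minimal Win9x-style INI parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _file_name(command):
    """Bare lowercased file name from a command line, quoted path or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split()[0] if command else ""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_system_ini(text):
    """Location 1: shell= under [boot] should name Explorer.exe and nothing else.
    Returns every extra token found to the right of the first one."""
    tokens = parse_ini(text).get("boot", {}).get("shell", "").split()
    return tokens[1:]


def check_win_ini(text):
    """Location 2: run= and load= under [windows] may hold legitimate programs,
    so only entries whose file name matches a known SubSeven name are returned."""
    win = parse_ini(text).get("windows", {})
    findings = []
    for key in ("run", "load"):
        for entry in win.get(key, "").replace(",", " ").split():
            if _file_name(entry) in KNOWN_NAMES:
                findings.append((key, entry))
    return findings


def check_run_keys(run_values, file_sizes_kb):
    """Locations 3 and 4: Run / RunServices values ({value name: command}).
    file_sizes_kb ({file name: KB}) stands in for the size column in Explorer.
    Flags known names, and unknown names whose file is 328KB (renamed server)."""
    findings = []
    for value_name, command in run_values.items():
        name = _file_name(command)
        if name in KNOWN_NAMES:
            findings.append((value_name, name, "known SubSeven file name"))
        elif file_sizes_kb.get(name) == SERVER_SIZE_KB:
            findings.append((value_name, name, "unknown name but 328KB, possible renamed server"))
    return findings


# Constructed sample inputs (not real captures).
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Task_bar.exe\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\nodll.exe\n"
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",                       # benign-looking entry
    "WinLoader": "C:\\WINDOWS\\sysupdate.exe",          # constructed unknown name
}
SAMPLE_RUNSERVICES = {"rundll16": "C:\\WINDOWS\\rundll16.exe"}
SAMPLE_SIZES_KB = {"systray.exe": 40, "sysupdate.exe": 328, "rundll16.exe": 328}


def audit(system_ini, win_ini, run, runservices, sizes_kb):
    """Run all four checks and return the findings per location."""
    return {
        "SYSTEM.INI shell=": check_system_ini(system_ini),
        "WIN.INI run=/load=": check_win_ini(win_ini),
        "Run": check_run_keys(run, sizes_kb),
        "RunServices": check_run_keys(runservices, sizes_kb),
    }


if __name__ == "__main__":
    for location, hits in audit(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_RUN,
                                SAMPLE_RUNSERVICES, SAMPLE_SIZES_KB).items():
        print(f"{location}: {hits or 'clean'}")
```

The size heuristic is the weak part, exactly as in the post: a 328KB file under an unfamiliar name is only a lead, so the script reports the reason beside each hit rather than treating every match as confirmed.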
 