SUB7 Secrets X-Posed
-=[ Presented by WaJ ]=-


Author Wajid
Target SUB7 2.0 trojan horse.
Completed   20 NOV 99 (Public release) 
Last Update 9 DEC 99.
Groups Hellforge
Contact [email protected] 
Dedication DG '99
Wise Word Treasure Your Privacy!

Please note, I have nothing against the SUB7 crew. In fact with the updates, I believe that SUB7 is by far the best remote access package in its own ways. It is full of features that no other trojan has. Although the features can be done manually, mobman has done a great job in implementing them within the program itself. I have decided to remove all my ANTI-SUB7-CREW documents and I would like to apologise to Slim and all the crew members and mobman for me being such a fewl. Although this will not affect my future work on the trojan, you will no longer see SUB7 vs BO2K theories, or anti-slim documents. Condolences to ReVeNGeR. Even though I don't recommend using SUB7 on your precious victims. SUB7 has a backdoor where a person (apparently mobman) can connect to your victims overriding any password mechanism. This STILL exists in the most up-to-date version. SUB7 is not the only one that does this... remember netbus 1.7? remember how it opens 12345 & 12346? remember how netbuster is able to reset the password? how? hehe. BO2K has NO SUCH overriding feature! Look at the source. Compile it and use it. And yeah... Don't think your victims are only your victims!

Sub7 employs some new characteristics that haven't yet been exposed to the public on a mass scale. Apparently 3/10 people will not realise the way Sub7 starts up & where it stores its information at the time of writing this (11/11/99). This document is meant to expose that "top secret" information. This, as far as I can tell, is not available on the internet at the moment. But you might see many modified versions of this text after its initial release. You may use this document directly or modified as long as the header above is included. Now c'mon, that's not much to ask, is it?

There are 5 methods of Sub7 starting up. They say that the last 2 are secret and "unknown". They will soon be known to you after reading this document. heh....

 Startup Methods:

#1: Registry RUN: \run -- duh. the most obvious.
#2: Registry RUNSERVICES: \runservices -- duh. the second most obvious.
#3: WIN.INI RUN= -- duh. the third most obvious.
#4: SYSTEM.INI Explorer (unknown) -- duh. the so-called "not-very-known" method
#5: Now our start method. heh....

 NOT KNOWN =

C:\WINDOWS\RUN.EXE is created - this is for execution of the server. It itself is NOT the server. It is dropped from the resource section of the server at runtime (if the unknown start method option was selected).

Now obviously this file can't run by itself just because it is called run.exe and sits in the Windows directory, so... there must be somewhere its startup information is kept.. duh.. yeah, and that is the key:

 HKCR\exefile\shell\open\command    

 hmmmmmmmm. I hear you say... and it sets the default value to: "run.exe "%1" %*".

 run.exe is 11,371 bytes long and is also packed with the UPX 0.72 packer. Damnit, these guys love packers...

 Now, you may be asking: WHY THE HELL make run.exe? Why not directly execute the server? Intelligent question. I'll let you into a little secret... That method of execution, although quite hidden, replaces the usual execution path of Windows. When you execute an executable file, Windows DOES NOT directly execute it... instead it executes "run.exe "%1" %*". Here the path of your executable (including any arguments) is passed to the file "run.exe". This then executes the invoked program for you, obviously also executing the server (if not already running)! So run.exe actually runs upon execution of ANY exe file (invoked with CreateProcessA <> invocation of explorer)!!! VERY, VERY inefficient! So run.exe will be invoked many times... and of course this is not very good...

So if you are infected, kill any suspicious processes in the Windows directory (up to ver 2.0 you can't set the path.. heh). Then delete the target file, then delete run.exe from your Windows directory, also setting the above key's value to: "". NOTE: DO NOT DELETE THIS KEY! If you do, then you will not be able to execute any exe files. heh.

You may also be wondering about the execution of files that don't have the .exe extension. You can configure the server to be a .dl. What's up with this, I hear you say... Well, this was first introduced by cDc in their BO 1.2 (an excellent tool I have to say). The BO 1.2 config allowed you to name the file with any extension.. now this is how they do it...

They register a new file type for the extension, i.e. if not already present, they create a key for it under the root key:

HKCR\

For example, for the .dl file they would create "HKCR\.dl". They set the default value to "exefile" and create another string value called "Content Type" within the same key; this string value is set to "application/x-msdownload". This is exactly the value an .exe has. It allows the server to execute the file without first renaming it to an .exe.
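As an added check, not part of the original text, here is a small Python audit that parses a REGEDIT4-style .reg export of HKEY_CLASSES_ROOT and flags both tricks described above: an exefile\shell\open\command default that is anything other than the stock Windows value `"%1" %*` (which is also what you restore it to), and any extension other than .exe that is mapped to exefile / application/x-msdownload. The sample export is constructed, not a real capture.

```python
import re
# Stock default of HKCR\exefile\shell\open\command on a clean Windows install.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# Matches one .reg string value line: @="data" or "Name"="data".
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")\s*$')

def _unquote(s):
    # Drop surrounding quotes and undo .reg escaping of \" and \\.
    return s[1:-1].replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text):
    # REGEDIT4 export -> {key: {value_name: data}}; '' is the (Default) value.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys

def audit_reg_text(text):
    # Returns (finding, detail) tuples for the two tricks described above.
    keys, findings = parse_reg(text), []
    cmd = keys.get(r'HKEY_CLASSES_ROOT\exefile\shell\open\command', {}).get('')
    if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
        findings.append(('exefile_hijack', cmd))      # e.g. run.exe "%1" %*
    for key, values in keys.items():
        hive, _, ext = key.partition('\\')
        # Only direct extension keys such as HKEY_CLASSES_ROOT\.dl
        if hive != 'HKEY_CLASSES_ROOT' or not ext.startswith('.') or '\\' in ext:
            continue
        if ext.lower() != '.exe' and (values.get('') == 'exefile'
                or values.get('Content Type') == 'application/x-msdownload'):
            findings.append(('ext_mapped_to_exefile', ext))
    return findings

# Constructed sample export of an infected box (not a real capture).
INFECTED_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="run.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\.dl]
@="exefile"
"Content Type"="application/x-msdownload"
'''
```

Run `audit_reg_text` over an export taken with `regedit /e` of HKEY_CLASSES_ROOT; an empty list means neither trick is present.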

Also some encrypted data is held by the server at the registry key:

HKLM\Enum\PCI\RGNSSS\

Just delete this fucking key! I suspect it is something to do with that server protection thing.

e.g.

HKLM\Enum\PCI\RGNSSS\â£Ö᪽ª¦Kû¦Çÿᣠ="·7_"
HKLM\Enum\PCI\RGNSSS\t¼ñ®ÿÑ¿|xû       = "££ñÑÿhb£xû"     
HKLM\Enum\PCI\RGNSSS\üªñ½Sà®ñbû   = "fpgp"

As far as I know, this is used by the server only; it's not related to Windows in any way. IMHO (even though I can't even get the server to work) this is the information that protects the port from being modified etc.


Also other keys the program creates/modifies:

I hope this text has increased your awareness of startup methods and above all answered your questions regarding SUB7. Please do not hesitate to contact me if you have any problems. Manual removal should also be clear from the above text. Further information is available from me. Also some more information on future versions:

 If you suspect you have a server running, then go to dos and type:

 netstat -an

This should give you all listening ports. Before you are connected to the internet, there should be NO LISTENING PORTS whatsoever! If there are, then you can get worried... and download the latest virus definitions. It is also possible that the version you have is unique. This requires a manual removal... The techniques applied above could be used generically to eradicate any trojan out there! NOTE: legitimate programs DO NOT listen on ports (i.e. Virtual Drive 3.1 by Farstone = transfers user details). Of course the server can be made to open its port only once it senses a connection (to the net), so it is also wise to check your open ports while online.
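An added helper, not from the original text, that applies the netstat check above: it parses the Windows `netstat -an` output format, returns the TCP ports in LISTENING state plus bound UDP ports, and diffs an offline baseline against a later online snapshot to catch a server that only opens its port once a connection is up. The netstat text is constructed, using the NetBus ports 12345/12346 mentioned earlier as the stand-in trojan listener.

```python
import re

# One "netstat -an" row on Windows: proto, local addr, foreign addr, optional state.
_ROW_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')

def listening_sockets(netstat_text):
    # Sorted list of (proto, port) that accept traffic: TCP rows in LISTENING
    # state and every bound UDP row. ESTABLISHED connections are ignored.
    found = set()
    for line in netstat_text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue                      # header lines and blanks
        proto, local, _foreign, state = m.groups()
        port = int(local.rsplit(':', 1)[1])
        if proto == 'TCP' and state == 'LISTENING':
            found.add(('TCP', port))
        elif proto == 'UDP':
            found.add(('UDP', port))
    return sorted(found)

def new_listeners(offline_text, online_text):
    # Ports that appeared only after going online (the "opens on connect" trick).
    return sorted(set(listening_sockets(online_text)) - set(listening_sockets(offline_text)))

# Constructed samples, not real captures. 12345/12346 are the NetBus ports named
# in the text above; 1025 and 137 are arbitrary constructed local sockets.
OFFLINE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

ONLINE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1028       10.0.0.1:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
```

Feed it the saved output of `netstat -an` taken before and after dialling up; anything reported by `new_listeners` deserves the manual removal described above.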

Greetz: LaZaRuS, Shadow, ReVeNGeR, HH, Int_13. damn I hate it when I forget the names so i'll just add an (etc.) heh..... & of-course DG'99.

Treasure Your Privacy!
(C) Copyright 1999. Wajid. Any literature found at this site MAY NOT be reproduced partially or in whole without my prior written consent.