Security Incidents mailing list archives

Re: Sub-7


From: nine () 14X NET (nine)
Date: Thu, 8 Jun 2000 16:33:21 -0400


It's not that it 'broadcasts' to an IRC channel, people have IRC bots in
large channels that scan your IP for the existence of Sub7, BO, etc. It
then says [Sub7 Detected on 0.0.0.0] (example). People sit in these
channels waiting for new IP addresses to screw around with.

However, I have never looked at Sub7; if it does broadcast the IP to an IRC
channel, please let me know.

Erik Tayler
14x Network Security
http://www.14x.net

On Thu, 8 Jun 2000, Matthew F. Caldwell wrote:

Sub7 Information:

The subseven trojan can be downloaded from: http://subseven.slak.org
This is a very powerful trojan for win95/98. The Internet Relay Chat (IRC)
client will broadcast the IP of the infected system, the port number of
the trojan and the password needed to connect on the designated port.

Matthew F. Caldwell, CISSP - Senior Consultant
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Guarded.Net - An Information Security Company
 connect(); to the future of secure computing!
      Email: matt.caldwell () guarded net
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        http://www.guarded.net


On Mon, 5 Jun 2000, Khan, Mansoor wrote:

I was wondering if anyone has any experience with this Trojan (Sub-7).
I am interested in finding out if it sends info through a general
broadcast to chat rooms.  Additionally, what specific info does it send
(from a w-95 machine) e.g. registry settings, user ids and passwords
etc.

Thanks,



