Backdoor:Subseven

ultravox

Elite Member
Oct 9, 1999
2,072
12
81
I know this isn't the right forum for this, but my daughter's on my case about this and I know I'll get a faster response here. She tried to launch MIRC and an anti-virus notice came up advising her that she was infected with the backdoor subseven virus. So I deleted MIRC, rebooted and took out a CD where I had burned all this backup info, including MIRC. Well, as soon as I clicked on the MIRC on the CD, I got the same virus warning. WTF? I'm doing a complete scan now with Norton. Can anybody shed some light on this and what can be done? I have a feeling that even if I go download a new version of MIRC, it will do the same. I did get the latest upgrades for my virus program... last night, as a matter of fact. So ........??
 

Isla

Elite member
Sep 12, 2000
7,749
2
0
We looked into this... it isn't anything.

It's a false positive or something like that. We had to do a little searching to figure it out, but it seems it is a phantom.

At least, that was the conclusion we came to, from what we read. (edit: at the Norton site, we checked it out and came to this conclusion.)

I guess we could be wrong, but...

 

Isla

Thanks yakko, I'm going to check it out too.

Norton said it was a false positive, but you never know...
 

ultravox

Thanx Yakko.. I'm dl'ing the client now. Can you elaborate on this a bit? Where could I have gotten this.. how difficult is this client to run and terminate the nasty I got...?
 

ultravox

Hmm, this is not good. After I finished DL'ing the client, Norton came up and told me the zip file I DL'ed was infected with subseven 21 or something... What's this mean? Now what?
 

yakko

Lifer
Apr 18, 2000
25,455
2
0
That is because the file also includes the server. When you unzip it there will be 9 files. One is the server, which is making Norton go off. As long as you do not click on it you will be ok. The one you want to click on is SubSeven.exe to open the client. Once it is open, run winipcfg to get your IP and enter that at the top of the window. Go into connection and then server options. Click on remove server. Click on yeah. You are now cured. :)
 

ultravox

Thanks guy..you are a prince....go take a tenspot out of the cash for yourself..;)

I'm going to DL it again and follow your instructions.... How does one go about getting this? From IRC? Other DLs or e-mail?


Edit: How do I prevent getting it again? Or do I just keep the program and do it again if necessary?
 

yakko

Easiest way to prevent getting it is that you have Windows set up to show all file extensions. I got mine from a newsgroup. I was being stupid though. Now when I download a file I look to see what the file extension is before I click on it. Unless I am 100% sure where any .exe or .vbs files came from I will not click on them.
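
The advice in the post above (show all file extensions and check them before opening a download), as an added example that is not part of the original thread: a Python sketch that flags file names where a hidden extension would disguise an executable. The extension lists and the sample file names are assumptions constructed for illustration.

```python
"""Flag download names that hidden file extensions would disguise."""
import os

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions that look like harmless documents or media (assumed list).
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3", ".avi", ".zip"}

# Constructed sample file names, not taken from the thread.
SAMPLES = ["chat_client.zip", "holiday.jpg.exe", "notes.txt", "setup.exe",
           "readme.txt          .vbs"]


def displayed_name(filename):
    """Name shown when extensions are hidden (simplified: every type is 'known')."""
    stem, ext = os.path.splitext(filename)
    return stem.rstrip() if ext else filename


def classify(filename):
    """Return the reasons a file deserves a second look (empty list if none)."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    if ext not in EXECUTABLE:
        return []
    reasons = ["executable extension " + ext]
    # A second, harmless-looking extension is what the user sees when the
    # real one is hidden: holiday.jpg.exe is displayed as holiday.jpg.
    inner = os.path.splitext(stem.rstrip())[1]
    if inner in DECOY:
        reasons.append("decoy extension %s before %s" % (inner, ext))
    # Long runs of spaces push the real extension out of a narrow column.
    if "   " in stem:
        reasons.append("whitespace padding before real extension")
    return reasons


def scan(names):
    """Map each suspicious name to its list of reasons."""
    return {n: classify(n) for n in names if classify(n)}


if __name__ == "__main__":
    for name, why in scan(SAMPLES).items():
        print("%-26r shown as %-14r %s" % (name, displayed_name(name), "; ".join(why)))
```
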
 

ultravox

Well I got it and had a hell of a time unzipping it. Norton really did insist on not letting me have this file(s). I can't find how to run winipcfg. Could you be kind enough to walk me through it? I'm not much of a hax0r...;)
 

yakko

Click on Start. Then click on Run. Type in winipcfg. Your IP address will be listed.
 

ultravox

In subseven, do I have to click connect first, before "remove server"?
 

ultravox

This is not going as smoothly as I would like.... It does not want to connect.. unless it takes more than 10 mins to do so.... I have port 27374 showing up top. Is this correct? Also.. when I first fired up subseven, it had 127.0.0.1 written on IP address.. is this significant? What now, my knowledgeable friend?