Sophos

Troj/Sub7-21B


Summary

Action

Please read the instructions for removing Trojans.

When removing the Trojan, make a note of the names of any files detected.

In the win.ini file, which can be found in the Windows directory, there may be a run= line that points to one of these files. Delete the file name from that line.

Similarly, delete any references to the files from the system.ini file in the Windows directory (on a clean system the shell= line in the [boot] section reads shell=Explorer.exe with nothing after it).

More Information

Troj/Sub7-21B is a variant of the Troj/Subseven Trojan.

The package contains two or three programs. One of them, the "server", is the component installed on the victim's machine. Once the server is running, the client can take control of the infected computer. The client is a powerful "remote administration" tool with capabilities such as editing the Windows registry on the server, flipping the screen, changing the desktop colours, restarting Windows, playing sounds, sending messages, switching off the display, disabling keyboard keys, and hiding the mouse cursor or the task-bar.

The client can also steal passwords and retrieve keystrokes logged on the server since the last boot. The third program in the package is a utility for configuring the server. It can bind the server to any legitimate executable so that the victim appears to receive a valid file rather than the Trojan. The configuration utility also sets how the server "installs" itself at startup: it can use the Windows registry,

or it can modify C:\WINDOWS\WIN.INI or C:\WINDOWS\SYSTEM.INI so that the server is run each time Windows starts.
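The cleanup steps above (checking the run= line in win.ini and the startup references in system.ini for the file names noted during removal) can be scripted. The following is an added example written for this page, not a Sophos tool or part of the Trojan package; it operates on ini file contents passed in as strings so it runs offline against the constructed sample text shown at the bottom. The file name SUSPECT.EXE, the sample ini contents, and the choice of which keys count as startup lines (run= and load= in win.ini, shell= in system.ini) are assumptions for illustration.

```python
"""Strip references to named files from the startup lines of win.ini / system.ini.

Added example, not Sophos's own tool. Works on ini text passed in as strings,
so it can be tried offline on the constructed samples at the bottom.
"""
import re

# Keys that Windows 9x/Me executes at startup (assumption for this example):
# win.ini [windows] run= and load=, system.ini [boot] shell=.
STARTUP_KEYS = {
    "win.ini": {"windows": ("run", "load")},
    "system.ini": {"boot": ("shell",)},
}


def _split_programs(value):
    # run=/load= separate entries with spaces or commas; shell= uses spaces.
    # Assumption: entries are 8.3-style paths without embedded spaces.
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def _basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()


def clean_ini(text, ini_name, suspect_files):
    """Return (cleaned_text, removed).

    removed is a list of (section, key, program) for every startup entry whose
    file name matched one of suspect_files (compared case-insensitively on the
    base name, since the ini line may carry a full path).
    """
    suspects = {s.lower() for s in suspect_files}
    keys_by_section = STARTUP_KEYS[ini_name.lower()]
    section = None
    out, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        sec = re.match(r"^\[(.+)\]$", stripped)
        if sec:
            section = sec.group(1).lower()
            out.append(line)
            continue
        kv = re.match(r"^([^=;]+)=(.*)$", stripped)
        if kv and section in keys_by_section \
                and kv.group(1).strip().lower() in keys_by_section[section]:
            key = kv.group(1).strip()
            kept = []
            for program in _split_programs(kv.group(2)):
                if _basename(program) in suspects:
                    removed.append((section, key.lower(), program))
                else:
                    kept.append(program)
            out.append(f"{key}={' '.join(kept)}")
            continue
        out.append(line)
    cleaned = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed


# Constructed sample contents (not from a real infected machine).
WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SUSPECT.EXE\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe C:\\WINDOWS\\SUSPECT.EXE\n"
    "[386Enh]\n"
    "device=*vmm32\n"
)

if __name__ == "__main__":
    noted_files = ["SUSPECT.EXE"]  # the names written down during removal
    for name, content in (("win.ini", WIN_INI), ("system.ini", SYSTEM_INI)):
        cleaned, removed = clean_ini(content, name, noted_files)
        for section, key, program in removed:
            print(f"{name}: removed {program} from [{section}] {key}=")
        print(cleaned)
```

On a real machine the script would read the two files from the Windows directory, write the cleaned text back, and leave a backup of the originals; the registry Run keys the Trojan may also use are a separate check that this example does not cover.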
