A new version of the SubSeven Trojan horse virus has emerged, with features that make it even more dangerous than before.
SubSeven typically infects computers by posing as an innocuous e-mail attachment. The program allows an attacker to retrieve saved and cached passwords and decrypt some of them, to modify registry settings, and to manipulate files from a remote system.
Once resident on an infected computer, the software copies itself to the Windows directory with the original name of the file from which it was run.
It then unpacks a DLL (dynamic link library) to the Windows system directory and edits the Windows Registry so that SubSeven will run every time Windows boots up.
New features in the virus include proxy support, which lets attackers disguise their identity by connecting from an alternate IP address. The proxy places another machine between victim and attacker.
Also new are built-in CGI scripting utilities that allow attackers to remotely and automatically post the addresses of vulnerable systems on the Web.
SubSeven 2.2 has added the ability to let the attacker be notified through IRC, ICQ and e-mail. It can also log keystrokes and send the log as an
Also built in are features that help fool Web users into revealing their passwords, such as fake login screens for programs like ICQ.
Staff writer Samuel Quek reported from Asia.