SubSeven typically infects computers by posing as an innocuous e-mail attachment. The program allows an attacker to retrieve saved and cached passwords and decrypt some of them, to modify registry settings, and to manipulate files from a remote system.
Once resident on an infected computer, the software copies itself to the Windows directory with the original name of the file from which it was run. It then unpacks a DLL (dynamic link library) to the Windows system directory and edits the Windows Registry so that SubSeven will run every time Windows boots up.
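The persistence described above (a copy in the Windows directory, a dropped DLL, and a Registry entry that relaunches the program at boot) is what a responder would audit first. The script below is an added example, not code from the article or from SubSeven itself: it parses a constructed REGEDIT4-style export of the autorun keys and flags any value that launches an unlisted program from the Windows or System directory. The export text, the KNOWN_GOOD allowlist and the path heuristic are assumptions for illustration; the article names no specific file or value names.

```python
"""Audit exported Windows autorun Registry keys for unexpected programs.

Added example. The sample export, the allowlist and the "lives in the
Windows directory" heuristic are constructed assumptions, not indicators
taken from the article.
"""
import re
from typing import Dict, List

# Autorun locations evaluated at boot or logon (Windows 9x/NT era layout).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Hypothetical allowlist of value names a baseline machine is expected to have.
KNOWN_GOOD = {"SystemTray", "ScanRegistry", "LoadPowerProfile"}

# Constructed REGEDIT4-style export used as sample input (backslashes are
# doubled, as regedit writes them).
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"photo"="C:\\WINDOWS\\photo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"greeting"="C:\\WINDOWS\\SYSTEM\\greeting.exe"
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of REGEDIT4 syntax autorun keys use: [key] headers
    followed by "name"="string" lines. Keys are upper-cased for lookup and
    doubled backslashes are unescaped."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith(";"):
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            result.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            result[current][m.group(1)] = data
    return result


def executable_of(command: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def in_windows_dir(path: str, windir: str = r"C:\WINDOWS") -> bool:
    """True if the file sits directly in the Windows directory or its SYSTEM
    subdirectory, or has no directory at all (the loader searches there)."""
    p, w = path.upper(), windir.upper()
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent in ("", w, w + "\\SYSTEM")


def suspicious_autoruns(reg_text: str, known_good=KNOWN_GOOD,
                        windir: str = r"C:\WINDOWS") -> List[dict]:
    """Flag autorun values not on the allowlist whose program lives in the
    Windows or System directory, the placement the article describes."""
    hits = []
    keys = parse_reg_export(reg_text)
    for key in AUTORUN_KEYS:
        for name, cmd in keys.get(key.upper(), {}).items():
            exe = executable_of(cmd)
            if name not in known_good and in_windows_dir(exe, windir):
                hits.append({"key": key, "name": name, "executable": exe})
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{hit['key']}: {hit['name']} -> {hit['executable']}")
```

On a real machine the export comes from `regedit /e` against each key; the allowlist must be built from a known-clean baseline, since an attacker who keeps the attachment's innocuous file name (as the article says SubSeven does) will not stand out by name alone.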
New in this version of the Trojan horse is proxy support, which lets an attacker reach a victim through an intermediate machine so that the victim sees the proxy's IP address rather than the attacker's own.
Also new are built-in CGI notification utilities that automatically post the addresses of newly infected systems to a Web page, so the attacker need not hunt for victims by hand.
SubSeven 2.2 can also notify the attacker through IRC, ICQ and e-mail. It can log keystrokes and e-mail the log to the attacker without alerting the victim.
Also built in are features designed to trick users into revealing their passwords, such as fake login screens that mimic programs like ICQ.
Staff writer Samuel Quek reported from Asia.