Rule Category

MALWARE-BACKDOOR -- Snort has detected suspicious communication traffic unrelated to commands, such as exfiltration of data from the infected machine, especially larger chunks of data.

Alert Message

MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response

Rule Explanation

This event indicates that network activity relating to the Trojan Horse program SubSeven 2.1 Gold has been detected. This software offers complete control of the infected host.

Impact: Possible theft of data and control of the targeted machine, leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Other versions are capable of launching DDoS attacks.

Details: This Trojan affects the following operating systems: Windows 95, Windows 98 and Windows ME. No other systems are affected. This is a Windows executable that makes changes to the system registry, Win.ini and System.ini. When first executed, the Trojan listens on either port 27374 or port 1243. SubSeven is an improved version of the NetBus Trojan (see SIDs 114 and 115); SubSeven 2.1 Gold is an improved version of SubSeven that affects Windows 95 and 98 installations. The Trojan changes system startup files and registry settings to add the SubSeven server to the programs normally started on boot.

Ease of Attack: This is Trojan activity; the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
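The rule explanation names the two ports the SubSeven 2.1 Gold server listens on, and the rule category covers large data chunks leaving the infected machine. The following is an added example, not part of the Snort rule or this page, that applies those two observations to constructed Zeek-style connection records: the port numbers come from the text above; the tab-separated field layout, the TCP-only check and the byte threshold for "larger chunks" are assumptions made for the example.

```python
"""Flag connections to the SubSeven 2.1 Gold server ports in constructed conn records."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBSEVEN_PORTS = {27374, 1243}  # listening ports named in the rule explanation
EXFIL_BYTES = 1_000_000         # assumed threshold for a "larger chunk" of data


@dataclass
class Conn:
    ts: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    orig_bytes: int  # bytes sent by the originator (the controlling client)
    resp_bytes: int  # bytes sent by the responder (the infected host)


def parse_conn(line: str) -> Conn:
    """Parse one assumed record: ts orig_h orig_p resp_h resp_p proto orig_bytes resp_bytes."""
    f = line.rstrip("\n").split("\t")
    return Conn(f[0], f[1], int(f[2]), f[3], int(f[4]), f[5], int(f[6]), int(f[7]))


def classify(c: Conn) -> Optional[str]:
    """Return an alert label for a connection, or None if it is unremarkable."""
    if c.proto != "tcp" or c.resp_p not in SUBSEVEN_PORTS:
        return None
    base = f"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response from {c.resp_h}:{c.resp_p}"
    if c.resp_bytes > EXFIL_BYTES:
        # the server side pushed a large volume back to the client: possible exfiltration
        return base + f"; {c.resp_bytes} bytes sent by responder, possible exfiltration"
    return base


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, label) for every record that triggers."""
    hits = []
    for line in lines:
        c = parse_conn(line)
        label = classify(c)
        if label:
            hits.append((c.ts, label))
    return hits


# Constructed sample records, not captured traffic: a normal web request, a small
# control session on 27374, a large response on 1243 and a UDP flow that is ignored.
SAMPLE_LOG = [
    "1\t10.0.0.5\t40000\t10.0.0.9\t80\ttcp\t500\t900",
    "2\t198.51.100.7\t51000\t10.0.0.21\t27374\ttcp\t120\t340",
    "3\t198.51.100.7\t51001\t10.0.0.21\t1243\ttcp\t200\t4200000",
    "4\t198.51.100.7\t51002\t10.0.0.21\t27374\tudp\t60\t0",
]
```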

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos, Brian Caswell, Nigel Houghton

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None