Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: fix18.txt

Fixing SubSeven 1.8 BKI:




HackFix - SubSeven - Fix v1.8

NOTE: You should print this page for reference before starting.

Sub7 1.8 now includes a configure application which the hacker can use to
modify how the server works. Unfortunately if any of these values are
changed from defaults, it can become very hard to detect if your infected
as well as how to remove it.
The default name of the server and its location is C:\windows\kerne132.dl
Please note that this is (Letters) kerne, (Numbers) 132, .dl (not .dll)
This can be changed to make it very hard to find.

The hacker can also choose One of four methods to have the server restart
with windows.
Registry line, either in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -or-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Run= line in c:\windows\win.ini (as above on 1.5) or (The default and most
easily tracked method) is to edit a line in your c:\windows\system.ini.
This particular line usually reads shell=explorer.exe and is what loads the
windows kernel. When infected in this way, the line will read
shell=explorer.exe kernel32.dl or similar.
Using this default method, the server name can easily be obtained.

Removal consists of rebooting the computer in MS-DOS mode (From the Start
-> shutdown menu) and manually removing the server: del kerne132.dl in the
windows dir.

If this is not the name of the server, you should look in your system.ini
file to see if the shell line is loading any other files. (99.9% of the
time the shell=explorer.exe should Never be changed.)

If the server name has been changed And the server is not loaded via
system.ini, then you will need to play detective to find the server name.
First look in c:\windows\win.ini for any lines starting with run= or load=
(they will be at the top)
If any exist and they dont look familiar, and either point to a file in
c:\windows, or dont have a path, this may be the trojan.

The other place to look is in Regedit, in the keys listed at the beginning
of this note. Look for lines that do not look familiar or right, and see if
any dont list a pathname to a file.

After deleting the server through MS-DOS mode, it will be unable to start,
however if using win.ini or system.ini to load, you will see an error
entering windows that it cannot find the file you just deleted. This is ok,
and you can dismiss the error window.
In system.ini, make sure the shell=explorer.exe line has nothing after it
(delete anything at the end of that line and save, however dont edit any
other lines in this file.)
In win.ini, remove the line load= or run= that is calling the server, and
save.

After the server is deleted from dos and you re-enter windows, you should
be uninfected!


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH