Trying to find and use Subseven Server Sniper!
Corey K
May 18th, 2003, 02:44 AM
Ok... so I got a copy of Subseven infecting my machine... fortunately I believe it is blocked by my Firewall from sending its mail notification to the infecTOR... it's identified fully by TDS-3 as SubSeven 2.2 (no beta specifications, though, so I assume it's pure SS2.2) I've been searching the internet for FEW HOURS for the SubSeven Server Sniper that I've heard of for years... I keep getting referrals to Diamond CS's website for their SubSeven Server sniper for SS2.2. however... the site doesn't seem to have the link up and I can't find it... I'M LOOKING TO SNIPE THIS SERVER...ANYONE KNOW WHERE TO FIND THE SNIPER FOR IT...?
Thank-you,
Corey
Paul Wilders
May 18th, 2003, 03:48 AM
Hi Corey,
Since you have TDS3 installed, the way to go seems to be getting rid of this nasty using TDS3 ;).
The DCS sniper has no longer been available for quite a while now, as far as I know.
regards.
paul
Corey K
May 18th, 2003, 04:02 AM
Yeah, well... I'd like to... but I can't figure out how to get TDS-3 to remove it....! It seems to just be a Trojan Identification Suite...!
Any idea how to get it to uninstall the Trojan? And where the hell did the Sniper go?! I saw a posting on a website claiming to be from DiamondCs and they were saying how they had cracked the newest version 2.2 of SubSeven and had a sniper available... where'd it go?! Nutz... well... I need to get rid of it... Can't seem to figure out how to get TDS to ACTUALLY remove it... help...
thanx...
Corey
sig
May 18th, 2003, 04:10 AM
I don't have TDS so I can't help. But you could try posting in the TDS forum here where it may be more likely to come to someone's attention who can help you.
Corey K
May 18th, 2003, 04:53 AM
Correction: I can delete the files that TDS identifies... but I would like to properly remove it ... aka registry entries.. win.ini entries... etc... plus... I'd also like to snipe the bastard... I know about spoofs and commandeering others' machines... so I'm not planning to run amok on the net... perhaps just honey pot him or something... I KNEW what it was when I opened it... it's just that I didn't realize that there are no SNIPERS for version 2.2... I had more than a blanket (TDS-3, Reg Prot, Outpost Firewall, Spybot, TCPView, plus my trusty "Phone-Cord-Pulling-Right-Hand") to block it from allowing him access... but I'd like to PROPERLY remove it... and SNIPE it first if able... It has been able to access a DNS server to identify what I am assuming to be my machine's current IP... but the firewall blocks its attempt to mail out to a hotmail account... and there are no live connections... just dynamic ports which randomly change every time the program runs anew. Oh well... you get me... I'm gonna keep workin on the thing... but eventually I'll be two to four years learning how to do what DCS has already done... I want the sniper... LOL
Corey
Patrice
May 18th, 2003, 06:36 AM
Hi Corey,
actually your question would be a nice thread in the TDS-3 forum. Why are you searching for Subseven Server Sniper, when you have TDS-3? TDS-3 isn't just a Trojan Identification Suite. You don't know the power you have with this tool yet. ;D
You don't need Subseven Server Sniper for tracing this guy. You have TDS-3 with which you can perform this action! ;D Ever looked at the Network tools they included like TCP Connect, TCP Port Listen,... Nice tools to build up a connection with this subseven server...
If you need further help with those, start a thread in the TDS-3 forum! ;)
Best regards,
Patrice
Jooske
May 18th, 2003, 07:55 AM
Hi Corey, sorry to hear about your infection and the frustrating searching for the sniper!
And I was not around for a few hours, cleaning out my system (just normal housekeeping of the files, no infections), and you in this big need! Sorry!
Indeed, the sniper does exist but is no longer public (I suppose for security reasons); the one on the website was for older S7 versions, I guess.
The TDS lab is able to snipe it out for you, for which they have a service; since they have been rebuilding (and still are) their web sites I can't find a link/description to this at the moment. I guess if you really want to know who sent you the nasty and what its payload, sender, etc. are, you best contact wayne@diamondcs.com.au or support@diamondcs.com.au
I would like to know as well where and how, so you can properly complain to the right abuse department with the proof at hand.
In the meantime, while waiting for DCS's answer, you might like to create a folder in TDS-3 which you might like to name ScanAlerts (so you can easily find it back) and move the nasties inside and zip them, so they can't harm your system in the meantime while waiting for DCS's answer.
Having such a folder is very handy; I move suspicious emails and all alerts in there (or at least copy them) so I can scan that whole folder at a time, plus I know if they are in there all is well; if outside, it needs further attention.
Fingers crossed for a positive answer for you!
Jooske
May 18th, 2003, 08:01 AM
Oh ehhh Corey, did you say you prefer to have it running and look in the TCP Port listen set on port 27374 for packets? Or the traffic bridge?
Do you also have Port Explorer to spy on the packets?
And did you look in the AutostartViewer if it added autostart registry keys?
And of course in the TDS autostart explorer and Process Lists, netstat,........
TDS you have, Screx activated, as a most wonderful emulator?
You do have several possibilities, but CAREFUL please!
SmackDown
May 18th, 2003, 10:12 AM
Hi,
You can find a SUB7 cleaner here. http://www.kittanning-pa.com/downloads.html
SmackDown
Dan Perez
May 18th, 2003, 01:55 PM
Hi Corey,
If you have a registered copy of TDS, you can load the very good "SCREX" SS3 script that Andreas wrote. This includes a SubSeven emulator (which can emulate different versions) which will warn you when your "counterpart" tries to connect. Once this happens you can use some of the screx-defined commands against him.
Jooske
May 18th, 2003, 03:29 PM
Hehhh, rereading my own messages --I was so very sure I had mentioned that Screx!-- I see I did not (probably in another message recently), so I'm glad you added this, Dan!
Even though you don't need to keep the infection for that on your system, Screx will act as if you have and so will the network functions, while Screx has commands like Dan mentioned.
Andreas1
May 18th, 2003, 05:25 PM
IIRC,
S7Sniper was for S7 v2.1 or older, so it couldn't be used against your thingy. TDS has "extensions" that can be activated that allow similar things as the snipers used to do, but I'm not sure they can handle 2.2.
So, if you really want to know the internal configuration of your server you either have to analyse it yourself or send it to dcs.
To remove it, you can use TDS or the S7 cleaner that's been posted above (although I don't know that one).
Finally, if you're feeling adventurous, you can use a firewall or PE to spy on the info that the server tries to send. Probably you can set up a configuration so that the server sends its "infection successful" message to one of your machines and maybe then you can replay that against the original attacker. Best with TDS used as a Sub7 emulator - but here again, the emulator included in Screx is for an older version. I think Jazzie once started to write a S72.2 emu. You could search for it in DCS's ss3 forum (if you're a registered user).
HTHH,
Andreas
DT2k_Serial_Hacker
August 18th, 2004, 08:35 AM
Disregard my previous entry, there were mistakes in it. D-Tech2K_Serial_Hacker™
Your best bet is that the server is (in whole, or in part) your explorer file, used to launch Windows Explorer.
Do the following:
Close all programs.
type: cmd [ENTER]
type: CLS [ENTER]
type: dir \explorer.scf /s [ENTER]
WRITE DOWN THE LOCATION OF THE FILE
type: CLS [ENTER]
type: TYPE [location & \FileN.ame]
eg: C:\> TYPE C:\windows\explorer.scf
If you see anything other than the following:
[Shell]
Command=2
IconFile=explorer.exe,1
TaskBar=Explorer
type: ren [location & \FileN.ame] FileN.bak
eg: C:\> ren C:\windows\explorer.scf explorer.bak
type: EDIT [ENTER]
Go to: File>Open
Select explorer.bak, and click [OK]
Delete everything but the following:
[Shell]
Command=2
IconFile=explorer.exe,1
TaskBar=Explorer
Go to: File>[Save as...] not [Save]
type: [original file name]
eg: FileN.ame
click [OK]
Go to: File>[Exit]
type: EXIT if you are in windows
or
type: WIN to start windows
If this does not solve your problem
go back to DOS
type: del [location & \FileN.ame]
eg: C:\> del C:\windows\explorer.scf
type: ren [location & \FileN.bak] FileN.ame
eg: C:\> ren C:\windows\explorer.bak explorer.scf
type: EXIT, or WIN
then email me: dtech2000@yahoo.com
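The explorer.scf comparison in the post above, together with the win.ini autostart entries and the port 27374 listener mentioned earlier in the thread, as an added offline triage example (not code from any poster or from DiamondCS). Inputs are constructed samples, the hook file name in the win.ini sample is a placeholder, and the script only parses text you feed it; it does not touch the live system.

```python
import re

# Expected contents of a clean explorer.scf, as quoted in the post above.
CLEAN_SCF = ["[Shell]", "Command=2", "IconFile=explorer.exe,1", "TaskBar=Explorer"]
SUB7_DEFAULT_PORT = 27374  # default SubSeven listening port named earlier in the thread

def scf_extra_lines(scf_text):
    """Return non-empty lines of an explorer.scf that are not part of the clean template."""
    lines = [ln.strip() for ln in scf_text.splitlines() if ln.strip()]
    return [ln for ln in lines if ln not in CLEAN_SCF]

def winini_autostart(ini_text):
    """Return (key, value) pairs for run=/load= entries in the [windows] section of
    win.ini; a non-empty value is a legacy autostart hook that needs explaining."""
    hooks = []
    section = None
    for ln in ini_text.splitlines():
        ln = ln.strip()
        if ln.startswith("[") and ln.endswith("]"):
            section = ln[1:-1].lower()
            continue
        m = re.match(r"(run|load)\s*=\s*(.*)", ln, re.IGNORECASE)
        if section == "windows" and m and m.group(2).strip():
            hooks.append((m.group(1).lower(), m.group(2).strip()))
    return hooks

def listeners_on_port(netstat_text, port=SUB7_DEFAULT_PORT):
    """Return local addresses from `netstat -an` style output that are LISTENING on `port`."""
    found = []
    for ln in netstat_text.splitlines():
        parts = ln.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                found.append(local)
    return found

# Constructed sample inputs (not captured from a real infected machine).
SAMPLE_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,1\nTaskBar=Explorer\n"
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\example_hook.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_NETSTAT = (
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING\n"
    "  TCP    192.168.1.5:1034       64.4.0.1:25            SYN_SENT\n"
)
```

Feed it the real files and `netstat -an` output saved to text; an extra line in explorer.scf, a populated run=/load= value, or a listener on 27374 is what the thread says to look at next.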
jafee
March 2nd, 2005, 01:03 PM
This is a message displayed in my TDS-3 Control Console: "10:25:44 [Tip Of The Day] Distributed Denial-of-Service Remote Access Trojans (DDoS.RAT) represent a new breed of trojan. The first major Windows threat was WinTrinoo - DiamondCS have released a Server Sniper to prevent WinTrinoo attacks from occurring to your Windows systems - http://www.diamondcs.com.au". However, I can't find any references to this on the DCS website!! I'm just curious what this is all about. I'm not infected, but you never know when someday I will be.
mecha_man
June 30th, 2005, 03:29 AM
Yeah this thread has surely been dead for a while but I thought it might be a courtesy to google searchers.
You can download the Sub Seven Server sniper from http://www.sac.sk/files.php?d=1&l=S. The file will show up AS a trojan in both AVG and Norton, but I personally emailed Diamond CS and they replied it most certainly is not. Use at your own risk. I d/led it about a year ago and it seemed to work fine on a non AV installed computer, but I can't get the file to work now, I have AVG currently and I'm getting a weird permission error when I try to launch even though I'm admin on my comp. Hope this helps someone.
Wayne - DiamondCS
June 30th, 2005, 05:15 AM
If you've been infected with a Sub7 server feel free to email it to support(at)diamondcs.com.au and we'll extract the encrypted information out of it for you.