SubSeven is a backdoor program aimed mainly at Windows. It lets a remote attacker retrieve saved and cached passwords (and decrypt some of them) and modify registry settings and files on the victim's system.
Once resident on an infected computer, the trojan copies itself into the Windows directory under the original name of the file from which it was run. It then unpacks a DLL (dynamic link library) into the Windows system directory and edits the Windows Registry so that SubSeven is started every time Windows boots.
It can also sniff packets on the local network, and its server component can listen on a randomly chosen port rather than a fixed one, which makes it harder to spot by port number alone.
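The two traces described above, a Run-key value pointing at a file dropped in the Windows directory and a listener on a port the host did not have before, are what a responder checks first. The following triage script is an added example, not code from the page or from SubSeven itself: it parses the text a responder would collect with `reg query ... /s` and `netstat -ano` and flags Run entries whose target sits directly in the Windows directory, listening TCP ports absent from a baseline, and the peers of whichever process owns such a port. The registry and netstat dumps embedded below are constructed for the example; the Windows path, the file name `setup.exe`, the PIDs, the ports and the baseline are all assumptions.

```python
"""Host triage for SubSeven-style persistence and listeners.

Added example (not SubSeven's own code). Parses constructed text dumps in
the shape of `reg query <Run key>` and `netstat -ano` output and flags:
  * Run values whose executable lives directly in the Windows directory
  * listening TCP ports that are not in an expected-ports baseline
  * established connections owned by the process behind such a port
"""
import ntpath   # Windows path semantics even when run on Linux/macOS
import re

WINDIR = r"C:\WINDOWS"   # assumed location of the Windows directory

# Constructed sample, same layout as
#   reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_DUMP = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinLoader         REG_SZ           C:\WINDOWS\setup.exe
"""

# Constructed sample, same layout as `netstat -ano`
NETSTAT_DUMP = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:61422          0.0.0.0:0              LISTENING       3188
  TCP    192.168.1.20:61422     203.0.113.7:1080       ESTABLISHED     3188
"""

LISTEN_BASELINE = {135, 445}   # assumed: ports this host is expected to listen on


def parse_run_entries(dump):
    """Return [(value_name, executable_path)] for each value in a reg query dump."""
    entries = []
    for line in dump.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$", line)
        if not m:                       # key header or blank line
            continue
        name, data = m.group(1), m.group(3)
        # expand the two variables Run keys commonly use (lambda avoids
        # backslash escapes in the replacement string)
        data = re.sub(r"%(windir|systemroot)%", lambda _: WINDIR, data, flags=re.I)
        if data.startswith('"'):
            path = data[1:].split('"', 1)[0]    # quoted path, arguments follow
        else:
            path = data.split(" ", 1)[0]         # unquoted: first token is the path
        entries.append((name, path))
    return entries


def suspicious_run_entries(dump, windir=WINDIR):
    """Names of Run values whose target file sits directly in the Windows directory."""
    want = ntpath.normcase(windir)
    return [name for name, path in parse_run_entries(dump)
            if ntpath.normcase(ntpath.dirname(path)) == want]


def unexpected_listeners(dump, baseline):
    """Map listening TCP port -> owning PID for ports missing from the baseline."""
    found = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # works for IPv4 and [::]:port
        if port not in baseline:
            found[port] = int(parts[4])
    return found


def peers_for_pid(dump, pid):
    """Foreign endpoints of established TCP connections owned by pid."""
    return [parts[2] for parts in (l.split() for l in dump.splitlines())
            if len(parts) == 5 and parts[0] == "TCP"
            and parts[3] == "ESTABLISHED" and int(parts[4]) == pid]


if __name__ == "__main__":
    for name in suspicious_run_entries(RUN_KEY_DUMP):
        print(f"Run value {name!r} starts a file dropped in {WINDIR}")
    for port, pid in unexpected_listeners(NETSTAT_DUMP, LISTEN_BASELINE).items():
        print(f"unexpected listener tcp/{port} (PID {pid}); "
              f"established peers: {peers_for_pid(NETSTAT_DUMP, pid)}")
```

On the constructed dumps this flags the `WinLoader` value (its target is in the Windows directory root, where the trojan copies itself) and the listener on tcp/61422 owned by PID 3188. The same PID's established connection to a peer on port 1080, the conventional SOCKS port, is the kind of detail worth noting when the operator is expected to come in through a proxy rather than from their own address; it is a hint, not proof, since any service can use that port.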
New in this version is SOCKS4/5 proxy support, which lets an attacker disguise their origin by connecting through an alternate IP address: the proxy places another machine between attacker and victim, so the victim sees the proxy's address rather than the attacker's.
Also new are built-in CGI scripting utilities that let the trojan automatically post the addresses of compromised systems to a web page, so attackers can collect and distribute lists of vulnerable machines remotely.
SubSeven 2.2 also adds notification of the attacker through IRC, ICQ and email. It can log keystrokes and send the log by email without the user noticing.
Also built in are features designed to trick users into revealing their passwords, such as fake log-in screens that mimic programs like ICQ.