sub7 help



Subseven 2.1.x tutorial

I chose the 2.1 version because it has been the most stable version up to 02/08/2002.
If you don't know what Subseven is, I'll explain it briefly here: Subseven is a R.A.T., aka Remote Admin Tool.
You can use it to have full access to any system running MS Windows by executing a file called server.exe on it.

In this version we have only 3 files to explain about :

(Subseven.exe) which is the client, or what you will use to control the target machine

(Edit server.exe) is what you will use to configure your server.exe to suit whatever you want.

(Server.exe) and this is what you want to run on the target machine, not on yours!!!

SubSeven Client :


SubSeven 2.1.4 AKA DEFCON8.
The current most stable version. Basically, click on the section you need help with; I hope everything will be understandable and clear. You need to have a little experience with s7's client because I am not going to explain every single thing. If you want a brief explanation of something, just mouse over it.

SubSeven Client supports all versions of Windows. You can use it under 9x, NT, 2k or XP. If you are having problems with XP, do the following to fix some of the errors:
1- Select your client executable, subseven.exe.
2- Right-click on it, then choose Properties.
3- Click on the Compatibility tab and check "Disable visual themes".
4- Select "Run this program in compatibility mode for" and choose Windows 98/ME.

If you want to know more about the credits, click on the subseven icon in the upper left, and if you want to get the latest news about subseven, click on "read latest news". Finally, the status bar is useful when we want to know whether the victim is connected or not. "idle - ready for action" is what it says now.

Main Menu here :

I put this section here because it's very simple and short and you are supposed to know how to deal with it.
1- You have to enter the IP address or ICQ uin to connect to a victim.
2- If you configured the server using editserver, you are supposed to know which port you used there.
3- Got static IP victims? Click on the address book to save them.
4- Finally, the part that I am going to explain in more detail: the ip tools at the upper right near the "X".

If you got your victim's host name or ICQ uin, you could use this tool to get the real IP. Just enter the hostname or the uin and resolve.


EditServer :

Subseven 2.1.4 Defcon Edit Server
This is the utility used to customise your servers to your own preferences. Click on the image in the area you need help with to view help. As before, in the client section, I hope everything will be easy for you to understand.


1-Start Up Methods

2-Notification Online
Notification methods include:

  • ICQ Notification
  • IRC Notification
  • E-Mail Notification


  • Port settings
  • Server password
  • Protect server port and password
  • IRC Bot
  • Server name
  • Melt server
  • Enable fake error message
  • Bind server

4-Protect server

5-Saving options

  • Save new settings
  • Save new copy of server with new settings
  • Quit without saving

Intro :-

This section will show you some basic info about making your server.exe undetected and infecting other people using server.exe

Words you need to know :

  1. Packer or Compressor - program used to "pack" or "compress" a file, which would decrease it in size.
  2. Binary - Any file that is not a text file, this word is most commonly used to describe executables, but jpeg files can also be described as binary.
  3. (Detected) String or Signature - a piece of information in a file that the AV searches for to see if the file is a virus or not
  4. AV - Anti Virus software like McAfee, Norton, Kaspersky, or any other program that claims to be able to detect and clean viruses
  5. Vic - person you have infected, or are trying to infect, given this name because it's short for VICTIM (obviously)
  6. Uploader - Mini-Trojan that has a very small server size and can be used to download a much bigger Trojan without the victim knowing.

How to Make a server Undetected :


1) Getting hold of an UNCOMPRESSED copy of a server and then compressing it yourself. It's always good to compress it yourself so as to heighten the chances of it being undetected, especially if you use a lesser-known packer other than UPX, seeing as the binary signature UPX leaves is very common among most servers; the detected string has a better chance of being encrypted in a lesser-known way with an unpopular packer. The UPX-encrypted server is no doubt in any AV's database.

2) Binding the server to another file, preferably another EXE, which would make the detected string more difficult to find with AV. It's possible to bind to a .JPG, but the result file would still need to have the .EXE extension, or any other type of executable binary file extension, for example *.com or *.scr, and there are many more to be found by you...RESEARCH!

3) Binding the server to multiple files, which would also lessen the probability of the detected string being found by AV by incorporating the signatures of many other files, and this can hopefully "trick" the victim's AV.

4) It's recommended that you use an UPLOADER Trojan, because usually their server size is very, very small, and they're much easier to use when binding with other files without the result file being so big as to tip off the victim that it is a virus. It's also much easier to compress these uploader servers and make them not only much smaller, but also undetected. Good things :)

5) The next way is a very complicated method, and I won't go into it in detail here, but just to whet your thirst for the idea, I'll explain a little. You can hex edit a server, search for the detected string in the server and remove it. To take this idea to the next level you will need a hex editor, a SPLICER (a program used to split files into smaller multiple parts), an uncompressed server and a reference telling you what string to look for, or you can look for it yourself. You should be able to splice the server into about 10-100 or more 2KB files. You should virus scan each one of these files and find out which one sets off the AV alarm; in this file is the virus signature, and you should match what you find inside this file with the same contents in the unspliced server. If you browse the web enough, you should be able to find out more information about this method. Good luck.

Infection Methods by !happykl0wn (edited by FuX0reD) :

1) edit the server and rename it something like: "pic.jpg_____________________.exe" (use spaces instead of _) and then send it through AIM file transfer (not direct connect)... this method works especially well on ICQ file transfers...

Now if your server is should be great to go.

2) I've found that blatantly lying to people works great too... I told someone I would send them an animation with monkeys playing guitar, but that I was really playing guitar and I made it look like the monkeys were. When you do this you should edit the server with the icon that looks like a video camera (whatever works, you know?)...and an error message with something like "File msdll video codec was not found"

3) Pretending to have warez on IRC can also get your way into someone's PC. This method works good because of all the warez fuss going on about IRC these days.

Most of these methods are included above in the Undetected section, but these can also be useful; the main one is number 2 :), and remember, any of these can also be used against you in an effort to infect j00r ass.
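
A defender's check for the disguised file name described in method 1 above, as an added example that is not part of the original tutorial: it flags a received file whose real extension is executable but which carries a decoy extension or a long run of spaces. The extension lists, the five-character padding threshold and the sample names are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# .exe/.com/.scr are the extensions named on the page; .pif/.bat/.cmd are
# added here as other well-known Windows executable types (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Extensions a user reads as harmless media or documents (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".txt", ".doc",
              ".pdf", ".avi", ".mpg", ".mp3", ".wav"}
PADDING_RUN = re.compile(r"\s{5,}")            # 5+ whitespace chars (threshold assumed)
INNER_EXT = re.compile(r"\.[A-Za-z0-9]{2,4}(?=[\s.]|$)")

def analyze_filename(name: str) -> list[str]:
    """Return the reasons a received file name looks disguised (empty if none)."""
    base = PureWindowsPath(name).name
    # Windows ignores trailing dots and spaces, so strip them before
    # deciding which extension the shell will actually act on.
    effective = base.rstrip(". ")
    stem, dot, last = effective.rpartition(".")
    real_ext = (dot + last).lower() if dot else ""
    if real_ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    inner = {m.group(0).lower() for m in INNER_EXT.finditer(stem)}
    decoys = sorted(inner & DECOY_EXTS)
    if decoys:
        reasons.append(f"decoy extension {decoys[0]} before real extension {real_ext}")
    if PADDING_RUN.search(stem):
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons

def is_suspicious(name: str) -> bool:
    return bool(analyze_filename(name))

# Constructed sample names, e.g. from a mail gateway or file-transfer log.
SAMPLE_NAMES = [
    "pic.jpg" + " " * 25 + ".exe",   # the pattern from method 1
    "report.pdf.scr",                # double extension, no padding
    "pic.jpg .exe ",                 # trailing space after the real extension
    "setup.exe",                     # ordinary installer name
    "holiday.jpg",                   # ordinary image name
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", analyze_filename(n) or "ok")
```

Run it over attachment or transfer logs; a hit on both reasons together is the strongest signal, since ordinary software rarely ships names with padded whitespace.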