Sub7, Subseven

Sub7, or SubSeven or Sub7Server, is a remote administration tool/trojan program (RAT—where the "T" can have a dual meaning in this case).[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven".
Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts.
Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows XP

It was originally designed by someone with the handle 'mobman'. No development has occurred in several years until a new version scheduled for release on Feb. 28th, 2010. The Sub7 project was dormant for over 6 years until. In October 2009 mobman was alleged to have stated via IRC that due to working and going to college full-time that he will not be able to help with Sub7.

In 2006 a website ( / ( with hundreds of thousands of users kept the sub7 alive with clean downloads and support and new software. A new version was created by defcon but not released that only a hand full of people knew about and used well.

SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients.

Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into windows directory and it does not have activity logging.
According to a security analysis,[8] Sub7's server-side (target computer) features include:
sound files from a microphone attached to the machine
images from an attached video camera
screen shots of the computer
retrieving a listing of recorded and cached passwords
taking over an ICQ account used on the target machine (back then the most popular messaging service); added in version 2.1. This included the ability to disable the local use of the account and read the chat history
features which were presumably intended to be used for prank or irritating purposes including:
changing desktop colors
opening and closing the optical drive
swapping the mouse buttons
turning the monitor off/on
"text2speech" voice synthesizer which allowed the remote controller to have the computer "talk" to its user
penetration testing features, including a port scanner and a port redirector