Most of this page uses content from Wikipedia. The original article was at Sub7. The page may have contained some inaccurate or outdated information, so please edit it so it contains better information.
The list of authors can be seen in the page history. As with Malware Wiki, the text of Wikipedia is available under the Creative Common Attribution-ShareAlike 3.0 License.
Remove this template when most of the Wikipedia content has been removed or the Wikipedia information is outnumbered by non-Wikipedia information.
Sub7, or SubSeven or Sub7Server is a trojan and a Remote Administration Tool. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven".
Sub7 v2

Sub7 v2.15 (Download Link Broken)

Sub7 Demo


It was originally designed by someone with the handle 'mobman'. No development has occurred in several years until a new version scheduled for release on Feb. 28th, 2010. The Sub7 project was dormant for over 6 years until its return in July 2009 when mobman and fc revived the project, marking 10 years after its original creation in 1999. In October 2009 mobman informed fc and the sub7crew via IRC that due to working and going to college full time that he will not be able to help with the current development of Sub7.


Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC.

Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into windows directory and it does not have activity logging.

Version 2.3

SubSeven 2.3 was released on March 9, 2010 after over 11 years since SubSevens initial creation by mobman, and 6 years since the last release 2.1.5 that is now unable to run on modern computers XP/Vista/Windows 7. Version 2.3 was released by Read101 with rumours of mobmans blessing and backing of the continuation of the SubSeven project.

SubSeven 2.3 has been revamped to work on all 32bit and 64bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients.

Further Information

SubSeven has been used to gain unauthorized access to computers. While it can be used for making mischief (such as making sound files play out of nowhere, change screen colors, etc.), it can also read keystrokes that occurred since the last boot—a capability that can be used to steal passwords and credit card numbers.

In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7.

Nearly all antivirus programs can detect Sub7 and prevent it from being installed.