SubSeven Backdoor for Windows 9x allows unimpeded remote access to infected machines

Risk Level: High

Check or Attack Name: SubsevenBackdoor

Platforms: Windows 95, Windows 98, Trojan Horse: Windows
Description:

SubSeven is a backdoor (Trojan horse) for Windows 9x that gives an attacker access to an infected machine without the user noticing. Once the backdoor is installed and listening, the attacker can completely control the machine remotely.

Remedy:

In the registry, inspect the key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices for entries that should not be there. On a default Windows 98 installation the only entries under this key are LoadPowerProfile and SchedulingAgent. By default, SubSeven adds a value named KERNEL16 whose data is KERNEL16.DL, but both the file name and the registry value SubSeven uses to start at boot time are easily configurable, so treat any entry other than the known default ones as suspect rather than searching only for KERNEL16.
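The check above can be automated against an export of the key. The following script is an added example, not part of the ISS advisory: it parses a REGEDIT4-format export (the format Windows 9x produces with regedit /e) of the RunServices key and reports every value that is not on the known-good list, so a renamed SubSeven entry is caught as well as the default KERNEL16 one. The allowlist is the two default Windows 98 entries named in the remedy; the sample export embedded in the script is constructed for the example and the file name runservices.reg is an assumption.

```python
"""Flag unexpected autostart entries in an exported RunServices key.

Added example, not part of the ISS advisory. Parses a REGEDIT4 export such
as Windows 9x produces with (file name is an assumption):

    regedit /e runservices.reg "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"

and reports every value not on the known-good list.
"""
import re

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Default Windows 98 entries named in the advisory; anything else is suspect.
KNOWN_GOOD = {"LoadPowerProfile", "SchedulingAgent"}

# Constructed sample export: two default entries plus SubSeven's default
# KERNEL16 entry. A real infection may use any name, which is why the check
# is an allowlist comparison rather than a lookup for "KERNEL16".
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"KERNEL16"="KERNEL16.DL"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # REGEDIT4 escapes backslashes and double quotes inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_regedit4(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 export.

    Quoted string data is unescaped; other data types (dword:, hex:) are
    kept as their raw text. The key's default value is stored under "@".
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "@", line[2:]
        else:
            m = _VALUE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def suspicious_runservices(text, known_good=KNOWN_GOOD):
    """Return sorted [(name, data)] for RunServices values not on the allowlist.

    Registry value names are case-insensitive, so the comparison is too.
    """
    values = parse_regedit4(text).get(RUNSERVICES_KEY, {})
    good = {n.lower() for n in known_good}
    return sorted((n, d) for n, d in values.items() if n.lower() not in good)


if __name__ == "__main__":
    for name, data in suspicious_runservices(SAMPLE_EXPORT):
        print(f"unexpected RunServices entry: {name!r} -> {data!r}")
```

Against the constructed export the script reports only the KERNEL16 entry. On a real machine, run it on the export of the actual key and investigate every reported entry by locating the referenced file; a value the user or a known application did not install is the indicator, whatever it is named.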

References:

SubSeven Home Page, SubSeven Backdoor, http://come.to/subseven

ISS Security Advisory #30, Windows Backdoor Update III, http://xforce.iss.net/alerts/advise30.php3
