
BackDoor.TeamViewer.49 Installs via a Flash Update, Uses TeamViewer


Security researchers at Dr.Web have reported a new Trojan, dubbed BackDoor.TeamViewer.49. According to the security firm, the threat is designed to install TeamViewer on targeted systems. Why does BackDoor.TeamViewer.49 do that? To relay web traffic to specific servers, using the infected host as a proxy server. The Trojan was discovered and analyzed only recently, and its distribution process is complex and multi-stage.

Threat Summary

Name: BackDoor.TeamViewer.49
Type: Backdoor Trojan
Short Description: The Trojan is used to relay Web traffic and hide the cyber criminals’ real IP address.
Symptoms: The victim installs a malicious Flash update package.
Distribution Method: Via a Trojan dropper and a malicious Flash update package.
Detection Tool: See If Your System Has Been Affected by BackDoor.TeamViewer.49
User Experience: Join Our Forum to Discuss BackDoor.TeamViewer.49.

Technical Specifications of BackDoor.TeamViewer.49

Dr.Web reports that the Trojan is spread with the help of a Trojan dropper – Trojan.MulDrop6.39120. Softpedia says that the Trojan’s initial infection takes place via a corrupted Adobe Flash update package. In fact, Trojan.MulDrop6.39120 is spread online bundled with the Flash package. Once the potential victim installs the Flash update, the Trojan dropper is installed along with the TeamViewer app.

Contrary to what you might expect TeamViewer to be dropped for (taking over the compromised computer or obtaining sensitive information), it is used for something else.

Cyber criminals replace TeamViewer’s avicap32.dll with a malicious version containing BackDoor.TeamViewer.49.

The Trojan’s main payload is built into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer, which automatically loads the library into the process’s memory. All strings, imports, and functions of the TeamViewer process are actively handled by this malicious library. The most critical parts of the Trojan’s code are base64-encoded and RC4-encrypted.

Once TeamViewer is set up and running, BackDoor.TeamViewer.49 connects to a command & control server over an encrypted channel and awaits instructions. According to Dr.Web’s research, the analyzed versions mainly operate as a Web proxy, relaying the traffic they receive from the command server onward to the Internet. This is how the cyber criminals mask their real IP address.

Dr.Web also reports that the Trojan can execute the following commands received over HTTPS:

  • disconnect—terminate the connection;
  • idle—maintain the connection;
  • updips—update the auth_ip list with the one specified in the received command;
  • connect—connect to the specified host server. The command must carry the following parameters:
      • ip—host server’s IP address;
      • auth_swith—use authorization. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan receives the auth_ip parameter. Otherwise, the connection is not established;
      • auth_ip—IP authentication;
      • auth_login—login;
      • auth_pass—password.
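As an added example (not part of Dr.Web’s report or this article), here is how an analyst might reverse the base64-plus-RC4 layering described above and then apply the connect rules from the list to a decoded command. The key, the “name param=value” layout and the sample blob are constructed assumptions; the write-up gives none of them.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_blob(blob: str, key: bytes) -> str:
    """Undo the layering the write-up describes: base64 on the outside, RC4 underneath."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8")

def classify_command(text: str) -> dict:
    """Apply the command rules from the list above. The 'name k=v k=v' layout is an assumption."""
    parts = text.split()
    name = parts[0]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if name in ("disconnect", "idle"):
        return {"command": name, "accepted": True}
    if name == "updips":  # needs the replacement auth_ip value
        return {"command": name, "accepted": "auth_ip" in params}
    if name == "connect":
        mode = params.get("auth_swith")
        if mode == "1":
            needed = {"ip", "auth_login", "auth_pass"}
        elif mode == "0":
            needed = {"ip", "auth_ip"}
        else:  # any other value: the connection is not established
            needed = None
        return {"command": name, "accepted": needed is not None and needed <= set(params)}
    return {"command": name, "accepted": False}  # unknown command

# Constructed sample: a command encrypted with a throwaway key, then base64-encoded.
SAMPLE_KEY = b"example-key"  # assumption: the real key is not given in the write-up
SAMPLE_BLOB = base64.b64encode(
    rc4(SAMPLE_KEY, b"connect ip=203.0.113.10 auth_swith=1 auth_login=u auth_pass=p")).decode()

if __name__ == "__main__":
    print(classify_command(decode_blob(SAMPLE_BLOB, SAMPLE_KEY)))
```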

How Can Users Protect Their PCs from BackDoor.TeamViewer.49?

As with other Trojans, the most secure way to prevent an infection is to have active anti-malware protection on the system. If you have been affected, refer to the removal steps below to try to remove the Trojan completely.

Manually delete BackDoor.TeamViewer.49 from Windows

Note! Important notice about the BackDoor.TeamViewer.49 threat: Manual removal of BackDoor.TeamViewer.49 requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Remove or Uninstall BackDoor.TeamViewer.49 in Windows
2. Fix registry entries created by BackDoor.TeamViewer.49 on your PC

Automatically remove BackDoor.TeamViewer.49 by downloading an advanced anti-malware program

1. Remove BackDoor.TeamViewer.49 with SpyHunter Anti-Malware Tool
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
