Security researchers at Dr.Web have reported a new Trojan, dubbed BackDoor.TeamViewer.49. According to the security firm, the threat installs a legitimate copy of TeamViewer on targeted systems, but not for remote control: it turns the compromised host into a proxy that relays web traffic to servers chosen by the attackers. The Trojan was discovered and analyzed only recently, and its distribution is a multi-stage process.
| | |
|---|---|
| Short Description | The Trojan relays web traffic through the infected host to hide the cyber criminals' real IP address. |
| Symptoms | A fake Flash update has been installed; TeamViewer appears on the system and its avicap32.dll has been replaced by a malicious copy. |
| Distribution Method | Via a Trojan dropper (Trojan.MulDrop6.39120) bundled with a malicious Flash update package. |
Technical Specifications of BackDoor.TeamViewer.49
Dr.Web reports that the Trojan is spread with the help of a Trojan dropper, Trojan.MulDrop6.39120. According to Softpedia, the initial infection takes place via a fake Adobe Flash update package: Trojan.MulDrop6.39120 is distributed online bundled with it. When the victim runs the supposed Flash update, the dropper is installed and in turn installs the TeamViewer application.
TeamViewer is not dropped for the purpose one might expect, namely taking over the compromised computer or stealing sensitive information. It serves as a host process for something else.
The cyber criminals replace TeamViewer's avicap32.dll with a malicious version that contains BackDoor.TeamViewer.49.
The Trojan's main payload lives in this library. avicap32.dll is a standard Windows video-capture library that TeamViewer normally loads from the system directory; because the Windows loader searches an application's own folder before the system folder, dropping a same-named file next to TeamViewer.exe is enough to have it loaded instead (a DLL search-order hijack). Trojan.MulDrop6.39120 runs TeamViewer, which loads the malicious library into memory. The library supplies the imports and functions that TeamViewer's process expects, so the application keeps working while the Trojan executes inside it. The most critical parts of the Trojan's code are obfuscated with RC4 encryption and base64 encoding (base64 on its own is an encoding, not encryption, and adds no secrecy).
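The search-order hijack described above is easy to check for on a host. The following Python is an added example, not code from the article or from Dr.Web: it scans an application folder for DLLs whose names collide with Windows system libraries and reports their hashes, optionally against a known-good baseline. The folder contents it scans are constructed in a temporary directory, the baseline hash is a placeholder, and the two names beyond avicap32.dll in the watch list are an assumption added for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# avicap32.dll is the Windows video-capture library TeamViewer loads and the one
# this Trojan replaces. The other two names are common sideloading targets added
# here as an illustrative assumption; extend the set to suit your environment.
SYSTEM_DLL_NAMES = {"avicap32.dll", "version.dll", "dwmapi.dll"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir: Path,
                        known_good: Optional[Dict[str, str]] = None) -> List[dict]:
    """List DLLs in app_dir that shadow a system DLL.

    For a library that is not on the KnownDLLs list, the Windows loader searches
    the application's own directory before the system directory, so a file
    named avicap32.dll next to TeamViewer.exe is loaded instead of the real one.
    Every such file is reported; if a baseline of known-good SHA-256 hashes is
    supplied, the report also says whether the file matches it.
    """
    findings = []
    for entry in sorted(app_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        name = entry.name.lower()
        if name not in SYSTEM_DLL_NAMES:
            continue
        digest = sha256_file(entry)
        finding = {
            "name": name,
            "path": str(entry),
            "sha256": digest,
            "matches_baseline": None,  # None when no baseline hash is known
        }
        if known_good is not None and name in known_good:
            finding["matches_baseline"] = known_good[name].lower() == digest
        findings.append(finding)
    return findings


def demo() -> List[dict]:
    """Scan a constructed TeamViewer-like folder (sample bytes, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "TeamViewer"
        app.mkdir()
        (app / "TeamViewer.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (app / "tv_w32.dll").write_bytes(b"MZ legitimate helper")       # not a system DLL name
        (app / "avicap32.dll").write_bytes(b"MZ not the real avicap32")  # shadows the System32 copy
        baseline = {"avicap32.dll": "0" * 64}  # placeholder hash, deliberately non-matching
        return find_shadowing_dlls(app, baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: {f['path']} sha256={f['sha256']} "
              f"baseline_match={f['matches_baseline']}")
```

On a real host, point `find_shadowing_dlls` at the TeamViewer installation directory and feed it the hash of the avicap32.dll from the system directory as the baseline; any hit with `matches_baseline` False (or None, if you have no baseline) deserves a closer look.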
Once TeamViewer is running, BackDoor.TeamViewer.49 connects to a command and control server over an encrypted channel (HTTPS, according to Dr.Web) and waits for instructions. The analyzed samples mainly operate as a web proxy, relaying traffic received from the command server to the Internet. This is how the cyber criminals mask their real IP address: the destination sees the infected host's address, not theirs.
Dr.Web also reports that the Trojan can execute the following commands received over HTTPS:
- disconnect: terminate the connection;
- idle: keep the connection alive;
- updips: replace the auth_ip list with the one specified in the received command;
- connect: connect to the specified host server. The command carries the following parameters:
  - ip: the host server's IP address;
  - auth_swith: whether to use authorization. If the value is "1", the Trojan expects the auth_login and auth_pass parameters; if it is "0", the Trojan expects the auth_ip parameter; any other value and the connection is not established;
  - auth_ip: IP-based authentication.
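The command list above, as an added example that is not part of Dr.Web's report: a Python handler that applies the documented semantics (disconnect, idle, updips, and connect with auth_swith selecting password or IP authorization and refusing anything else) and can be used to script test sessions against a sandboxed sample or to build detection logic around the same states. The dictionary shape of a command, the exact key names for login and password, and the sample session are assumptions; the article does not describe the wire format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RelayState:
    """What the bot keeps between commands: current upstream, IP allow-list, liveness."""
    connected_to: Optional[str] = None
    auth_ips: List[str] = field(default_factory=list)
    alive: bool = True


def _valid_ip(value) -> bool:
    """True for a syntactically valid IPv4/IPv6 address, False for anything else (including None)."""
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def handle_command(state: RelayState, cmd: Dict) -> str:
    """Apply one C2 command to the state and return a short status string.

    Semantics follow the Dr.Web list; the dict layout and the key names
    auth_login / auth_pass / auth_ip are assumptions about the wire format.
    """
    if not state.alive:
        return "rejected:session-closed"
    name = cmd.get("cmd")
    if name == "disconnect":
        state.connected_to = None
        state.alive = False
        return "disconnected"
    if name == "idle":
        return "idle"
    if name == "updips":
        ips = cmd.get("auth_ip", [])
        if not isinstance(ips, list) or not all(_valid_ip(ip) for ip in ips):
            return "rejected:bad-auth_ip-list"
        state.auth_ips = list(ips)
        return f"updips:{len(state.auth_ips)}"
    if name == "connect":
        ip = cmd.get("ip")
        if not _valid_ip(ip):
            return "rejected:bad-ip"
        switch = str(cmd.get("auth_swith", ""))
        if switch == "1":                       # password authorization
            if not cmd.get("auth_login") or not cmd.get("auth_pass"):
                return "rejected:missing-credentials"
        elif switch == "0":                     # IP authorization
            if not _valid_ip(cmd.get("auth_ip")):
                return "rejected:missing-auth_ip"
        else:                                   # any other value: no connection
            return "rejected:bad-auth_swith"
        state.connected_to = str(ip)
        return f"connected:{state.connected_to}"
    return f"unknown:{name}"


def run_session(commands: List[Dict]) -> List[str]:
    """Feed a command sequence through a fresh RelayState and collect the results."""
    state = RelayState()
    return [handle_command(state, c) for c in commands]


# Constructed command sequence using RFC 5737 documentation addresses; not captured traffic.
SAMPLE_SESSION = [
    {"cmd": "idle"},
    {"cmd": "updips", "auth_ip": ["198.51.100.7", "198.51.100.8"]},
    {"cmd": "connect", "ip": "203.0.113.10", "auth_swith": "1",
     "auth_login": "relay", "auth_pass": "hunter2"},
    {"cmd": "connect", "ip": "203.0.113.11", "auth_swith": "0", "auth_ip": "198.51.100.7"},
    {"cmd": "connect", "ip": "203.0.113.12", "auth_swith": "2"},
    {"cmd": "disconnect"},
    {"cmd": "idle"},
]

if __name__ == "__main__":
    for c, r in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        print(f"{c['cmd']:<10} -> {r}")
```

The rejected branches are the ones worth keeping in mind when writing detection around this family: a sample that honours auth_swith strictly will open no upstream connection for malformed commands, so a sandbox run that only replays well-formed connect commands will not exercise them.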
How Can Users Protect Their PCs from BackDoor.TeamViewer.49?
As with other Trojans, the most reliable protection is active anti-malware software on the system, combined with never installing Flash updates offered by third-party sites, since that is how this sample is delivered. If TeamViewer appeared on a machine without being deliberately installed, check its folder for an avicap32.dll that does not match the copy in the Windows system directory. If you have been affected, refer to the removal steps below to remove the Trojan completely.
Manually delete BackDoor.TeamViewer.49 from Windows
Note: manual removal of BackDoor.TeamViewer.49 involves changes to system files and the registry, and mistakes there can damage your PC. If your computer skills are not at a professional level, a malware removal tool is the safer and quicker option.