BackDoor.TeamViewer.49 Installs via a Flash Update, Uses TeamViewer


Security researchers at Dr.Web have reported a new Trojan, dubbed BackDoor.TeamViewer.49. According to the security firm, the threat is designed to install TeamViewer on targeted systems. Why does BackDoor.TeamViewer.49 do that? To relay web traffic to specific servers, using the infected host as a proxy server. The Trojan was discovered and analyzed only recently, and its distribution process is complex and multi-stage.

Threat Summary

Type: Backdoor Trojan
Short Description: The Trojan is used to relay Web traffic and hide the cyber criminals’ real IP address.
Symptoms: The victim installs a malicious Flash update package.
Distribution Method: Via a Trojan dropper and a malicious Flash update package.
Technical Specifications of BackDoor.TeamViewer.49

Dr.Web reports that the Trojan is spread with the help of a Trojan dropper – Trojan.MulDrop6.39120. Softpedia says that the Trojan’s initial infection takes place via a corrupted Adobe Flash update package. In fact, Trojan.MulDrop6.39120 is spread online bundled with the Flash package. Once the potential victim installs the Flash update, the Trojan dropper is installed along with the TeamViewer app.

You might expect TeamViewer to be dropped in order to take over the compromised computer or to obtain sensitive information, but here it is used for something else.

Cyber criminals replace TeamViewer’s avicap32.dll with a malicious version containing BackDoor.TeamViewer.49.

The Trojan’s main payload is incorporated into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer, which automatically loads the library into the computer’s memory. All lines, imports, and functions of TeamViewer’s process are actively implemented by this malicious library. The most critical parts of the Trojan’s code are obfuscated with base64 encoding and RC4 encryption.
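A defender can hunt for the condition described above, a copy of avicap32.dll sitting beside TeamViewer.exe, across a file inventory. The following is an added example, not code from Dr.Web or from the original article; it assumes the genuine avicap32.dll is the Windows copy under the system directories, and the sample paths are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: directories where the Windows-supplied avicap32.dll is expected.
TRUSTED_DIRS = tuple(PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS"))
TARGET_DLL = "avicap32.dll"
HOST_EXE = "teamviewer.exe"

# Constructed sample inventory (e.g. an exported file listing); not real data.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\avicap32.dll",
    r"C:\Windows\SysWOW64\avicap32.dll",
    r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
    r"C:\Users\alice\AppData\Roaming\FlashUpdate\TeamViewer.exe",
    r"C:\Users\alice\AppData\Roaming\FlashUpdate\AVICAP32.DLL",
    r"C:\Temp\tools\avicap32.dll",
]


def is_trusted(directory):
    """True if directory is a trusted system directory or lies beneath one."""
    return any(directory == t or t in directory.parents for t in TRUSTED_DIRS)


def find_sideloaded_copies(inventory):
    """Return sorted (dll_path, severity) for avicap32.dll outside system dirs.

    Severity is "high" when TeamViewer.exe shares the directory, matching the
    load path the article describes; any other stray copy is "review".
    """
    by_dir = defaultdict(dict)  # directory -> {lower-cased file name: raw path}
    for raw in inventory:
        path = PureWindowsPath(raw)
        by_dir[path.parent][path.name.lower()] = raw
    findings = []
    for directory, names in by_dir.items():
        if TARGET_DLL in names and not is_trusted(directory):
            severity = "high" if HOST_EXE in names else "review"
            findings.append((names[TARGET_DLL], severity))
    return sorted(findings)


if __name__ == "__main__":
    for dll_path, severity in find_sideloaded_copies(SAMPLE_INVENTORY):
        print(f"{severity:6} {dll_path}")
```

On a real host, feed the function a file listing exported from the endpoint and follow up on each finding by checking the flagged DLL's digital signature.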

Once TeamViewer is set up and running, BackDoor.TeamViewer.49 connects to a command & control server over an encrypted channel and awaits instructions. According to Dr.Web’s research, the analyzed versions mainly operate as a Web proxy, relaying traffic they receive from the command server to the Internet. This is how cyber criminals mask their real IP address.

Dr.Web also reports that the Trojan can execute the following commands received over HTTPS:

  • disconnect—terminate the connection;
  • idle—maintain the connection;
  • updips—update the auth_ip list with the one specified in the command received;
  • connect—connect to the specified host server. The command must consist of the following parameters:
      • ip—host server’s IP address;
      • auth_swith—use authorization. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established;
      • auth_ip—IP authentication;
      • auth_login—login;
      • auth_pass—password.

How Can Users Protect Their PCs from BackDoor.TeamViewer.49?

As with other Trojans, the safest way to prevent an infection is to keep active anti-malware protection on the system. If you have been affected, refer to the removal steps below to try to remove the Trojan completely.

Manually delete BackDoor.TeamViewer.49 from your Mac

1. Uninstall BackDoor.TeamViewer.49 and remove related files and objects
2. Remove BackDoor.TeamViewer.49 – related extensions from your Mac’s browsers

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
