
Security researchers at Dr.Web have reported a new Trojan, dubbed BackDoor.TeamViewer.49. According to the security firm, the threat is designed to install TeamViewer on targeted systems. Why does BackDoor.TeamViewer.49 do that? To relay web traffic to specific servers, using the infected host as a proxy. The Trojan was discovered and analyzed only recently, and its distribution process is complex and multi-stage.

Threat Summary

Name: BackDoor.TeamViewer.49
Type: Backdoor Trojan
Short Description: The Trojan is used to relay Web traffic and hide the cyber criminals' real IP address.
Symptoms: The victim installs a malicious Flash update package.
Distribution Method: Via a Trojan dropper and a malicious Flash update package.

Technical Specifications of BackDoor.TeamViewer.49

Dr.Web reports that the Trojan is spread with the help of a Trojan dropper – Trojan.MulDrop6.39120. Softpedia says that the Trojan’s initial infection takes place via a corrupted Adobe Flash update package. In fact, Trojan.MulDrop6.39120 is spread online bundled with the Flash package. Once the potential victim installs the Flash update, the Trojan dropper is installed along with the TeamViewer app.

Contrary to what one might expect, TeamViewer is not dropped to take over the compromised computer or to steal sensitive information; it is used for something else.

Cyber criminals replace TeamViewer’s avicap32.dll with a malicious version containing BackDoor.TeamViewer.49.

The Trojan's main payload lives inside the avicap32.dll library. Trojan.MulDrop6.39120 launches TeamViewer, which loads the library into memory automatically: avicap32.dll is a legitimate Windows DLL that TeamViewer imports, and because Windows resolves a plain DLL name by looking in the application's own directory before the system directory, the malicious copy placed beside TeamViewer.exe is loaded instead of the genuine one (classic DLL side-loading). The malicious library wraps all the strings, imports and functions of the TeamViewer process. The most critical parts of the Trojan's code are base64-encoded and RC4-encrypted.
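The side-loading check that follows from this is worth having in a hunting script. The Python below is an added example and not code from the page or from Dr.Web: it walks an inventory of loaded modules (the constructed sample mirrors what Sysinternals ListDLLs or a memory dump would report) and flags any DLL whose name belongs in the Windows system directory but that was loaded from elsewhere, noting when it sits right beside the process executable. The list of system-only DLL names beyond avicap32.dll, the directory layout and the record format are assumptions.

```python
import ntpath

# Windows DLLs that normally live only in the system directory. TeamViewer imports
# avicap32.dll (from the page); the other names are assumptions, typical entries an
# analyst would keep in such a list.
SYSTEM_ONLY_DLLS = {"avicap32.dll", "msvfw32.dll", "version.dll"}

# Directories from which loading one of those DLLs is expected (64- and 32-bit).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample inventory: (pid, process image path, loaded module path).
SAMPLE_MODULES = [
    (4120, r"C:\Program Files\TeamViewer\TeamViewer.exe", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    (4120, r"C:\Program Files\TeamViewer\TeamViewer.exe", r"C:\Program Files\TeamViewer\avicap32.dll"),
    (4120, r"C:\Program Files\TeamViewer\TeamViewer.exe", r"C:\Windows\System32\kernel32.dll"),
    (2210, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\avicap32.dll"),
    (3301, r"C:\Tools\app\app.exe", r"C:\Tools\app\version.dll"),
]


def find_sideloaded(modules):
    """Return one finding per module whose base name is a system-only DLL but which
    was loaded from a directory other than the Windows system directories."""
    findings = []
    for pid, image, module in modules:
        name = ntpath.basename(module).lower()
        if name not in SYSTEM_ONLY_DLLS:
            continue
        mod_dir = ntpath.dirname(module).lower()
        if mod_dir in SYSTEM_DIRS:
            continue  # loaded from the expected location
        findings.append({
            "pid": pid,
            "process": ntpath.basename(image),
            "module": module,
            # The classic side-load pattern: the rogue DLL is dropped next to the EXE.
            "beside_exe": mod_dir == ntpath.dirname(image).lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_sideloaded(SAMPLE_MODULES):
        print(finding)
```

A hit on TeamViewer.exe with avicap32.dll loaded from the TeamViewer program directory is exactly the condition the page describes; in practice the next step is to hash the flagged file and compare it with the genuine copy in System32.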

Once TeamViewer is up and running, BackDoor.TeamViewer.49 connects to a command and control server over an encrypted channel and awaits instructions. According to Dr.Web's research, the analyzed versions mainly operate as a Web proxy, relaying the traffic they receive from the command server on to the Internet. This is how the cyber criminals mask their real IP address.

Dr.Web also reports that the Trojan can execute the following commands received over HTTPS:

  disconnect: terminate the connection;
  idle: maintain the connection;
  updips: replace the auth_ip list with the one specified in the command received;
  connect: connect to the specified host server. The command must carry the following parameters:
      ip: the host server's IP address;
      auth_swith: use authorization (the parameter name is spelled this way in Dr.Web's report). If the value is "1", the Trojan expects the auth_login and auth_pass parameters; if it is "0", the Trojan expects the auth_ip parameter; for any other value the connection is not established;
      auth_ip: IP-based authentication;
      auth_login: login;
      auth_pass: password.
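The command semantics above, as an added example that is not code from the page or from Dr.Web: a Python model of the dispatcher an analyst might write for a C2 emulator or sandbox harness, applying the auth_swith rules exactly as reported (the IP validation and the rejection of malformed updips lists are added hardening). Field names are taken from the report as written; the dict representation of a command, the return strings and the sample sequence are assumptions, since the wire framing is not described.

```python
import ipaddress


def _valid_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


class ProxyCommandModel:
    """Model of the backdoor's command handling as Dr.Web describes it. Commands are
    passed in as dicts with a 'cmd' key (assumption); results are returned as strings."""

    def __init__(self):
        self.auth_ips = []    # list maintained by the updips command
        self.upstream = None  # (ip, auth tuple) of the current relay target, if any

    def handle(self, cmd):
        kind = cmd.get("cmd")
        if kind == "disconnect":
            self.upstream = None
            return "disconnected"
        if kind == "idle":
            return "keepalive"
        if kind == "updips":
            ips = cmd.get("auth_ip")
            if not isinstance(ips, list) or not all(_valid_ip(x) for x in ips):
                return "rejected: bad auth_ip list"
            self.auth_ips = list(ips)
            return "auth_ip list updated (%d entries)" % len(ips)
        if kind == "connect":
            return self._connect(cmd)
        return "rejected: unknown command"

    def _connect(self, cmd):
        ip = cmd.get("ip")
        if not _valid_ip(ip):
            return "rejected: bad ip"
        switch = cmd.get("auth_swith")
        if switch == "1":  # credential-based upstream authentication
            if "auth_login" not in cmd or "auth_pass" not in cmd:
                return "rejected: missing credentials"
            self.upstream = (ip, ("login", cmd["auth_login"], cmd["auth_pass"]))
            return "connected with credentials"
        if switch == "0":  # IP-based upstream authentication
            if "auth_ip" not in cmd:
                return "rejected: missing auth_ip"
            self.upstream = (ip, ("ip", cmd["auth_ip"]))
            return "connected with ip auth"
        return "rejected: invalid auth_swith"  # any other value: no connection


if __name__ == "__main__":
    # Constructed command sequence using documentation addresses.
    model = ProxyCommandModel()
    for command in [
        {"cmd": "idle"},
        {"cmd": "updips", "auth_ip": ["198.51.100.1"]},
        {"cmd": "connect", "ip": "203.0.113.10", "auth_swith": "2"},
        {"cmd": "connect", "ip": "203.0.113.10", "auth_swith": "1",
         "auth_login": "user", "auth_pass": "secret"},
        {"cmd": "disconnect"},
    ]:
        print(command["cmd"], "->", model.handle(command))
```

Driving the model with a captured command stream is a quick way to confirm that a sample really implements the three-way auth_swith branch before writing detection logic around it.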

How Can Users Protect Their PCs from BackDoor.TeamViewer.49?

As with other Trojans, the most reliable protection is to keep active anti-malware protection on the system and to install Flash updates only from Adobe's own site, never from a bundled package. An unexpected TeamViewer installation, or an avicap32.dll sitting in TeamViewer's program directory rather than in the Windows system directory, is a sign of this particular infection. If you have been affected, refer to the removal steps below to try to remove the Trojan completely.

Milena Dimitrova, SensorsTechForum
