A few months ago, in May 2016, experts from the company “Doctor Web” discovered a new Trojan, BackDoor.TeamViewer.49, which installed the TeamViewer app on infected computers and used it as a proxy. Now the company says that a “brother” of this malware has appeared: BackDoor.TeamViewerENT.1 (also known as Spy-Agent), which also makes use of legitimate components of TeamViewer.
This family of Trojans has been known since 2011, and its authors regularly release new versions of the malicious programs, developing their own “product”. Experts write that BackDoor.TeamViewerENT.1 resembles BackDoor.TeamViewer.49 in architecture, which in turn consists of several modules. But while the Trojan found in May used TeamViewer only to load some malicious libraries into the memory of the victim’s machine, the new backdoor uses TeamViewer to spy.
The main malicious functions of the malware are concentrated in the avicap32.dll library, and its settings are stored in an encrypted configuration block. In addition to the library specially created by the attackers, the Trojan saves the files and folders that TeamViewer needs to operate, as well as several additional module files. The attackers exploit a legitimate feature of Windows: if an application requires a dynamic link library, the system first tries to find a file with that name in the folder where the program is stored, and only afterwards searches the Windows system folder. The TeamViewer application really does need the avicap32.dll library, which is stored by default in one of the Windows system directories. The malware keeps a malicious library with the same name directly in the folder with the legitimate TeamViewer executable, causing the system to load the Trojan library into memory instead of the legitimate one.
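A defender can hunt for this pattern by looking for DLLs that share a name with a system library but sit in an application folder beside an executable. The sketch below is an added example, not code from Doctor Web or from the original article; the function names, the `watch_names` parameter and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def find_shadowing_dlls(scan_root, system_dir, watch_names=None):
    """Flag DLLs outside system_dir that share a name with a DLL inside it and
    sit next to an .exe, so the application folder copy would be found first."""
    system_dir = Path(system_dir).resolve()
    system_names = {p.name.lower() for p in system_dir.iterdir()
                    if p.suffix.lower() == ".dll"}
    if watch_names is not None:  # optional: restrict to names of interest
        system_names &= {n.lower() for n in watch_names}
    findings = []
    for folder, _dirs, files in os.walk(scan_root):
        folder_path = Path(folder).resolve()
        if folder_path == system_dir or system_dir in folder_path.parents:
            continue  # the system copy itself is not a finding
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no program here to load the DLL from its own folder
        for name in files:
            if name.lower() in system_names:
                findings.append((str(folder_path / name), exes))
    return sorted(findings)  # leads for triage (signature, hash), not verdicts

def demo():
    """Scan a constructed tree: one planted avicap32.dll, one clean app."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system = root / "Windows" / "System32"
        app = root / "Users" / "victim" / "AppData" / "tv"
        clean = root / "Program Files" / "Clean"
        for d in (system, app, clean):
            d.mkdir(parents=True)
        (system / "avicap32.dll").write_bytes(b"legit")
        (app / "TeamViewer.exe").write_bytes(b"MZ")
        (app / "AVICAP32.DLL").write_bytes(b"planted")  # name match ignores case
        (clean / "app.exe").write_bytes(b"MZ")
        (clean / "helper.dll").write_bytes(b"x")        # no system namesake
        hits = find_shadowing_dlls(root, system)
        return [(Path(p).name, exes) for p, exes in hits]

if __name__ == "__main__":
    print(demo())
```

Many legitimate applications ship private copies of libraries that also exist in the system directory, so each hit should be checked against its digital signature and expected vendor before it is treated as malicious.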
Once launched, the Trojan disables the display of error events for the TeamViewer process, hides its own files, and intercepts calls to various application and system functions in the memory of the TeamViewer process. If any of the malicious files is removed, the Trojan simply downloads it again from the remote server. Additionally, if BackDoor.TeamViewerENT.1 detects an attempt to start the Windows Task Manager and Process Explorer, it kills the TeamViewer process on the infected machine. Once connected to the cyber criminals’ remote server, the backdoor can perform various malicious commands, including listening to sound from the microphone, watching via the webcam, downloading, saving and running files, connecting to a specified remote host, running commands via cmd.exe, updating config files and many more. In effect, the infected computer is under the total control of the cyber criminals.
These commands give the attackers wide opportunities to spy on infected users and steal confidential information. In particular, it is known that cyber criminals have used this Trojan to install Trojans from the Trojan.keylogger and Trojan.PWS.Stealer families on infected computers.
It is recommended to keep your computer protected with an antivirus and a firewall. Always update your system and antivirus software to the latest versions. Trojan BackDoor.TeamViewer.49 can be easily detected by most up-to-date antivirus software.