Defend what you create

Mehr

Schließen

Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support
Support 24/7

Schreiben Sie uns

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

BackDoor.TeamViewer.49

Added to Dr.Web virus database:2016-05-06
Virus description was added:2016-05-26

SHA1:

  • 9649ef7b594794daaf02da08c3b95a9f2f71149b (avicap32.dll)
  • 4884d44e2b4c2e2a65472068ef748f51385b13de (payload)

A Trojan for Microsoft Windows that is spread by Trojan.MulDrop6.39120. The Trojan's main payload is incorporated into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer that automatically loads the library to the computer’s memory. All lines, imports, and functions of TeamViewer’s process are actively implemented by this malicious library. The most critical parts of the Trojan’s code are encrypted with base64 and RC4.

When running, the Trojan removes the icon of TeamViewer from the Windows notification area and disables error reporting. BackDoor.TeamViewer.49 also intercepts calls for some system functions to hide the TeamViewer window.

The Trojan determines the value of the HKLM\Software\Microsoft\Cryptography\MachineGUID system registry parameter and calculates MD5. The result of the calculation is the RC4 key and a name of the mutex that is used to control restart of the Trojan. In addition, the backdoor generates a global RC4 key using one of the TeamViewer functions.

BackDoor.TeamViewer.49 uses the configuration file named nv8moxflu that is located in the same directory as the Trojan itself. The first byte of the configuration file is a flag that specifies the encryption algorithm: if the byte equals to 1, the global key is used; if it is 0—the local one. Other information is encrypted with RC4. The configuration file of the examined sample looks as follows:

Section {Main}
       szsubKey "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
       szvalueName "5s"
       szpgkey "rtpredimpku0hrq1le0d4cwqw7pcl97dv"
       szadminkey "i9igmhtliih115b5xlbpcwwc17qlbhse4"
SectionEnd

To decrypt other code blocks, the backdoor uses the MD5 value obtained from the “szadminkey” parameter. Then it parses the “Main” section of the configuration file, retrieves all parameters, and replaces the original file with its copy encrypted with the local key.

The Trojan launches a separate thread that, operating in infinite loop but with specified time intervals, assigns the folder, which contains its executable file, the malicious library and the configuration file, with the “hidden” and “system” attributes. If it fails to assign these attributes, the Trojan starts removing all the TeamViewer keys from the system registry.

HKCU\\Software\\TeamViewer\\Version6\\MachineFallback
HKCU\\Software\\TeamViewer\\Version6
HKCU\\Software\\TeamViewer

The backdoor registers itself in autorun intercepting calls for the hookRegOpenKeyExW function.

Then it installs Vectored Exception Handler and break points (0xcc) at the addresses of 0x5A7A84 and the MessageBoxW function.

To exclude such error codes as 0xC0000005 (STATUS_ACCESS_VIOLATION), 0xC0000374 (STATUS_HEAP_CORRUPTION), and 0x80000004 (STATUS_SINGLE_STEP), the following code is executed:

ContextRecord->SegDs = 35;
ContextRecord->EFlags |= 0x100u;
return EXCEPTION_CONTINUE_EXECUTION;

To exclude 0x80000003 (STATUS_BREAKPOINT), the Trojan first checks the address to which connection was established. If the address is 0x5A7A84, interception of the function call is set to the address that TeamViewer uses to call for WinVerifyTrust (dynamically-obtained import). The interception always returns “1”, which means “the signature is invalid”. Besides, the Trojan checks whether the exclusion address coincides with the MessageBoxW function address. If it does, the backdoor replaces the value of the EIP registry with its LoadEmbLib function and quits the exception handler.

The Trojan’s body contains one more encrypted library responsible for performing malicious activity. It is written in C++ using the boost library. The additional library is decrypted with the RC4 algorithm. The key is obtained from the szpgkey parameter of the configuration file. Then the library is loaded to the memory.

This library contains a specially-generated array that represents names of the server. The names are stored by bytes and are encrypted with the 0x18 byte using XOR.

When trying to connect, the backdoor uses User-Agent:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

The following line is generated:

client_id=%.8x&connected=0&server_port=0&debug=0

where client_id is a serial number of the hard drive that stores the C section, The value is encrypted with the XOR operation using SID.

This line is encrypted with the “heyfg645fdhwi” RC4 key and is then encoded with bintohex. After that, the line is sent to the server as the following request:

http://<cnc>/analytics.php?c=<encoded_data>

The server’s reply is encoded with bintohex and is encrypted with RC4 as well.

The Trojan can execute the following commands received over HTTPS:

  • disconnect—terminate the connection;
  • idle—maintain the connection;
  • updips—update the auth_ip list with the one specified in the command received;
  • connect—connect to the specified host server. The command must consist of the following parameters:
  • ip—host server’s IP address;
  • auth_swith—use authorization. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
  • auth_ip—IP authentication;
  • auth_login—login;
  • auth_pass—password.

Other network activity is written using boost::asio::stream_socket_service and is performed via a binary protocol.

The Trojan can execute the following commands received over the binary protocol:

  • Authentication—depending on the auth_swith parameter, the Trojan sends either data on the auth_ip parameter or auth_login and auth_pass.
  • Keep-Alive (0x01)—maintains the connection to the server.
  • Send Data (0x02)—searches for the signature in the Trojan’s body:
    C8 1F 0E 8D 4A 97 06 2A BC B8 3A D0 30 92 2E 59
    and sends the number of bytes specified by the server.
  • Proxy (0x00)—redirects traffic from the C&C server to the remote host server specified by the server.

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
  3. If your OS is locked by malware belonging to the Trojan.Winlock family, use our unlocking service. If you failed to find the unlock code, follow the instructions provided in Section 2.
Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for OS X to run a full scan of your Mac.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Führender russischer Hersteller von Virenschutzsoftware

Entwickelt seit 1992

Dr.Web wird in mehr als 200 Ländern genutzt

Antivirus im SaaS-Modell seit 2007

Technischer Support rund um die Uhr

© Doctor Web
2003 — 2018

Doctor Web ist ein russischer Entwickler von IT-Sicherheitslösungen unter dem Markennamen Dr.Web. Dr.Web Produkte werden seit 1992 entwickelt.

Doctor Web Deutschland GmbH. Platz der Einheit 1. 60327 Frankfurt