SHA1:
- 001c13d05841d2a82229a35fe58235743f1564fe (dropper)
- 0660cadef21d2061e776e4bcaa6aa4fb48a778be (avicap32.dll)
A backdoor Trojan for Microsoft Windows that is distributed under the name Spy-Agent. It uses the TeamViewer remote control utility components to spy on users. The Trojan has three encrypted blocks of executable code, The blocks are decrypted one by one. The first block is encrypted with BASE64 and XOR, and the others—with BASE64 and RC4.
The Trojan’s payload is placed into the avicap32.dll library. Once launched, the Trojan disables error messaging for the TeamViewer process. When the configuration is read, it is encrypted with a local key and saved to the previous location. The Trojan intercepts function calls in TeamViewer address area and appends all files in its folder with the attributes “system”, “hidden”, and “read only”.
The Trojan has a list of TeamViewer file checksums and regularly checks them with the help of the API MapFileAndCheckSumA function. If certain files or components are missing for normal operation of TeamViewer, the Trojan downloads them from its command and control (C&C) server. To ensure its autorun, the Trojan modifies particular branches of the Windows system registry, selecting branches from HKCU or HKLM. It depends on whether the Trojan has administrative privileges or not.
The Trojan also removes the tvicap32.dll file. Then it launches a separate thread that kills TeamViewer processes if it detects that TASKMGR.EXE or PROCEXP.EXE are running.
The backdoor uses additional plug-ins, which have .pg extension and are stored in the same folder as the Trojan. To launch them, the backdoor bypasses its folder when searching for .pg files. If it detects files with this extension, it launches several threads (depending on the number of detected files), which decrypt these files using RC4 and load them to the memory.
To send a message about the status, the Trojan determines the cursor location and, after some time specified in the configuration, it sends the following request to the command and control server:
http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&sidl=<cur_time>
Where the address is taken from the configuration, <TV_ID> - ID TeamViewer, <botId> is a unique ID of the infected computer, <cur_time> is a current time in the “YYYY-MM-DD hh:mm:ss” format.
Further requests are sent only if the cursor location is changed or if one of the following keys is pressed: VK_RETURN, VK_SPACE, VK_SHIFT. The Trojan then executes the following request:
http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&eidl=<cur_time>?cidl=<uptime>
Where the address is taken from the configuration, <TV_ID> - ID TeamViewer, <botId> is a unique ID of the infected computer, <cur_time> is a current time in the “YYYY-MM-DD hh:mm:ss” format,
To get instructions from the server, the Trojan waits for a particular number of seconds and then sends the following request to the server:
http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cidl=<uptime>
Where the address is taken from the configuration, <TV_ID> - ID TeamViewer, <botId> is a unique ID of the infected computer, <uptime> is a time of the Trojan’s operation in idle mode in seconds (since the last request was sent to the server).
The Trojan checks the server’s reply for the presence of the “!” character that means the beginning of the command. Then it breaks the line by line arrays that have ‘;’and ‘\r’ separators. The first line in an array is a command.
Once the commands are executed, the following request is sent to the server:
http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cmd=&device=2
The Trojan can execute the following commands:
| Command | Description |
|---|---|
| shutdown | Restart the computer |
| poweroff | Turn off the computer |
| delproc | Remove TeamViewer |
| restart | Relaunch TeamViewer |
| startaudio | Start listening through the microphone |
| stopaudio | Stop listening through the microphone |
| startvideo | Start viewing via the web camera |
| stopvideo | Stop viewing via the web camera |
| lexec | Download a file, save it to a temporary folder (%TEMP%) and run it |
| updef | Update a configuration file and the backdoor’s executable file |
| vid | Identify the web camera |
| cmd | Connect to the specified address, run cmd.exe and execute input/output redirection to a remote server |
| delpg | Remove plug-in from disk |
| uppg | Download/update plug-in |
| upcfgpg | Replace configuration file with one specified in the command |
| oftvdel | Rename avicap32.dll to tvicap32.dll |
| noexit | Set parameter value to 1 |
| cfgaudio | Set value for corresponding configuration parameter |
| cfgvideo | |
| cfgnomedia | |
| cfghostfile | |
| cfgwin7kill | |
| cfgxpkill | |
| cfgpgkey | |
| fakedel | |
| cfgpassteam | |
| cfg | |
| cfgnoexit | |
| Cfggenid |