- Jan 24, 2011
A new trojan called BackDoor.TeamViewerENT.1 uses components of the legitimate TeamViewer remote-access application to let crooks spy on infected systems.
The concept is not new: crooks have abused TeamViewer before, packaging the legitimate app alongside their malware and using it to turn the victim's PC into a web proxy.
That earlier trojan, BackDoor.TeamViewer.49, did not let the crooks steal anything from the machine, only relay and spy on traffic through it; the newer variant does, according to Dr.Web security researchers.
The two variants appear to be related: both ship a stripped-down copy of the TeamViewer application in which the avicap32.dll file has been replaced with a malicious version that loads the trojan's functionality.
Trojan includes many self-defense mechanisms
Infection relies on users installing other applications that silently drop the stripped-down TeamViewer copy alongside them.
Whenever this modified TeamViewer starts, it loads avicap32.dll automatically, because the legitimate application requires that DLL; since Windows searches the application's own directory before the system directory, the copy sitting next to TeamViewer.exe takes precedence over the genuine one. The crooks modified that DLL to carry the BackDoor.TeamViewerENT.1 trojan, which is loaded straight into memory rather than written to disk as a separate payload file. Keeping the payload in memory makes antivirus detection harder.
The modified DLL also suppresses any TeamViewer error messages, so that a stray dialog box does not give away the trojan's presence.
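The side-loading described above (a DLL in the application directory winning over the genuine one in System32) can be checked for on a host by hashing every avicap32.dll found under application directories against the system copy and flagging the ones that differ. The following Python script is an added example, not Dr.Web's or TeamViewer's code; it builds a constructed directory layout with stand-in byte strings instead of real binaries, and the paths, file contents and the `find_sideloaded` helper are illustrative assumptions, not details taken from the article.

```python
"""Flag side-loaded copies of a system DLL (here avicap32.dll) beside executables.

Windows resolves an implicitly linked DLL from the application's own directory
before System32, so a modified avicap32.dll dropped next to TeamViewer.exe is
loaded instead of the genuine one. This check hashes every copy found under a
root and reports those that do not match a reference copy.
"""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_DLL = "avicap32.dll"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideloaded(app_root: Path, reference_dll: Path, dll_name: str = TARGET_DLL) -> list[dict]:
    """Report every copy of dll_name under app_root whose hash differs from reference_dll.

    A copy identical to the reference is benign redistribution and is ignored.
    Each hit records which executables share its directory, i.e. which binaries
    would pick up the rogue DLL through the search order.
    """
    ref_hash = sha256_of(reference_dll)
    hits = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            if name.lower() != dll_name.lower():
                continue
            dll_path = Path(dirpath) / name
            digest = sha256_of(dll_path)
            if digest == ref_hash:
                continue
            loaders = sorted(f for f in files if f.lower().endswith(".exe"))
            hits.append({
                "dll": str(dll_path),
                "sha256": digest,
                "loaders_in_same_dir": loaders,
            })
    return hits


def build_lab_tree(root: Path) -> tuple[Path, Path]:
    """Create a constructed layout (stand-in bytes, not real PE files) to exercise the check."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / TARGET_DLL).write_bytes(b"MZ genuine avicap32 stand-in")

    clean = root / "Program Files" / "CleanApp"          # legit app redistributing the real DLL
    clean.mkdir(parents=True)
    (clean / "CleanApp.exe").write_bytes(b"MZ clean app stand-in")
    (clean / TARGET_DLL).write_bytes(b"MZ genuine avicap32 stand-in")

    dropped = root / "Users" / "victim" / "AppData" / "Roaming" / "TV"  # hypothetical drop location
    dropped.mkdir(parents=True)
    (dropped / "TeamViewer.exe").write_bytes(b"MZ stripped teamviewer stand-in")
    (dropped / "AVICAP32.DLL").write_bytes(b"MZ patched loader stand-in")  # differs from reference

    return root, system32 / TARGET_DLL


def demo() -> list[dict]:
    """Run the check over the constructed tree; paths are made relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        root, reference = build_lab_tree(Path(tmp))
        hits = find_sideloaded(root, reference)
        for hit in hits:
            hit["dll"] = str(Path(hit["dll"]).relative_to(root))
        return hits


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host, point `find_sideloaded` at `C:\Program Files`, `C:\Users\*\AppData` and similar locations with the System32 copy as the reference; a hash mismatch alone does not prove malice (a vendor may legitimately ship a different build), so treat hits as candidates for signature and reputation checks rather than as verdicts.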
Another notable feature: whenever the user starts Windows Task Manager or Process Explorer, the trojan terminates the TeamViewer process that hosts it, so the victim does not see it in the process list.
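The process-list evasion just described leaves a trace of its own: a process exiting within a second or two of taskmgr.exe or procexp.exe starting. This Python example, added here and not part of the original article, correlates process start and stop records and flags such exits. The pipe-separated log format, the sample lines and the five-second window are constructed assumptions, not Sysmon output; map your own process-create and process-terminate events onto the same fields.

```python
"""Correlate process exits with the start of an analysis tool.

Malware that kills its host process when Task Manager or Process Explorer
appears produces a tight "tool started -> unrelated process stopped" pair.
This scans a sorted event stream and reports every non-tool process that
exited within `window` of an analysis tool starting.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tools the article says the trojan reacts to; extend with others as needed.
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe"}

# Constructed sample log: "timestamp|start or stop|image path" (assumed format).
SAMPLE_LOG = r"""
2024-03-01T09:14:02|start|C:\Users\victim\AppData\Roaming\TV\TeamViewer.exe
2024-03-01T09:20:15|start|C:\Windows\System32\taskmgr.exe
2024-03-01T09:20:16|stop|C:\Users\victim\AppData\Roaming\TV\TeamViewer.exe
2024-03-01T09:25:00|stop|C:\Windows\System32\taskmgr.exe
2024-03-01T09:31:00|start|C:\Windows\System32\procexp64.exe
2024-03-01T09:35:00|stop|C:\Program Files\Mozilla Firefox\firefox.exe
2024-03-01T09:36:00|stop|C:\Windows\System32\procexp64.exe
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    kind: str    # "start" or "stop"
    image: str   # full image path as logged


def basename(image: str) -> str:
    """Lower-cased file name of an image path; tolerates either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the assumed line format and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, image = line.split("|", 2)
        if kind not in ("start", "stop"):
            raise ValueError(f"unknown event kind: {kind!r}")
        events.append(ProcEvent(datetime.fromisoformat(ts), kind, image))
    return sorted(events, key=lambda e: e.ts)


def find_tool_triggered_exits(events: list[ProcEvent],
                              window: timedelta = timedelta(seconds=5)) -> list[dict]:
    """Return non-tool processes that stopped within `window` after a tool started."""
    hits = []
    recent_tool_starts: list[tuple[datetime, str]] = []
    for ev in events:
        name = basename(ev.image)
        # Drop tool starts that are older than the correlation window.
        recent_tool_starts = [(t, n) for t, n in recent_tool_starts if ev.ts - t <= window]
        if ev.kind == "start" and name in ANALYSIS_TOOLS:
            recent_tool_starts.append((ev.ts, name))
        elif ev.kind == "stop" and name not in ANALYSIS_TOOLS:
            for t, tool in recent_tool_starts:
                hits.append({
                    "tool": tool,
                    "victim": ev.image,
                    "seconds_after": (ev.ts - t).total_seconds(),
                })
    return hits


def demo() -> list[dict]:
    return find_tool_triggered_exits(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

In the sample, TeamViewer.exe from a user-writable AppData path stops one second after taskmgr.exe starts and is reported; firefox.exe stopping four minutes after Process Explorer starts falls outside the window and is not. Ordinary users also close programs right after opening Task Manager, so use the hit as a pivot (image path, signer, parent process) rather than as a standalone alert.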
Read more: Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US