BackDoor.TeamViewer.49 is the name of a backdoor trojan discovered by Russian security vendor Dr.Web, who claims the trojan will install the TeamViewer application on infected computers, so it can relay Web traffic from the crook to other servers on the Internet, effectively using the host as a proxy server.
Dr.Web security researchers, together with security experts from Yandex, first discovered the trojan at the start of May, distributed via a complex multi-stage mechanism.
Initial infection occurs via a tainted Adobe Flash update package
Users don’t get infected with BackDoor.TeamViewer directly, but first through a malware dropper called Trojan.MulDrop6.39120, which Dr.Web says it’s distributed online together with an Adobe Flash Player update package.
When users install this malicious Flash Player update, they get a legitimate Flash version, but also the Trojan.MulDrop6 trojan, which secretly installs TeamViewer on the victim’s computer.
Dropping TeamViewer on infected devices is not something new, but the crooks don’t use it to log into the victim’s PC and take control over the device. Dr.Web claims that TeamViewer is used for something else.
Crooks don’t steal anything from infected devices
Crooks replaced TeamViewer’s avicap32.dll file with a malicious version which contains thetrojan. Since TeamViewer automatically runs avicap32.dll in the OS memory, crooks only need to add auto-run functions to TeamViewer and make sure the app’s icon is hidden from the Windows notification area.
After crooks make all the necessary modifications and TeamViewer is running, BackDoor.TeamViewer connects via an encrypted channel to the crooks command and control server, where it waits for instructions.
Dr.Web says that the in the versions it analyzed, the trojan’s main function was to operate as a Web proxy, taking traffic it receives from the C&C server, and relaying it to the Internet, effectively masking the crooks’ real IP.
“While we will have to look closer into this matter, the real issue is the installation of a malware program. Once a system is infected, perpetrators can virtually do anything with that particular system – depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth,” a TeamViewer spokesperson told Softpedia. “So first and foremost, it is important that users protect their systems best they can by having proper anti-malware in place.”