Backdoors normally implement remote control tool TeamViewer in order to get unauthorised access to an infected computer. However, a newly-discovered Trojan, BackDoor.TeamViewer.49, uses the tool for less obvious reasons.
Doctor Web specialists detected the new Trojan being covertly installed on computers by another malicious application called Trojan.MulDrop6.39210, a fake update of Adobe Flash Player.
The executable file installs the player on Windows, saves it on the disk without the user's knowledge, runs them every three seconds and removes the original Flash Player file. During installation, a legitimate installer window of Flash Player is displayed on the screen.
BackDoor.TeamViewer.49 uses different internal functions of the program's process. Once TeamViewer is launched, the Trojan removes its icon from the Windows notification area and disables error reporting and implements a special mechanism meant to prevent it from being restarted on an infected computer.
“BackDoor.TeamViewer.49 registers itself in autorun and then, operating in infinite loop but with specified time intervals, assigns the folder, which contains its executable file, the malicious library and the configuration file, with the “hidden” and “system” attributes. If it fails to assign these attributes, the Trojan starts removing all the TeamViewer keys from the system registry,” said Doctor Web researchers.
Another encrypted library is also hard-coded in the body of the Trojan and responsible for performing malicious activity such as establishing connection and authorisation to the server and redirecting traffic from the server to the specific remote server through the infected computer, allowing cyber-criminals to remain anonymous on the internet.
Doctor Web anti-virus detects and removes the malicious applications.