There have been some trojans that install malicious versions of the TeamViewer software circulating since 2011. Dr. Web has posted a new iteration of this tojan, calling it BackDoor.TeamViewerENT.1. All iterations of this trojan have been distributed under the name Spy-Agent. The Trojan is used to install additional malware such as keyloggers and form grabbers on the targets’ computer.
What Makes This Malware Special?
This trojan installs and uses the legitimate TeamViewer app and components to spy on its victims. According to Dr. Web:
The Trojan’s main payload is placed into the avicap32.dll library, and its operation parameters are stored in an encrypted configuration block. BackDoor.TeamViewerENT.1 also saves the files and folders necessary for TeamViewer to operate, together with some additional files.
If a Windows program needs a dynamic library to be loaded in order to operate, the system starts searching for the file with that name in the same folder from which the program was run, and only then in the Windows system directory. Virus makers decided to take advantage of this Windows feature: TeamViewer needs a standard avicap32.dll library, which is stored in one of the default system catalogs. However, the Trojan stores a malicious library with that same name right in the folder with the original TeamViewer executable file, and, as a result, Windows loads the malicious library, rather than the legitimate one, into the memory.
The malware tries to hide its existence and actions from users by terminating the TeamViewer process if it detects that the Task Manager or Process Explorer has been started, and by disabling error messaging for the TeamViewer process.
The trojan is mainly used to download and install additional info-stealing malware, but it uses TeamViewer to spy on users via the computer’s microphone and the camera.
If a component of TeamViewer is accidentally deleted by the user or someone else, the backdoor is capable of checking which part is missing and to download it from its C&C server.