
System Infected: Backdoor.Teambot Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Teambot communicating and requesting information from its controlling server.

Additional Information

When executed, the threat creates the following files:
%UserProfile%\Application Data\TeamViewer\TeamViewer4_Logfile.log
%Windir%\TV.dll
%Windir%\log\DSC456.jpg
%Windir%\log\PIC071.exe
%Windir%\log\START.JS
%Windir%\svchost.exe
%Windir%\ts.dll

Next, the threat creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"sv?host" = "%Windir%\svchost.exe"
HKEY_CURRENT_USER\Software\WinRAR SFX\"C%%WINDOWS" = "%SystemDrive%\WINDOWS"
HKEY_CURRENT_USER\Software\WinRAR SFX\"C%%WINDOWS%log" = "%Windir%\log"
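A host-triage check that matches the file and registry artefacts listed above against a host inventory (for example an EDR export of file paths and Run-key values). This is an added example, not Symantec's signature or product code; the environment-variable expansions and the sample inventory are constructed assumptions.

```python
import fnmatch

# Assumed expansions of the variables used in the signature (not from the page).
ENV = {"%Windir%": r"C:\WINDOWS", "%SystemDrive%": "C:",
       "%UserProfile%": r"C:\Documents and Settings\user"}

FILE_IOCS = [
    r"%UserProfile%\Application Data\TeamViewer\TeamViewer4_Logfile.log",
    r"%Windir%\TV.dll", r"%Windir%\log\DSC456.jpg", r"%Windir%\log\PIC071.exe",
    r"%Windir%\log\START.JS", r"%Windir%\svchost.exe", r"%Windir%\ts.dll",
]
# (key, value-name pattern, data); the '?' in "sv?host" is kept as a
# single-character wildcard, as the signature writes it.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SFX_KEY = r"HKEY_CURRENT_USER\Software\WinRAR SFX"
REG_IOCS = [
    (RUN_KEY, "sv?host", r"%Windir%\svchost.exe"),
    (SFX_KEY, "C%%WINDOWS", r"%SystemDrive%\WINDOWS"),
    (SFX_KEY, "C%%WINDOWS%log", r"%Windir%\log"),
]

def norm(path):
    """Expand the placeholders and lower-case for case-insensitive comparison."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path.lower()

def match_files(host_files):
    """Return the indicator paths present in a host file inventory."""
    wanted = {norm(p): p for p in FILE_IOCS}
    return sorted({wanted[norm(f)] for f in host_files if norm(f) in wanted})

def match_registry(host_values):
    """host_values: (key, value_name, data) triples; return matching triples."""
    return [(k, n, d) for k, n, d in host_values
            for ik, pat, idata in REG_IOCS
            if k.lower() == ik.lower()
            and fnmatch.fnmatchcase(n.lower(), pat.lower())
            and norm(d) == norm(idata)]

# Constructed sample inventory; the System32 copy of svchost.exe is the
# legitimate one and must not match, only the copy directly under %Windir%.
SAMPLE_FILES = [r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\svchost.exe",
                r"C:\Windows\log\START.JS"]
SAMPLE_REG = [(RUN_KEY, "svshost", r"C:\WINDOWS\svchost.exe"),
              (RUN_KEY, "OneDrive", r"C:\Program Files\OneDrive.exe")]

def triage(host_files, host_values):
    files, regs = match_files(host_files), match_registry(host_values)
    return {"files": files, "registry": regs, "infected": bool(files or regs)}
```

Running `triage(SAMPLE_FILES, SAMPLE_REG)` reports the rogue `%Windir%\svchost.exe`, the `START.JS` dropper artefact and the `svshost` Run value, while the legitimate System32 copy and an unrelated Run entry are ignored.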
The threat uses modified code from TeamViewer, a legitimate remote-access application, to open a remote connection to the controlling server. The controlling servers also run TeamViewer to complete the connection, which gives the attackers the ability to execute various commands on the infected host, for example:

Force a reboot
Download malicious files
Create and delete files and folders

Affected

  • Windows