June 20, 2011
Presumably, this backdoor can be installed into the system by another malware or downloaded while browsing infected web sites. Immediately after loading into the memory BackDoor.Termuser copies itself under a random name into the Windows system folder or to a temporary location if the attempt to write to the system directory fails. After that the malicious program registers and starts the Network Adapter Events service and tries to stop and remove the services of the installed anti-virus.
Immediately after its installation BackDoor.Termuser collects information on the infected computer (including the operating system version, IP address, the user login) and sends it to a remote server, then downloads an archive containing the BeTwinServiceXP (remote desktop RDP) program, decompresses it, installs the application and sends a report about the successful completion of this operation to the intruder. After that the malicious program creates a new user account in the system with the name TermUser and adds it into the Administrators group. Finally, BackDoor.Termuser copies Trojan.PWS.Termuser into a temporary directory and launches it. This Trojan horse displays the standard Windows login screen and block its closure until the user enters their username and password, which are automatically written into the registry in encrypted form.
Once loaded in the operating system, BackDoor.Termuser doesn’t allow the user to run anti-virus software, receives instructions from a remote command center and may transfer control over the computer to intruders. In order to prevent infection by this malicious software users are encouraged to regularly install security updates for Windows, and checks your computers with Dr.Web anti-virus.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.