
BackDoor.Termuser provides unauthorized access to infected computers

June 20, 2011

Doctor Web draws users' attention to the emergence of BackDoor.Termuser, a piece of malware that performs backdoor tasks in an infected system and grants attackers access to the computer.

Presumably, this backdoor can be installed into the system by other malware or downloaded while browsing infected web sites. Immediately after loading into memory, BackDoor.Termuser copies itself under a random name into the Windows system folder, or to a temporary location if the attempt to write to the system directory fails. After that, the malicious program registers and starts a service named Network Adapter Events and tries to stop and remove the services of any installed anti-virus.

Immediately after its installation, BackDoor.Termuser collects information on the infected computer (including the operating system version, IP address and user login) and sends it to a remote server. It then downloads an archive containing the BeTwinServiceXP program (a remote desktop/RDP tool), decompresses it, installs the application and sends a report about the successful completion of this operation to the intruder. After that, the malicious program creates a new user account in the system with the name TermUser and adds it to the Administrators group. Finally, BackDoor.Termuser copies Trojan.PWS.Termuser into a temporary directory and launches it. This Trojan horse displays the standard Windows login screen and blocks its closure until the user enters their username and password, which are then written into the registry in encrypted form.

Once loaded in the operating system, BackDoor.Termuser does not allow the user to run anti-virus software, receives instructions from a remote command center and may transfer control over the computer to intruders. In order to prevent infection by this malicious software, users are encouraged to regularly install security updates for Windows and to check their computers with Dr.Web anti-virus.
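The three host-level indicators described above (the Network Adapter Events service, the TermUser local administrator account and the dropped BeTwinServiceXP package) can be checked from PowerShell. The script below is an added example and is not Doctor Web's code; the service and account names come from the article, while matching the string "BeTwin" in service names and binary paths is an assumption about how that package registers itself.

```powershell
# Defender-side check for the BackDoor.Termuser indicators named in the article.
# Assumptions: "Network Adapter Events" and "TermUser" are taken from the text above;
# the "*BeTwin*" match is an assumption about the BeTwinServiceXP installer.
# Requires Windows PowerShell 5.1 or later, run from an elevated prompt.

$findings = @()

# 1. Service registered by the backdoor (match on either service name or display name)
$svc = Get-Service | Where-Object {
    $_.Name -eq 'Network Adapter Events' -or $_.DisplayName -eq 'Network Adapter Events'
}
if ($svc) { $findings += "Service present: $($svc.Name) [$($svc.Status)]" }

# 2. Rogue local account created by the backdoor, and whether it is a local administrator
$user = Get-LocalUser -Name 'TermUser' -ErrorAction SilentlyContinue
if ($user) {
    $findings += "Local account TermUser exists (enabled: $($user.Enabled))"
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\TermUser' }) {
        $findings += 'TermUser is a member of the Administrators group'
    }
}

# 3. Remote desktop package dropped by the backdoor (assumed name/path match)
$betwin = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -like '*BeTwin*' -or $_.DisplayName -like '*BeTwin*'
}
foreach ($b in $betwin) { $findings += "Possible BeTwin service: $($b.Name) -> $($b.PathName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor.Termuser indicators found.'
} else {
    Write-Warning 'Indicators associated with BackDoor.Termuser were found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A hit on any single check is worth investigating, but the combination of the service, the TermUser administrator account and a BeTwin service on one host matches the behaviour described above closely.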
