June 20, 2011

Doctor Web draws users' attention to the emergence of BackDoor.Termuser malware that perform backdoor tasks in an infected system and grant attackers access to the computer.

Presumably, this backdoor can be installed into the system by another malware or downloaded while browsing infected web sites. Immediately after loading into the memory BackDoor.Termuser copies itself under a random name into the Windows system folder or to a temporary location if the attempt to write to the system directory fails. After that the malicious program registers and starts the Network Adapter Events service and tries to stop and remove the services of the installed anti-virus.

Immediately after its installation BackDoor.Termuser collects information on the infected computer (including the operating system version, IP address, the user login) and sends it to a remote server, then downloads an archive containing the BeTwinServiceXP (remote desktop RDP) program, decompresses it, installs the application and sends a report about the successful completion of this operation to the intruder. After that the malicious program creates a new user account in the system with the name TermUser and adds it into the Administrators group. Finally, BackDoor.Termuser copies Trojan.PWS.Termuser into a temporary directory and launches it. This Trojan horse displays the standard Windows login screen and block its closure until the user enters their username and password, which are automatically written into the registry in encrypted form.

Once loaded in the operating system, BackDoor.Termuser doesn’t allow the user to run anti-virus software, receives instructions from a remote command center and may transfer control over the computer to intruders. In order to prevent infection by this malicious software users are encouraged to regularly install security updates for Windows, and checks your computers with Dr.Web anti-virus.