- aeed844d2e7e27b8d2994c087c4148286aae3434 (NSIS, a bogus FlashPlayer)
- d911554891f18d58f32c7e68a026e212206d2226 (NSIS, a dropper)
A dropper that is spread under the guise of the Adobe Flash Player update and is designed to covertly install BackDoor.TeamViewer.49 on the computer.
The installation script unpacks flashplayer21_xa_install.exe (a legitimate installer of Adobe Flash Player) and flashplayer_install.exe (the dropper of BackDoor.TeamViewer.49) and saves them on the disc. Then it runs them every 3 seconds and removes the original flashplayer_install.exe file.
The dropper represents a file in the Nullsoft Scriptable Install System (NSIS) format that contains a password-protected 7z archive. Before the dropper is launched, it checks the system for the presence of the following running processes: AvastUI.exe, avastui.exe, sin\5s.exe, 5s.exe, and \Pin\5s.lnk. If it fails to detect one of them, the dropper terminates its operation displaying the error message that looks as follows: "Error! Can't initialize plug-ins directory. Please try again later".
The archive contains the following files that are then unpacked to the %APPDATA%\Sin\ directory:
- 5s.exe—TeamViewer application;
- nv8moxflu—the configuration file.