Sheldor-Shocked

Sheldor-Shocked

My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB. The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1294926672. The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the

My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB. The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1294926672. The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the

My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB.

The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1294926672.

The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the infected machine.

TeamViewer's Digital Certificate

 It was used in an incident related to the theft of money by way of an unauthorized accounting transaction affecting a major Russian company. The dropper installs a backdoor in %WINDIR% and runs as server in console mode. One component of TeamViewer is modified in order to inject code into tv.dll, communicating through the administrative control panel.

The Bot's Network Activity

While there's no indication that this is in any way connected with the support scams I've blogged about so often here (which tend to make use of another utility), it's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes.

Shutdown Command Code

 Its command set includes instructions to start a command shell to make use of the compromised machine, to toggle monitoring, to exit Windows and/or power down, and to remove all traces of the bot. 

David Harley CITP FBCS CISSP

Discussion