My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB.

The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see

The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the infected machine.

TeamViewer's Digital Certificate

It was used in an incident involving the theft of money by way of an unauthorized accounting transaction at a major Russian company. The dropper installs a backdoor in %WINDIR% and runs it as a server in console mode. One component of TeamViewer is modified so that it injects code into tv.dll, which then communicates through the administrative control panel.

The Bot's Network Activity

While there's no indication that this is in any way connected with the support scams I've blogged about so often here (which tend to make use of another utility), it's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes.

Shutdown Command Code

Its command set includes instructions to start a command shell so the attacker can use the compromised machine, to toggle monitoring, to exit Windows and/or power down, and to remove all traces of the bot.
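A defender-side check suggested by the description above (a TeamViewer component dropped into %WINDIR% and a modified tv.dll whose digital signature no longer verifies), written as an added example that is not code from the post or from ESET. It assumes you already have a file inventory with path, Authenticode signer and signature validity for each file; the field names, the expected install directories and the constructed sample records are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Dict

# Component names taken from the post (tv.dll) plus the main executable;
# the executable name is an assumption for this example.
TEAMVIEWER_NAMES = {"tv.dll", "teamviewer.exe"}

# Where a legitimate install is expected to live (assumed, lower-cased).
EXPECTED_DIRS = ("c:\\program files\\teamviewer",
                 "c:\\program files (x86)\\teamviewer")

@dataclass
class FileRecord:
    path: str                 # full on-disk path
    signer: Optional[str]     # Authenticode subject, None if unsigned
    signature_valid: bool     # does the signature verify against the bytes?

def assess(rec: FileRecord) -> List[str]:
    """Return findings for one inventory record (empty list = nothing odd)."""
    findings = []
    name = ntpath.basename(rec.path).lower()
    if name not in TEAMVIEWER_NAMES:
        return findings
    directory = ntpath.dirname(rec.path).lower()
    # The post's sample installs its backdoor in %WINDIR%, not the TeamViewer dir.
    if not directory.startswith(EXPECTED_DIRS):
        findings.append(f"{name} outside expected install directory: {rec.path}")
    # A patched component (the modified tv.dll) breaks the vendor signature.
    if rec.signer is None or not rec.signature_valid:
        findings.append(f"{name} unsigned or signature does not verify")
    elif "teamviewer" not in rec.signer.lower():
        findings.append(f"{name} signed by unexpected publisher {rec.signer!r}")
    return findings

def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its findings; clean files are omitted."""
    return {r.path: f for r in records if (f := assess(r))}

# Constructed sample inventory: one legitimate install, one relocated but
# still-signed executable, and one tampered DLL in %WINDIR%.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Program Files\TeamViewer\tv.dll", "TeamViewer GmbH", True),
    FileRecord(r"C:\Windows\TeamViewer.exe", "TeamViewer GmbH", True),
    FileRecord(r"C:\Windows\tv.dll", None, False),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(findings))
```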


Author David Harley, ESET

  • Steffen

    Interesting article. Do you then recommend not to use remote control software on the computer?
    I’m using TeamViewer 6 now on all computers in LAN at home and use TeamViewer a lot to help friends who have computer problems. Or is only TeamViewer version 5 affected by this virus?

    • David Harley

      Remote access software is very useful in the right context. The trick is to be aware when it’s being misused. Unfortunately, that can be quite a difficult trick…

  • Randy Abrams

    TeamViewer is not affected by the threat, it is used by the threat. Rather than write their own remote control software they simply used TeamViewer to allow remote control.

  • Steffen

    Thanks for your answer.
    I can imagine, if more and more people are using easy-to-use remote desktop software, then the cybercriminals are of course also trying to misuse those applications for their business.

Copyright © 2017 ESET, All Rights Reserved.