
Trojan.Spammer.Tedroo

LOW
LOW
Size: around 42KB

Symptoms

The presence of %windir%\services.exe, set to run at startup through the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key under the value name "services". Note that the legitimate services.exe lives in %windir%\system32; a services.exe sitting directly in %windir% is suspicious on its own.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Alexandru Maximciuc, virus researcher

Technical Description:

It is a spammer trojan. It usually spreads via links embedded in spam e-mails. Lately the file comes protected with a packer we refer to as GLErrCrypt: the name comes from its use of the GetLastError API combined with one of the DestroyCursor/DestroyMenu/SetCursor/... APIs in order to trick emulators (the packer calls the API with a bogus argument and checks that GetLastError reports the error code a real Windows would set; an emulator that does not model the error code faithfully gives itself away). We do not consider GLErrCrypt to be Tedroo's own packer, because we have seen it used on many other malware families.


When run, the file copies itself to %windir%\services.exe and adds that copy to the Windows Firewall's list of allowed programs. The firewall change is made through a temporary batch file (%windir%\file.bat), which adds the malware to the allowed programs and then deletes itself. The executable also sets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify to 1, which suppresses the Security Center warning about the firewall state.
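The host-side artifacts above (the Run value, the Security Center flag and the firewall allow entry) can be checked offline against a registry export, which is how this is usually done on an imaged machine. The following is an added example, not BitDefender's code and not a reproduction of the malware's batch file. The .reg text is constructed for the demonstration; the Run value and FirewallDisableNotify come from the description above, while the AuthorizedApplications\List location is an assumption about where the "allowed program" written by file.bat ends up (the standard Windows XP SP2+ firewall policy key), since the page does not say how the batch file performs the change.

```python
"""Offline triage of a Windows registry export (.reg text) for Tedroo artifacts."""
import re

# Constructed sample of what `reg export` of the relevant keys could look like
# on an infected host. The AuthorizedApplications entry is an assumption (see lead-in).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"services"="C:\\WINDOWS\\services.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\services.exe"="C:\\WINDOWS\\services.exe:*:Enabled:services"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# services.exe is legitimate only in %windir%\system32; a copy one directory up
# (e.g. C:\WINDOWS\services.exe) is the indicator from the page.
BAD_SERVICES = re.compile(r"^[a-z]:\\[^\\]+\\services\.exe$", re.IGNORECASE)


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Handles quoted strings, dword: values and the unnamed default value (@).
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else _unescape(name.strip('"'))
            if raw.startswith('"'):
                value = _unescape(raw[1:-1])
            elif raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def find_tedroo_indicators(reg_text):
    """Return human-readable findings; an empty list means nothing matched."""
    keys = parse_reg(reg_text)
    findings = []
    for name, path in keys.get(RUN_KEY, {}).items():
        if name.lower() == "services" and BAD_SERVICES.match(str(path)):
            findings.append(f"Run value 'services' -> {path} (Tedroo persistence)")
    if keys.get(SC_KEY, {}).get("FirewallDisableNotify") == 1:
        findings.append("Security Center FirewallDisableNotify=1 (firewall warnings suppressed)")
    for app in keys.get(FW_LIST_KEY, {}):
        if BAD_SERVICES.match(app):
            findings.append(f"Firewall allowed program: {app} (assumed result of file.bat)")
    return findings


if __name__ == "__main__":
    for finding in find_tedroo_indicators(SAMPLE_REG):
        print(finding)
```

The path check deliberately rejects %windir%\system32\services.exe, so the real service control manager never shows up as a finding; only a services.exe one level up matches.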

Tedroo stores its configuration data under the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop registry key:
host - the server to contact for tasks
id - the computer ID (sent in every request to the server, presumably so that statistics can be kept there)

When run, Tedroo notifies the server of its presence with a request like:
http://host/spm/s_alive.php?id=<ID>&tick=<TICK>&ver=<VERSION>&smtp=<SMTP>
where ID is the computer's ID, TICK is the number of milliseconds elapsed since the system was started (the GetTickCount value, i.e. the uptime), VERSION is the version of the Tedroo binary and SMTP is the string "ok" or "bad", telling the server whether the infected computer can reach mail servers on port 25 (SMTP); a host reporting "bad", typically one whose ISP blocks outbound port 25, cannot deliver spam directly.
In response, the server sends back a string encrypted with the ID parameter as the key, which decrypts to:
SPM_NET=http://host/spm/s_tasks.php?id=ID&ver=;
The malware then uses this URL to fetch the tasks it has to carry out.
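Both requests described above have a fixed shape (the /spm/s_alive.php check-in with id, tick, ver and smtp, and the /spm/s_tasks.php fetch with id and an empty ver), which makes them easy to pick out of web proxy logs. The following is an added example, not BitDefender's code: it classifies URLs and scans constructed Squid-style access log lines. The log format, the host names, the client addresses and the parameter values are all constructed for the demonstration; only the URL paths and parameter names come from the description above.

```python
"""Detect Tedroo check-in and task-fetch requests in web proxy logs."""
from urllib.parse import urlsplit, parse_qs

# Constructed Squid-style access log: "<epoch> <elapsed> <client> <result> <bytes> <method> <url> ..."
SAMPLE_LOG = """\
1234567890.123    120 10.0.0.15 TCP_MISS/200 412 GET http://update.example.net/spm/s_alive.php?id=3f2a9c1e&tick=7357291&ver=12&smtp=ok - DIRECT/203.0.113.7 text/html
1234567891.456     80 10.0.0.15 TCP_MISS/200 9031 GET http://update.example.net/spm/s_tasks.php?id=3f2a9c1e&ver= - DIRECT/203.0.113.7 text/xml
1234567892.789     40 10.0.0.22 TCP_MISS/200 2210 GET http://www.example.com/news/index.php?id=42&ver=3 - DIRECT/198.51.100.9 text/html
1234567893.012    200 10.0.0.31 TCP_MISS/200 398 GET http://cdn.example.org/spm/s_alive.php?id=a1b2c3d4&tick=86400000&ver=12&smtp=bad - DIRECT/203.0.113.8 text/html
"""

# URL paths from the page, mapped to the request kind they represent.
BEACON_PATHS = {"/spm/s_alive.php": "alive", "/spm/s_tasks.php": "tasks"}


def classify_url(url):
    """Return a dict describing a Tedroo request, or None if the URL is unrelated.

    s_alive.php must carry id, tick, ver and smtp; s_tasks.php carries id and ver,
    where ver may be empty (as in the SPM_NET string the server hands out).
    """
    parts = urlsplit(url)
    kind = BEACON_PATHS.get(parts.path)
    if kind is None:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    required = {"id", "tick", "ver", "smtp"} if kind == "alive" else {"id", "ver"}
    if not required.issubset(q):
        return None
    info = {"kind": kind, "host": parts.hostname, "id": q["id"], "ver": q["ver"]}
    if kind == "alive":
        # tick is milliseconds since boot and smtp is exactly "ok" or "bad";
        # anything else is a different application using the same path.
        if not q["tick"].isdigit() or q["smtp"] not in ("ok", "bad"):
            return None
        info["uptime_hours"] = round(int(q["tick"]) / 3_600_000, 2)
        info["smtp_reachable"] = q["smtp"] == "ok"
    return info


def scan_log(text):
    """Return a list of (client_ip, beacon_info) for every Tedroo request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "GET":
            continue
        info = classify_url(fields[6])
        if info:
            hits.append((fields[2], info))
    return hits


if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_LOG):
        print(client, info)
```

The tick parameter is worth keeping: because it is milliseconds since boot, a run of check-ins from one client lets you confirm the host did not reboot between them, and the smtp flag tells you which infected hosts are actually able to send spam directly.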
Fetching the s_tasks.php page, the malware gets an XML configuration file with the following fields:

taskid=
realip=
hostname=
maxthread=
from=

a list of recipient addresses:
    email1@host1.tld1
    email2@host2.tld2
        ..
    emailN@hostN.tldN

and the message body:
    here goes the body of the mail to be sent
The e-mails sent are usually HTML-formatted, and the tasks Tedroo receives are templates that the bot fills in. Most of the mails sent in the last few days are spam messages that try to infect the user who clicks the embedded link with the Exchanger trojan, but some of them try to infect the user with a Tedroo variant instead.

Subjects used with high frequency lately:
Angelina Jolie Free Video.
Internet Explorer 7


An email example: