
Spammer:Win32/Tedroo.A


First posted on 04 January 2010.
Source: SecurityHome

Aliases :

Spammer:Win32/Tedroo.A is also known as Trojan.Win32.Buzus.cqit (Kaspersky), Win32/Injector.AJF (ESET), Infostealer.Banker.C (Symantec), TROJ_BUZUS.BKM (Trend Micro).

Explanation :

Spammer:Win32/Tedroo.A is a trojan that sends spam e-mail messages. It retrieves configuration data from a remote server and sends spam to retrieved e-mail addresses using SMTP servers.

Installation

Spammer:Win32/Tedroo.A modifies the following registry entries in order to store its data:

Adds value: "ii"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Adds value: "host"
With data: "<IP address>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Adds value: "id"
With data: "<digits>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Note: <IP address> is the IP address of the remote control server. One example observed being contacted in the wild for this purpose was 93.174.95.145, which hosts the domain sec3.helohmar.com.

Payload

Sends spam
Spammer:Win32/Tedroo.A tries to connect to a remote server to report the infection and to retrieve information that is used to send spam e-mail. In the wild, we observed one instance of Spammer:Win32/Tedroo.A contacting sec3.helohmar.com for this purpose. The retrieved information is saved temporarily to <%TEMP%>\<random number>.tmp.

Spammer:Win32/Tedroo.A sends spam messages to the retrieved e-mail addresses using configuration data it receives from the remote server. In order to send this spam, Spammer:Win32/Tedroo.A has been observed connecting directly to the following SMTP servers (by their names, the inbound mail exchangers of several large mail providers):

mx1.hotmail.com
mx2.hotmail.com
mx3.hotmail.com
mx4.hotmail.com
a.mx.mail.yahoo.com
b.mx.mail.yahoo.com
c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
e.mx.mail.yahoo.com
f.mx.mail.yahoo.com
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
google.com.s9a2.psmtp.com
google.com.s9b1.psmtp.com
google.com.s9b2.psmtp.com

Analysis by Shawn Wang

Last update 04 January 2010
