
Spammer:Win32/Tedroo.A


Spammer:Win32/Tedroo.A is a trojan that sends spam e-mail messages. It retrieves configuration data from a remote server and sends spam to retrieved e-mail addresses using SMTP servers.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation

Spammer:Win32/Tedroo.A modifies the following registry entries in order to store its data:
  • Adds value: "ii"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
  • Adds value: "host"
    With data: "<IP address>" (where <IP address> is the IP address of the remote control server; one example observed being contacted in the wild for this purpose was 93.174.95.145, which hosts the domain sec3.helohmar.com)
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
  • Adds value: "id"
    With data: "<digits>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Payload

Sends spam

Spammer:Win32/Tedroo.A tries to connect to a remote server to report the infection and to retrieve information that is used to send spam e-mail. In the wild, we observed one instance of Spammer:Win32/Tedroo.A contacting sec3.helohmar.com for this purpose. The retrieved information is temporarily saved to <%TEMP%>\<random number>.tmp.
 
Spammer:Win32/Tedroo.A sends spam messages to retrieved e-mail addresses using configuration data it receives from the remote server. In order to send this spam, Spammer:Win32/Tedroo.A has been observed using the following SMTP servers:
 
mx1.hotmail.com
mx2.hotmail.com
mx3.hotmail.com
mx4.hotmail.com
a.mx.mail.yahoo.com
b.mx.mail.yahoo.com
c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
e.mx.mail.yahoo.com
f.mx.mail.yahoo.com
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
google.com.s9a2.psmtp.com
google.com.s9b1.psmtp.com
google.com.s9b2.psmtp.com
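Ordinary workstations have no reason to resolve or connect to the public MX hosts listed above; only the organisation's own mail relays do. The following detection script is an added example and is not part of the original Microsoft entry. It scans DNS query log lines for lookups of the SMTP servers named on this page, ignores clients on an allowlist of known mail relays, and reports every other client together with the MX names it resolved. The log format (`client=... query=...`), the relay allowlist and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# SMTP servers named in the advisory as used by Spammer:Win32/Tedroo.A.
TEDROO_SMTP_SERVERS = {
    "mx1.hotmail.com", "mx2.hotmail.com", "mx3.hotmail.com", "mx4.hotmail.com",
    "a.mx.mail.yahoo.com", "b.mx.mail.yahoo.com", "c.mx.mail.yahoo.com",
    "d.mx.mail.yahoo.com", "e.mx.mail.yahoo.com", "f.mx.mail.yahoo.com",
    "mailin-01.mx.aol.com", "mailin-02.mx.aol.com",
    "mailin-03.mx.aol.com", "mailin-04.mx.aol.com",
    "google.com.s9a2.psmtp.com", "google.com.s9b1.psmtp.com",
    "google.com.s9b2.psmtp.com",
}

# Constructed allowlist: the only hosts that legitimately talk to external MX servers.
MAIL_RELAYS = {"10.0.0.25"}

# Constructed log format: "<timestamp> client=<ip> query=<name> type=<rrtype>".
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def flag_direct_mx_lookups(lines, allowlist=MAIL_RELAYS):
    """Return {client_ip: [mx names]} for non-relay clients that resolved
    any of the SMTP servers listed in the advisory. Malformed lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        match = DNS_LINE.search(line)
        if not match:
            continue
        client = match.group("client")
        # Normalise the queried name: strip a trailing dot, lower-case it.
        query = match.group("query").rstrip(".").lower()
        if client in allowlist:
            continue
        if query in TEDROO_SMTP_SERVERS:
            hits[client].add(query)
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log: one legitimate relay, one workstation behaving like
# the spam bot, one workstation doing ordinary lookups, and one malformed line.
SAMPLE_LOG = [
    "2009-12-17T10:00:01 client=10.0.0.25 query=mx1.hotmail.com. type=A",
    "2009-12-17T10:00:02 client=10.0.0.5 query=MX1.hotmail.com. type=A",
    "2009-12-17T10:00:02 client=10.0.0.5 query=a.mx.mail.yahoo.com. type=A",
    "2009-12-17T10:00:03 client=10.0.0.5 query=google.com.s9a2.psmtp.com. type=A",
    "2009-12-17T10:00:04 client=10.0.0.7 query=www.example.com. type=A",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    for client, names in flag_direct_mx_lookups(SAMPLE_LOG).items():
        print(f"{client} resolved {len(names)} external MX hosts: {', '.join(names)}")
```

A hit from a single workstation is worth a look; a hit spanning several of the providers above within a short window is the pattern the payload description implies, and pairing it with outbound TCP/25 flow records from the same host removes most false positives.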
 
Analysis by Shawn Wang

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    Added value: "ii"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

    Added value: "host"
    With data: "<IP address>" (where <IP address> is the IP address of the remote control server; one example observed being contacted in the wild for this purpose was 93.174.95.145, which hosts the domain sec3.helohmar.com)
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

    Added value: "id"
    With data: "<digits>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
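The BITS subkey itself is a normal part of Windows; what marks an infection is the three extra values the malware stores under it. The script below is an added example, not part of the Microsoft entry: it takes the values read from that subkey as a mapping, checks each of the three indicators against the shape the advisory gives ("ii" equal to "1", "host" a dotted IPv4 address, "id" a run of digits), and grades the result. `read_bits_values()` reads the live key through the standard-library `winreg` module on Windows; the sample mappings, including the value of "id", are constructed (the IP in the sample is the one named on the page).

```python
import ipaddress

# Subkey and value names come from the advisory.
TEDROO_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS"
_BITS_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\BITS"


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


# Each indicator: value name -> predicate on the value data (coerced to str,
# so a REG_DWORD 1 and a REG_SZ "1" are treated alike).
INDICATORS = {
    "ii": lambda data: data == "1",
    "host": _is_ipv4,
    "id": lambda data: data.isdigit(),
}


def find_tedroo_indicators(values):
    """values: mapping of value name -> data read from the BITS subkey.
    Returns the indicator names whose data matches the advisory, in a fixed order."""
    hits = []
    for name, matches in INDICATORS.items():
        data = values.get(name)
        if data is not None and matches(str(data)):
            hits.append(name)
    return hits


def assess(values):
    """Grade a host: all three values present -> 'likely infected',
    some present -> 'suspicious', none -> 'clean'."""
    hits = find_tedroo_indicators(values)
    if len(hits) == len(INDICATORS):
        return "likely infected"
    if hits:
        return "suspicious"
    return "clean"


def read_bits_values():
    """Windows only: enumerate every value under the BITS subkey with winreg.
    Returns an empty mapping if the key is absent."""
    import winreg  # standard library on Windows builds of Python
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, _BITS_PATH)
    except OSError:
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed samples. CLEAN_SAMPLE has no Tedroo values; INFECTED_SAMPLE mirrors
# the advisory, with the "id" digits made up for the example.
CLEAN_SAMPLE = {}
INFECTED_SAMPLE = {"ii": "1", "host": "93.174.95.145", "id": "7213984"}

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(f"{label}: {assess(sample)} (hits: {find_tedroo_indicators(sample)})")
```

To run it against a live machine, call `assess(read_bits_values())` from an elevated prompt; a "suspicious" grade usually means a partially cleaned host or a value left by a different program, and is worth confirming with a full scan rather than acting on alone.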

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 17, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Buzus.cqit (Kaspersky)
  • Win32/Injector.AJF (ESET)
  • Infostealer.Banker.C (Symantec)
  • TROJ_BUZUS.BKM (Trend Micro)
  • Grum (other)