Spammer:Win32/Tedroo.AB


Microsoft security software detects and removes this threat.
 
This trojan sends spam email messages from your PC. It can also give a malicious hacker access and control of your PC, change your security settings, and disable the Windows Firewall.
 


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned, such as the disabled Security Center service and the firewall policy values described under Threat behavior. The following links can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

On installation, Spammer:Win32/Tedroo.AB attempts to drop a copy of itself named userini.exe as an NTFS alternate data stream attached to explorer.exe, so that the copy is addressed as %windir%\explorer.exe:userini.exe and does not appear in a normal directory listing. It can also drop a copy of itself as userini.exe in the Windows system folder.

It creates one or more of the following registry entries so that it runs at startup; which path appears in the data depends on which of the two copies was dropped:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "userini"
With data: "%windir%\explorer.exe:userini.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userini"
With data: "%windir%\explorer.exe:userini.exe" 

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "userini"
With data: "%windir%\explorer.exe:userini.exe" 

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userini"
With data: "%windir%\explorer.exe:userini.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "userini"
With data: "<system folder>\userini.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userini"
With data: "<system folder>\userini.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "userini"
With data: "<system folder>\userini.exe" 

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userini"
With data: "<system folder>\userini.exe"

It also creates the following registry entries as part of its installation routine:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "remove"
Sets value: "id"
With data: "<numerical value>", for example "15650534"

The "id" data is a per-infection identifier: the same number is sent as the id parameter of the check-in request described under Payload.

Payload

Sends spammed e-mail messages

Spammer:Win32/Tedroo.AB can send spam email messages from the infected PC using its own SMTP engine. It sends an HTTP GET request to the IP address 91.207.4.250 to download predefined spam messages from a remote site, using a query such as the following (the id parameter carries the identifier stored in the registry during installation):

  • /spm/page.php?id=15650534&tick=18481424&ver=121&smtp=ok&task=0
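The check-in request above has a fixed path and parameter set, which makes it a usable network indicator. The following PowerShell script is an added example, not part of the Microsoft entry: it flags HTTP proxy log lines that match that request shape and runs over a constructed four-line sample log. The "client server method url" log layout, the function name Test-TedrooBeacon, and the sample data are this example's own assumptions; adjust the field split for your proxy's real format.

```powershell
# Added example (not part of the Microsoft encyclopedia entry): flag HTTP proxy log lines
# that look like the Tedroo.AB check-in. The log layout is a constructed
# "client server method url" format; adjust the field split for your proxy's format.
# Function, parameter and sample data names are this example's own.

function Test-TedrooBeacon {
    param([Parameter(Mandatory = $true)][string]$Line)

    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 4 -or $f[2] -ne 'GET') { return $null }

    $uri = $null
    if (-not [uri]::TryCreate($f[3], [UriKind]::Absolute, [ref]$uri)) { return $null }
    if ($uri.AbsolutePath -ne '/spm/page.php') { return $null }

    # Parse the query string into a hashtable and require the full parameter set seen in
    # the sample request; matching on the path alone would be too loose.
    $q = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        $k, $v = $pair -split '=', 2
        if ($k) { $q[$k] = $v }
    }
    foreach ($name in 'id', 'tick', 'ver', 'smtp', 'task') {
        if (-not $q.ContainsKey($name)) { return $null }
    }

    [pscustomobject]@{
        Client = $f[0]
        Server = $uri.Host
        BotId  = $q['id']      # same number the trojan stores in HKCU\...\Explorer\id
        Ver    = $q['ver']
        Task   = $q['task']
        Url    = $f[3]
    }
}

# Constructed sample log: two check-ins from one bot, one benign request, one non-GET.
$sampleLog = @'
10.0.0.12 91.207.4.250 GET http://91.207.4.250/spm/page.php?id=15650534&tick=18481424&ver=121&smtp=ok&task=0
10.0.0.7 93.184.216.34 GET http://example.com/index.html
10.0.0.12 91.207.4.250 GET http://91.207.4.250/spm/page.php?id=15650534&tick=18482001&ver=121&smtp=ok&task=1
10.0.0.9 203.0.113.5 POST http://203.0.113.5/spm/page.php?id=1
'@ -split '\r?\n'

$hits = $sampleLog | ForEach-Object { Test-TedrooBeacon -Line $_ } | Where-Object { $_ -ne $null }
$hits | Format-Table -AutoSize

# Group by bot id to count distinct infections behind one client address or NAT.
$hits | Group-Object BotId | Select-Object Name, Count
```

Only the first and third sample lines are reported; the benign request fails the path check and the POST fails the method check. Because the id parameter equals the value written to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\id, a hit in the proxy log can be tied back to a specific host by reading that value during triage.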

Allows backdoor access and control

Spammer:Win32/Tedroo.AB can give a remote attacker control of your PC.

Modifies system settings

The trojan changes service and policy settings. Setting a service's Start value to 4 (SERVICE_DISABLED) stops it from starting on the next boot:

Disables the Windows Security Center service (wscsvc), which would otherwise warn that the firewall is off:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Modifies value: "Start"
With data: "4"

Disables the Shared Access service (SharedAccess), which on Windows XP is the Windows Firewall/Internet Connection Sharing (ICS) service:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Modifies value: "Start"
With data: "4"

Modifies Windows Firewall settings

Spammer:Win32/Tedroo.AB can turn off the Windows Firewall so that the malware's own connections are not blocked.

It disables the firewall through the Group Policy registry values below, which override the firewall settings in Control Panel, and suppresses the Security Center notification that would warn that the firewall is off:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "FirewallDisableNotify"
With data: "1" (suppresses the "firewall is off" notification)
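The artifacts listed under Installation, Modifies system settings and Modifies Windows Firewall settings can all be checked from one place. The PowerShell script below is an added example, not part of the Microsoft entry: a read-only sweep that reports the userini autostart values, the installation marker values, the dropped file and the explorer.exe alternate data stream, the disabled services, and the firewall policy values. The function name Find-TedrooArtifacts and all variable names are this example's own; it assumes PowerShell 3.0 or later (for the -Stream parameter) and an elevated session so that HKLM and the streams of explorer.exe are readable.

```powershell
# Added example (not part of the Microsoft encyclopedia entry): a read-only sweep for the
# Tedroo.AB host artifacts listed in this entry. Function and variable names are this
# example's own. Run in an elevated PowerShell 3.0+ session.

function Find-TedrooArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autostart values named "userini" in the four locations the entry lists.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        $v = Get-ItemProperty -Path $key -Name 'userini' -ErrorAction SilentlyContinue
        if ($v) { $findings.Add("Autostart: $key\userini = $($v.userini)") }
    }

    # 2. Installation marker values ("remove" and the bot "id") under HKCU\...\Explorer.
    $expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
    $exp = Get-ItemProperty -Path $expKey -ErrorAction SilentlyContinue
    foreach ($name in 'remove', 'id') {
        if ($exp -and $exp.PSObject.Properties.Name -contains $name) {
            $findings.Add("Marker: $expKey\$name = $($exp.$name)")
        }
    }

    # 3. Dropped copies: a real file in the system folder, or an alternate data stream on
    #    explorer.exe. Get-Item -Stream * lists every NTFS stream; a clean file has only ':$DATA'.
    $sysCopy = Join-Path $env:SystemRoot 'System32\userini.exe'
    if (Test-Path -LiteralPath $sysCopy) { $findings.Add("File: $sysCopy") }

    $explorer = Join-Path $env:SystemRoot 'explorer.exe'
    Get-Item -LiteralPath $explorer -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS: ${explorer}:$($_.Stream) ($($_.Length) bytes)") }

    # 4. Services set to Start=4 (SERVICE_DISABLED): Security Center and Windows Firewall/ICS.
    foreach ($svc in 'wscsvc', 'SharedAccess') {
        $s = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue
        if ($s -and $s.Start -eq 4) { $findings.Add("Service disabled (Start=4): $svc") }
    }

    # 5. Firewall turned off by policy, plus the suppressed Security Center notification.
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($p -and $p.EnableFirewall -eq 0) { $findings.Add("Firewall policy: $fwProfile EnableFirewall=0") }
    }
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -Name FirewallDisableNotify -ErrorAction SilentlyContinue
    if ($sc -and $sc.FirewallDisableNotify -eq 1) { $findings.Add('Security Center: FirewallDisableNotify=1') }

    return $findings
}

$hits = Find-TedrooArtifacts
if ($hits.Count -eq 0) { 'No Tedroo.AB artifacts found.' } else { $hits }
```

The sweep only reports. If it finds anything, clean with your antimalware product first, then undo the lasting changes the entry warns about: delete the userini values from the Run and Policies\Explorer\Run keys, delete the file in the system folder and the stream (Remove-Item -LiteralPath "$env:SystemRoot\explorer.exe" -Stream userini.exe), re-enable the services (Set-Service wscsvc -StartupType Automatic, and SharedAccess to its default for your Windows version), and delete the EnableFirewall policy values rather than setting them to 1, so the firewall returns to its locally configured state; then reboot. On Windows XP, which has neither PowerShell 3.0 nor dir /R, list the streams of explorer.exe with the Sysinternals Streams tool instead.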

Downloads other malware

Spammer:Win32/Tedroo.AB is known to download and run Ransom:Win32/Critroni.A.

Analysis by Marianne Mallen


Symptoms

The following system changes may indicate the presence of this malware:

    • The presence of the following files:

      <system folder>\userini.exe
      %windir%\explorer.exe:userini.exe (an alternate data stream of explorer.exe, not shown by a normal directory listing)
       
    • The presence of the following registry modifications:
       

      In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Sets value: "userini"
      With data: "%windir%\explorer.exe:userini.exe"

      In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "userini"
      With data: "%windir%\explorer.exe:userini.exe" 

      In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Sets value: "userini"
      With data: "%windir%\explorer.exe:userini.exe" 

      In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "userini"
      With data: "%windir%\explorer.exe:userini.exe"

      In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Sets value: "userini"
      With data: "<system folder>\userini.exe"

      In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "userini"
      With data: "<system folder>\userini.exe"

      In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Sets value: "userini"
      With data: "<system folder>\userini.exe" 

      In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "userini"
      With data: "<system folder>\userini.exe"

 


Prevention


Alert level: Severe
First detected by definition: 1.67.543.0
Latest detected by definition: 1.185.3174.0 and higher
First detected on: Oct 08, 2009
This entry was first published on: Jun 28, 2010
This entry was updated on: Jul 21, 2014

This threat is also detected as:
  • W32/Jolee.R (Command)
  • Email-Worm.Win32.Joleee.efa (Kaspersky)
  • W32/Joleee.BN (Norman)
  • I-Worm.Joleee.BXS (VirusBuster)
  • TR/Joleee.22016 (Avira)
  • Win32/Tedroo.CH (CA)
  • Win32/SpamTool.Tedroo.AB (ESET)
  • Email-Worm.Win32.Joleee (Ikarus)
  • W32/Joleee.U.worm (Panda)
  • Trojan.Win32.Spammer.aet (Rising AV)
  • Hacktool.Spammer (Symantec)
  • WORM_KOLAB.EH (Trend Micro)