Spammer:Win32/Tedroo.I


Spammer:Win32/Tedroo.I is a trojan used to send spam. It is usually installed by other malware or when a user visits a compromised Web site. It may allow backdoor access by a remote attacker, and may disable a number of Windows services, including the Windows Firewall and Shared Access.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s: 

Threat behavior

Installation
When run, Spammer:Win32/Tedroo.I attempts to copy itself to the system as '%windir%\services.exe'.
 
It modifies the system registry so that its copy automatically runs whenever Windows starts:
 
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "services"
With data: "%windir%\services.exe"
 
It also creates the following registry entries as part of its installation routine:
 
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\services
Adds value: "del"
 
Under key: HKCU\Software\Microsoft\Internet Explorer\Desktop
Adds value: "host"
With data: "206.51.225.202"
Adds value: "id"
With data: "<digits>"
 
where <digits> is a number of twelve digits, for example, '231119813174'.
Payload
Sends spam e-mail messages
Spammer:Win32/Tedroo.I sends spam e-mail messages from the infected system.
 
Allows backdoor access and control
Spammer:Win32/Tedroo.I attempts to connect to '206.51.225.202' to download other files or wait for instructions from a remote attacker.
 
Modifies system settings
Spammer:Win32/Tedroo.I modifies some of the system's settings, such as the following:
 
  • Disables the Windows Security Center service:
    Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Modifies value: "Start"
    With data: "4"
 
  • Disables the Shared Access service:
    Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    Modifies value: "Start"
    With data: "4"
 
 
Modifies Windows Firewall settings
Using a batch file it drops as '%windir%\file.bat', Spammer:Win32/Tedroo.I disables the Windows Firewall and adds '%windir%\services.exe' to the list of processes allowed to bypass the Windows Firewall.
 
It disables the Windows Firewall by editing the following registry entries:
 
Under key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Adds value: "EnableFirewall"
With data: "0"
 
Under key: HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Adds value: "EnableFirewall"
With data: "0"
 
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallDisableNotify"
With data: "1"
 
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallOverride"
With data: "1"
 
Analysis by Patrik Vicol

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    %windir%\services.exe
  • The presence of the following registry modifications:
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "services"
    With data: "%windir%\services.exe"
  • The following services are disabled or not started:
    wscsvc
    SharedAccess
    Windows Firewall
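The PowerShell checks below are added here as an example and are not part of this Microsoft entry; they read the indicators listed above from the file system and registry, assume an elevated session on the suspect host, and only report what they find without changing anything.

```powershell
# Added example (not Microsoft's code): read-only check for the Tedroo.I indicators listed above.
# Assumes an elevated PowerShell session on the suspect Windows host; reports only, modifies nothing.

$findings = @()

# 1. Dropped file %windir%\services.exe (the legitimate services.exe lives in %windir%\System32)
$dropped = Join-Path $env:windir 'services.exe'
if (Test-Path -LiteralPath $dropped) { $findings += "File present: $dropped" }

# 2. Run-key persistence: value "services" pointing at %windir%\services.exe
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $run -Name 'services' -ErrorAction SilentlyContinue).services
if ($runVal) { $findings += "Run value 'services' = $runVal" }

# 3. Installation markers: the 'services' key under CurrentVersion and 'host'/'id' under IE\Desktop
if (Test-Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\services') {
    $findings += 'Key present: HKLM\Software\Microsoft\Windows\CurrentVersion\services'
}
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Desktop' -ErrorAction SilentlyContinue
if ($ie -and ($ie.PSObject.Properties.Name -contains 'host')) { $findings += "IE\Desktop 'host' = $($ie.host)" }
if ($ie -and ($ie.PSObject.Properties.Name -contains 'id'))   { $findings += "IE\Desktop 'id' = $($ie.id)" }

# 4. Services forced to Start=4 (Disabled): Security Center and Shared Access
foreach ($svc in 'wscsvc', 'SharedAccess') {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name 'Start' -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc has Start=4 (Disabled)" }
}

# 5. Firewall policy values and Security Center overrides written by file.bat
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';        Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';        Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallDisableNotify'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallOverride';      Bad = 1 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $findings += "$($c.Path)\$($c.Name) = $v" }
}

if ($findings.Count -eq 0) { 'No Tedroo.I indicators found.' } else { $findings }
```

A hit on any single item is not proof of infection on its own (EnableFirewall=0 can be a legitimate policy setting), but the combination of the dropped file, the Run value and the disabled services matches the behavior described in this entry.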

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 22, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Email-Worm.Win32.Joleee.mt (Kaspersky)
  • Mal/WaledPak-A (Sophos)
  • I-Worm.Joleee.OJ (VirusBuster)
  • Win32/TrojanProxy.Small.NCA (ESET)
  • Spam-Mailbot.m (McAfee)
  • W32/Joleee.M.worm (Panda)