Spammer:Win32/Tedroo.I is a trojan that sends spam e-mail from the infected system. It is usually installed by other malware or when a user visits a compromised Web site. It may give a remote attacker backdoor access to the system, and it may disable a number of Windows services, including the Windows Firewall and Shared Access.
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following file (note that the legitimate services.exe resides in %windir%\System32, not directly under %windir%):
%windir%\services.exe
- The presence of the following registry modification:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "services"
With data: "%windir%\services.exe"
- The following services are disabled or not started:
wscsvc (Windows Security Center)
SharedAccess
Windows Firewall (on Windows XP this is the SharedAccess service; later versions of Windows run the firewall as MpsSvc)
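The following PowerShell function is an added example, not part of the original write-up, for checking a single host against the indicators this entry lists (the system changes above, plus the installation markers and firewall changes described in the sections that follow). The function name Test-TedrooIndicators is an assumption; the registry paths and file names are the ones given in this entry. It is read-only and should be run from an elevated prompt.

```powershell
# Added example (not from the original write-up): read-only sweep of one host
# for the Spammer:Win32/Tedroo.I indicators listed in this entry.
function Test-TedrooIndicators {
    $findings = @()

    # Dropped files. The legitimate services.exe lives in %windir%\System32;
    # a services.exe directly under %windir% is suspicious on its own.
    foreach ($name in 'services.exe', 'file.bat') {
        $p = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # Autorun entry named "services" under the HKLM Run key.
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['services']) {
        $findings += "Run value 'services' = $($run.services)"
    }

    # Installation markers: the "del" value and the host/id pair under
    # HKCU\...\Internet Explorer\Desktop. HKCU is the *current* user's hive;
    # for other accounts check HKU\<SID> or load their NTUSER.DAT.
    $delKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\services'
    if (Get-ItemProperty -Path $delKey -Name del -ErrorAction SilentlyContinue) {
        $findings += "Marker value 'del' present under $delKey"
    }
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Desktop' -ErrorAction SilentlyContinue
    if ($ie) {
        if ($ie.PSObject.Properties['host']) { $findings += "C2 host value: $($ie.host)" }
        if ($ie.PSObject.Properties['id'] -and "$($ie.id)" -match '^\d{12}$') {
            $findings += "12-digit bot id: $($ie.id)"
        }
    }

    # Services set to Disabled (Start = 4), plus their live state.
    foreach ($svc in 'wscsvc', 'SharedAccess') {
        $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "Service $svc set to Disabled (Start=4)" }
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { $findings += "Service $svc is $($s.Status)" }
    }

    # Firewall policy override and Security Center notification suppression.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $ef = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        if ($ef -eq 0) { $findings += "Policy $profile\EnableFirewall = 0" }
    }
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    if ($sc) {
        if ($sc.FirewallDisableNotify -eq 1) { $findings += 'Security Center: FirewallDisableNotify = 1' }
        if ($sc.FirewallOverride -eq 1)      { $findings += 'Security Center: FirewallOverride = 1' }
    }

    return $findings
}

$hits = Test-TedrooIndicators
if ($hits) { $hits | ForEach-Object { "[!] $_" } } else { 'No Tedroo.I indicators found.' }
```

To sweep several machines, pass the function body to remoting, for example `Invoke-Command -ComputerName host1,host2 -ScriptBlock ${function:Test-TedrooIndicators}`. A single hit on the Run value or the dropped file is a strong indicator; the disabled services and firewall settings can also result from administrator action, so treat those alone as a prompt to look further rather than as confirmation.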
Installation
When run, Spammer:Win32/Tedroo.I attempts to copy itself to the system as '%windir%\services.exe'.
It modifies the system registry so that its copy automatically runs whenever Windows starts:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "services"
With data: "%windir%\services.exe"
It also creates the following registry entries as part of its installation routine:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\services
Adds value: "del"
Under key: HKCU\Software\Microsoft\Internet Explorer\Desktop
Adds value: "host"
With data: "206.51.225.202"
Adds value: "id"
With data: "<digits>"
where <digits> is a number of twelve digits, for example, '231119813174'.
Payload
Sends spam e-mail messages
Spammer:Win32/Tedroo.I sends spam e-mail messages from the infected system.
Allows backdoor access and control
Spammer:Win32/Tedroo.I attempts to connect to '206.51.225.202' (the address it stores in the "host" registry value described above) to download other files or to wait for instructions from a remote attacker.
Modifies system settings
Spammer:Win32/Tedroo.I modifies some of the system's settings, such as the following:
- Disables the Windows Security Center service by setting its start type to Disabled (4):
Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Modifies value: "Start"
With data: "4"
- Disables the Shared Access service (the Windows Firewall/Internet Connection Sharing service on Windows XP) in the same way:
Under subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Modifies value: "Start"
With data: "4"
Modifies Windows Firewall settings
Using a batch file it drops as '%windir%\file.bat', Spammer:Win32/Tedroo.I disables the Windows Firewall and adds '%windir%\services.exe' to the list of programs allowed through the Windows Firewall.
It disables the Windows Firewall by setting the following registry values. The two EnableFirewall policy values turn the firewall off for the domain and standard profiles; the two Security Center values suppress the warning that Windows would otherwise show when the firewall is off:
Under key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Adds value: "EnableFirewall"
With data: "0"
Under key: HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Adds value: "EnableFirewall"
With data: "0"
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallDisableNotify"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallOverride"
With data: "1"
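The service and firewall changes above are configuration changes that survive removal of the trojan itself. The following PowerShell function is an added example, not part of the original write-up, that reverts them after the malware has been removed. The function name Restore-TedrooConfig is an assumption, as is the choice of Automatic as the pre-infection start type for both services; the entry does not name the registry key holding the firewall exception for services.exe, so the AuthorizedApplications\List location used below is the Windows XP SP2 location and is also an assumption. Run it from an elevated prompt, and preview with -WhatIf first.

```powershell
# Added example (not from the original write-up): revert the lasting
# configuration changes this entry describes, after the trojan is removed.
function Restore-TedrooConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # (a) Services the trojan set to Disabled (Start=4). Assumption: both were
    #     Automatic before infection. Set-Service goes through the SCM, which
    #     also updates the Start value under the service's registry key.
    foreach ($svc in 'wscsvc', 'SharedAccess') {
        if ((Get-Service -Name $svc -ErrorAction SilentlyContinue) -and
            $PSCmdlet.ShouldProcess($svc, 'Set startup type to Automatic and start')) {
            Set-Service -Name $svc -StartupType Automatic
            Start-Service -Name $svc -ErrorAction SilentlyContinue
        }
    }

    # (b) Policy values that force the firewall off for both profiles. The
    #     values are removed, not set to 1, so the firewall returns to its
    #     locally configured state. If a domain GPO manages these values they
    #     will be re-applied at the next refresh; confirm with gpresult that
    #     the 0 came from the infection and not from policy.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"
        $val = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($val -and $val.EnableFirewall -eq 0 -and
            $PSCmdlet.ShouldProcess("$profile\EnableFirewall", 'Remove policy value')) {
            Remove-ItemProperty -Path $key -Name EnableFirewall
        }
    }

    # (c) Turn Security Center's firewall monitoring and notifications back on.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if ((Test-Path $sc) -and
        $PSCmdlet.ShouldProcess('Security Center', 'Reset FirewallDisableNotify and FirewallOverride to 0')) {
        Set-ItemProperty -Path $sc -Name FirewallDisableNotify -Value 0 -Type DWord
        Set-ItemProperty -Path $sc -Name FirewallOverride      -Value 0 -Type DWord
    }

    # (d) Remove the firewall exception file.bat added for the dropped copy.
    #     Assumption: the entry does not name this key; this is the XP SP2
    #     per-profile allowed-program list, whose value names are full paths.
    $dropped = Join-Path $env:windir 'services.exe'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $list = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
        if ((Get-ItemProperty -Path $list -Name $dropped -ErrorAction SilentlyContinue) -and
            $PSCmdlet.ShouldProcess($dropped, "Remove firewall exception ($profile)")) {
            Remove-ItemProperty -Path $list -Name $dropped
        }
    }
}

Restore-TedrooConfig -WhatIf   # preview; drop -WhatIf (optionally add -Verbose) to apply
```

Confirm that '%windir%\services.exe', '%windir%\file.bat' and the "services" Run value are already gone before applying the changes; restoring the firewall while the dropped copy is still present and still listed as an allowed program leaves the attacker's path open. The function only touches the keys this entry names, so on versions of Windows later than XP the firewall service itself (MpsSvc) is left as it is.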
Analysis by Patrik Vicol
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s: