Spammer:Win32/Tedroo.gen!B


First posted on 12 January 2010.
Source: SecurityHome

Aliases:

Spammer:Win32/Tedroo.gen!B is also known as Email-Worm.Win32.Joleee.eja (Kaspersky), W32/Harnig.NAB (Norman), TROJ_BREDLAB.SME (Trend Micro).

Explanation:

Spammer:Win32/Tedroo.gen!B is a trojan that sends spam email. It retrieves commands and configuration data from a remote server.
Installation
Spammer:Win32/Tedroo.gen!B modifies the following registry entries in order to store its data:

  • Adds value: "id"
    With data: "<hexadecimal number>" (e.g. "6d27b2d4bfb2")
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  • Adds value: "remove"
    With data: "<file to be removed>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Note: Presumably the <file to be removed> is specified by a remote attacker. See the Payload section below for additional detail.

Spammer:Win32/Tedroo.gen!B copies itself to %windir%\explorer.exe:userini.exe as an NTFS Alternate Data Stream. If this fails, it instead copies itself to %system root%\userini.exe.

Spammer:Win32/Tedroo.gen!B modifies the following registry entries to execute its copy at each Windows start:

  • Adds value: "explorer"
    With data: "<malware file>" (e.g. "%system root%\userini.exe")
    To subkeys:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
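As an added defensive check that is not part of the original write-up, the following PowerShell script looks on a Windows host for the persistence artifacts described above: the "explorer" Run values, the "id" and "remove" values under the Explorer key, the userini.exe alternate data stream on explorer.exe, and the fallback copy in the system root. The registry paths and value names are those listed above; the report wording is my own.

```powershell
# Added example (not from the original analysis): report the persistence
# artifacts described for Spammer:Win32/Tedroo.gen!B. Read-only; nothing is
# modified or removed.

$findings = @()

# 1. Run-key values named "explorer" in the four subkeys listed above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    $val = (Get-ItemProperty -Path $key -Name 'explorer' -ErrorAction SilentlyContinue).explorer
    if ($val) { $findings += "Run value 'explorer' in $key -> $val" }
}

# 2. "id" / "remove" data values under the HKLM Explorer key.
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
foreach ($name in 'id', 'remove') {
    $val = (Get-ItemProperty -Path $explorerKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val) { $findings += "Value '$name' under $explorerKey -> $val" }
}

# 3. Any named alternate data stream on %windir%\explorer.exe (the entry
#    describes explorer.exe:userini.exe) and the fallback file copy.
$explorer = Join-Path $env:windir 'explorer.exe'
$streams = Get-Item -Path $explorer -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' }   # ':$DATA' is the normal default stream
foreach ($s in $streams) {
    $findings += "ADS on explorer.exe: $($s.Stream) ($($s.Length) bytes)"
}
$fallback = Join-Path $env:SystemRoot 'userini.exe'
if (Test-Path -Path $fallback) { $findings += "File present: $fallback" }

# 4. Report.
if ($findings.Count -eq 0) {
    'No Tedroo.gen!B persistence artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell session so the HKLM keys and the explorer.exe streams are readable; a hit on the ADS check is the strongest single indicator, since explorer.exe normally carries only its default data stream.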

Payload
Sends spam email / Receives remote instructions

Spammer:Win32/Tedroo.gen!B tries to connect to a remote server in order to report the new infection and to retrieve commands. In the wild, Spammer:Win32/Tedroo.gen!B was observed contacting the following IP addresses for this purpose:

  • 91.207.6.34
  • 91.207.7.106

Spammer:Win32/Tedroo.gen!B may perform the following actions depending on commands retrieved from the remote host:

  • Send spam email with details that are retrieved from a remote server. Spammer:Win32/Tedroo.gen!B was observed using the following SMTP servers when sending spam:
  • Update itself
  • Connect to a specific website and act as an ad-clicker
  • Download and execute arbitrary files from a remote server
  • Start DoS (Denial of Service) attack.


Analysis by Shawn Wang

Last update 12 January 2010