
Spammer:Win32/Tedroo.A


First posted on 09 June 2019.
Source: Microsoft

Aliases:

Spammer:Win32/Tedroo.A is also known as Grum, Trojan.Win32.Buzus.cqit, Win32/Injector.AJF, Infostealer.Banker.C, TROJ_BUZUS.BKM.

Explanation:

Spammer:Win32/Tedroo.A is a trojan that sends spam e-mail messages. It retrieves configuration data from a remote server and sends spam to the retrieved e-mail addresses using SMTP servers.

Installation

Spammer:Win32/Tedroo.A modifies the following registry entries in order to store its data:

Adds value: "ii"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Adds value: "host"
With data: the IP address of the remote control server (one example observed being contacted in the wild for this purpose was IP 93.174.95.145, which hosts the domain sec3.helohmar.com)
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Adds value: "id"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

Payload

Sends spam

Spammer:Win32/Tedroo.A tries to connect to a remote server to report the infection and to retrieve information that is used to send spam e-mail. In the wild, we observed one instance of Spammer:Win32/Tedroo.A contacting sec3.helohmar.com for this purpose. The retrieved information is saved temporarily to <%TEMP%>.tmp.

Spammer:Win32/Tedroo.A sends spam messages to the retrieved e-mail addresses using configuration data it receives from the remote server. In order to send this spam, Spammer:Win32/Tedroo.A has been observed using the following SMTP servers:

mx1.hotmail.com
mx2.hotmail.com
mx3.hotmail.com
mx4.hotmail.com
a.mx.mail.yahoo.com
b.mx.mail.yahoo.com
c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
e.mx.mail.yahoo.com
f.mx.mail.yahoo.com
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
google.com.s9a2.psmtp.com
google.com.s9b1.psmtp.com
google.com.s9b2.psmtp.com

Analysis by Shawn Wang
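The indicators above (the three values written under the BITS registry key, the control server sec3.helohmar.com / 93.174.95.145, and direct connections to public MX hosts on port 25) can be turned into a host-and-network check. The following is an added example for this page, not code from the Microsoft description and not the trojan's code. It parses a Windows .reg export and a set of firewall log lines; both inputs are constructed here for illustration, the log line format (src=/dst=/dport=) and the relay address 10.0.0.25 are assumptions, and only the indicator values come from the description.

```python
import re

# Registry key where Tedroo.A stores its data (from the description above), written
# the way a .reg export spells it.  The BITS key itself is legitimate on Windows;
# the value names "ii", "host" and "id" under it are not.
BITS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS"
TEDROO_VALUES = {"ii", "host", "id"}

# Control server observed in the wild (from the description).
C2_DOMAIN = "sec3.helohmar.com"
C2_IP = "93.174.95.145"

# SMTP servers the trojan was observed using for spam delivery (from the description).
SPAM_MX_HOSTS = {
    "mx1.hotmail.com", "mx2.hotmail.com", "mx3.hotmail.com", "mx4.hotmail.com",
    "a.mx.mail.yahoo.com", "b.mx.mail.yahoo.com", "c.mx.mail.yahoo.com",
    "d.mx.mail.yahoo.com", "e.mx.mail.yahoo.com", "f.mx.mail.yahoo.com",
    "mailin-01.mx.aol.com", "mailin-02.mx.aol.com",
    "mailin-03.mx.aol.com", "mailin-04.mx.aol.com",
    "google.com.s9a2.psmtp.com", "google.com.s9b1.psmtp.com",
    "google.com.s9b2.psmtp.com",
}


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: data}}.

    Only REG_SZ values written as "name"="data" are handled, which is the form
    the three Tedroo.A values take.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def registry_hits(reg_text):
    """Return [(value_name, data)] for Tedroo.A value names present under the BITS key."""
    bits = parse_reg_export(reg_text).get(BITS_KEY, {})
    return sorted((name, bits[name]) for name in TEDROO_VALUES & set(bits))


# Assumed firewall log format (constructed): "src=<host> dst=<host> dport=<port>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def network_hits(log_lines, mail_relays=()):
    """Classify log lines; returns [(reason, line)].

    "c2" marks contact with the reported control server.  "direct-mx" marks a
    host that is not an approved mail relay talking to one of the listed MX
    servers on port 25, which is how a spam bot looks from the network.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], m["dport"]
        if dst in (C2_DOMAIN, C2_IP):
            hits.append(("c2", line))
        elif dport == "25" and dst in SPAM_MX_HOSTS and src not in mail_relays:
            hits.append(("direct-mx", line))
    return hits


# Constructed sample inputs for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"ii"="1"
"host"="93.174.95.145"
"id"="constructed-bot-id"
"""

SAMPLE_LOG = [
    "src=10.0.0.7 dst=sec3.helohmar.com dport=80",
    "src=10.0.0.7 dst=mx1.hotmail.com dport=25",
    "src=10.0.0.25 dst=a.mx.mail.yahoo.com dport=25",  # 10.0.0.25 is the assumed relay
    "src=10.0.0.7 dst=example.com dport=443",
]

if __name__ == "__main__":
    for hit in registry_hits(SAMPLE_REG):
        print("registry:", hit)
    for hit in network_hits(SAMPLE_LOG, mail_relays={"10.0.0.25"}):
        print("network:", hit)
```

The registry check is deliberately keyed on the value names rather than on the data, because the "host" and "id" data vary per infection while the names under the BITS key do not; the network check treats any non-relay host speaking SMTP to the listed MX servers as suspicious, which also catches a variant that changes its control server.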

Last update 09 June 2019
