
Trojan.Spammer.Tedroo


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Spammer.Tedroo.

Explanation :

It's a spammer trojan. It usually spreads via links enclosed in spam mails. Lately, the file has come protected with an encrypter I would rather refer to as GLErrCrypt; its name comes from the use of the GetLastError API combined with one of the DestroyCursor/DestroyMenu/SetCursor/... APIs in order to trick emulators. We consider that GLErrCrypt is not Tedroo's own encrypter, because we have seen it used in lots of other malware families.


When run, the file copies itself as %windir%\services.exe and sets it as an allowed program in the Windows firewall. The firewall work is carried out using a temporary batch file (%windir%\file.bat), which adds the malware to the allowed programs and then deletes itself. The executable also sets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify to the value 1.

Tedroo uses the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop registry key to store its configuration data:
host - the server which should be contacted for tasks
id - the computer id (it is sent in every request to the server, presumably so the operators can keep statistics)

When run, Tedroo notifies the server of its existence with a query like:
http://host/spm/s_alive.php?id=<ID>&tick=<TICK>&ver=<VERSION>&smtp=<SMTP>
where ID is the computer's ID, TICK is the number of milliseconds elapsed since the system was started, VERSION is the version of the Tedroo binary, and SMTP is the string "ok" or "bad", telling the server whether the infected computer can reach mail servers on port 25 (SMTP).
In response, the server sends the malware a string encrypted with the ID parameter it passed, which decrypts to:
SPM_NET=http://host/spm/s_tasks.php?id=ID&ver=;
which the malware subsequently uses to fetch the tasks it should carry out.
Fetching the s_tasks.php page, the malware gets an XML configuration file with several elements:

taskid=
realip=
hostname=
maxthread=
from=

the list of recipients:
email1@host1.tld1
email2@host2.tld2
..
emailN@hostN.tldN

the body of the mail to be sent

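The check-in exchange described above is easy to spot in web-proxy logs. As an added example (not part of BitDefender's write-up), the Python below parses constructed proxy log lines for the s_alive.php/s_tasks.php requests, extracts the id/tick/ver/smtp parameters, and lists the clients that reported smtp=ok; the log format and the host name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic); assumed format: "<client_ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.12 GET http://example-host.invalid/spm/s_alive.php?id=1234abcd&tick=5582130&ver=5&smtp=ok
10.0.0.12 GET http://example-host.invalid/spm/s_tasks.php?id=1234abcd&ver=5
10.0.0.40 GET http://www.example.invalid/index.html
10.0.0.41 GET http://example-host.invalid/spm/s_alive.php?id=deadbeef&tick=91200&ver=5&smtp=bad
"""

# The two server-side scripts named in the write-up: the check-in and the task fetch.
BEACON_PATH = re.compile(r"/spm/s_(alive|tasks)\.php$")


def parse_tedroo_beacon(url):
    """Describe a Tedroo check-in or task fetch; return None if the URL does not match."""
    parts = urlsplit(url)
    m = BEACON_PATH.search(parts.path)
    if not m:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    info = {"kind": m.group(1), "host": parts.hostname, "id": q.get("id"), "ver": q.get("ver")}
    if m.group(1) == "alive":
        # tick is milliseconds since boot; convert to seconds for a readable uptime
        tick = q.get("tick")
        info["uptime_s"] = int(tick) // 1000 if tick and tick.isdigit() else None
        # smtp=ok means the bot can reach port 25, i.e. it is usable as a spam sender
        info["smtp_reachable"] = q.get("smtp") == "ok"
    return info


def scan_log(text):
    """Return a list of (client_ip, beacon_info) for every matching request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        info = parse_tedroo_beacon(fields[2])
        if info:
            hits.append((fields[0], info))
    return hits


def spam_capable_hosts(hits):
    """Client IPs that reported smtp=ok: prioritise these for containment."""
    return sorted({ip for ip, info in hits if info.get("smtp_reachable")})
```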
The sent emails are usually HTML-formatted, and the tasks Tedroo receives are templates which the bot fills in. Most of the mails sent (in the last few days) are spam messages that try to infect the user who clicks the embedded link with the Exchanger Trojan, but some of them just try to infect the user with a Tedroo variant.

Subjects used with high frequency lately:
Angelina Jolie Free Video.
Internet Explorer 7

An email example:

Last update 21 November 2011
