Tedroo Spam Trojan (Mar 11, 2011)

SonicWALL UTM Research discovered a newer variant of the Tedroo trojan spreading in the wild. This variant of Tedroo was in turn found to be spamming a newer variant of the Spyeye trojan. When the Tedroo trojan is downloaded and executed it performs the following activities:

  • It creates the following files:
    • %temp%\DATF2.tmp.exe (Copy of Itself) [Detected as GAV: Tedroo.AQ (Trojan)]
    • %windir%\system32\drivers\str.sys (encrypted data file)

  • It creates the following registry entry to ensure that the dropped malware runs as a service on every system reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hxwclmobypwlr: "%temp%\DATF2.tmp.exe"
  • It makes the following HTTP requests to a remote IP address:
    • POST /548/getcfg.php – This request returns an encrypted configuration file
    • GET /spm/s_get_host.php?ver=548 – This request returns the public IP address of the infected host
    • GET /spm/s_alive.php?id={removed}&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0
      It reports back information regarding the infected machine with various parameters. Some of the parameters used are:
      • id: random id for infected machine
      • tick: system uptime in milliseconds
      • ver: version of Tedroo
      • smtp: Returns "ok" if SMTP servers are reachable after checking connectivity to the mail servers of Mail, Hotmail, Yahoo, Google and AOL
      • fw: returns firewall status
    • GET /spm/s_task.php?id={removed}&tid=38666 – This request returns a list of email addresses, email content to spam and other information

  • It spams the new Spyeye trojan. The email is crafted to appear as if it originates from DHL:

    [Screenshot: spam email crafted to appear as if sent by DHL]

  • The attachment in the email is a zip file which contains the following file:
    • doc.exe [Detected as GAV: Spyeye.Y (Trojan)]
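
The command-and-control requests listed above (getcfg.php, s_get_host.php, s_alive.php and s_task.php, with the s_alive.php parameters as documented) give a defender enough to flag infected hosts from web proxy logs. The following is an added example, not SonicWALL's code or anything from the analysis: it parses constructed proxy log lines, matches the request paths and decodes the beacon parameters. The log format ("epoch client_ip method url"), the destination address 203.0.113.7 and the bot id "abc123" are constructed for the sample; treating any numeric directory in front of getcfg.php as the same endpoint (the analysis shows only /548/) is an assumption made here.

```python
"""Flag Tedroo-style C2 requests in web proxy logs (added example, not from the analysis)."""
import re
from urllib.parse import parse_qs, urlsplit

# Request method and path pairs taken from the analysis above.
TEDROO_PATHS = {
    ("GET", "/spm/s_get_host.php"): "public_ip_lookup",
    ("GET", "/spm/s_alive.php"): "alive_beacon",
    ("GET", "/spm/s_task.php"): "spam_task_fetch",
}
# The config request sits under a numeric directory that equals the "ver" value
# (548 in the analysis). Accepting any numeric directory is an assumption here.
GETCFG_RE = re.compile(r"^/(\d+)/getcfg\.php$")

# Constructed sample log: "<epoch> <client_ip> <method> <url>". The C2 address,
# bot id and client addresses are made up; the paths and parameters are the
# ones documented in the analysis.
SAMPLE_LOG = """\
1299801600 10.0.0.15 POST http://203.0.113.7/548/getcfg.php
1299801601 10.0.0.15 GET http://203.0.113.7/spm/s_get_host.php?ver=548
1299801602 10.0.0.15 GET http://203.0.113.7/spm/s_alive.php?id=abc123&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0
1299801603 10.0.0.15 GET http://203.0.113.7/spm/s_task.php?id=abc123&tid=38666
1299801604 10.0.0.22 GET http://example.org/index.html
"""


def classify_request(method, url):
    """Return (kind, query_params) if the request matches a Tedroo C2 endpoint, else None."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    kind = TEDROO_PATHS.get((method.upper(), parts.path))
    if kind is None:
        m = GETCFG_RE.match(parts.path)
        if method.upper() == "POST" and m:
            kind = "config_fetch"
            params.setdefault("ver", m.group(1))  # version comes from the path here
    if kind is None:
        return None
    return kind, params


def describe_alive_beacon(params):
    """Decode the s_alive.php parameters the analysis documents."""
    tick = params.get("tick")
    return {
        "bot_id": params.get("id"),
        "version": params.get("ver"),
        # tick is system uptime in milliseconds; report whole seconds
        "uptime_seconds": int(tick) // 1000 if tick and tick.isdigit() else None,
        "smtp_reachable": params.get("smtp") == "ok",
        "firewall": params.get("fw"),
    }


def scan_log(text):
    """Return one finding per C2 request found in the log text."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url = fields
        hit = classify_request(method, url)
        if hit is None:
            continue
        kind, params = hit
        finding = {
            "time": int(ts),
            "client": client,
            "dest": urlsplit(url).hostname,
            "kind": kind,
            "version": params.get("ver"),
        }
        if kind == "alive_beacon":
            finding.update(describe_alive_beacon(params))
        findings.append(finding)
    return findings


def infected_hosts(findings):
    """Sorted list of client addresses that issued at least one C2 request."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print("hosts to isolate:", infected_hosts(scan_log(SAMPLE_LOG)))
```

The version in the s_alive.php and s_get_host.php query strings and in the getcfg.php path is recorded separately so that a newer variant changing only the number still groups with the same host, and the smtp and fw flags are decoded because they tell the responder whether the host has already been used to relay spam.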

SonicWALL Gateway AntiVirus provides protection against these threats via the following signatures:

GAV: Tedroo.AQ (Trojan)
GAV: Spyeye.Y (Trojan)
