Tedroo Spam Trojan

March 11, 2011

SonicWALL UTM Research discovered a new variant of the Tedroo trojan spreading in the wild. This variant of the Tedroo trojan was in turn found to be spamming a newer variant of the Spyeye trojan. When the Tedroo trojan is downloaded and executed it performs the following activities:

  • It creates the following files:
    • %temp%\DATF2.tmp.exe (Copy of Itself) [Detected as GAV: Tedroo.AQ (Trojan)]
    • %windir%\system32\drivers\str.sys (encrypted data file)

  • It creates the following registry entry to ensure that the dropped malware runs as a service on every system reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hxwclmobypwlr: "%temp%\DATF2.tmp.exe"
  • It makes the following HTTP requests to a remote IP address:
    • POST /548/getcfg.php - This request returns an encrypted configuration file
    • GET /spm/s_get_host.php?ver=548 - This request returns the public IP address of the infected host
    • GET /spm/s_alive.php?id={removed}&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0 -
      It reports back information regarding the infected machine with various parameters. Some of the parameters used are:
      • id: random id for infected machine
      • tick: system uptime in milliseconds
      • ver: version of Tedroo
      • smtp: returns "ok" if SMTP servers are reachable after checking connectivity to the mail servers of Mail, Hotmail, Yahoo, Google and AOL
      • fw: returns firewall status
    • GET /spm/s_task.php?id={removed}&tid=38666 - This request returns a list of email addresses, email content to spam and other information

  • It spams the new Spyeye trojan. The email is crafted to look as though it originates from DHL:


  • The attachment in the email is a zip file which contains the following file:
    • doc.exe [Detected as GAV: Spyeye.Y (Trojan)]
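The HTTP requests listed above give a defender a concrete detection surface. The following is an added example, not part of the original advisory, that scans proxy-style log lines for the Tedroo check-in paths and pulls out the beacon parameters (ver, smtp, fw, tid) the advisory describes. The log layout, the C2 address 198.51.100.7 and the id value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request paths the advisory lists as Tedroo command-and-control traffic.
TEDROO_PATHS = {
    "/548/getcfg.php": "encrypted config download",
    "/spm/s_get_host.php": "public IP lookup",
    "/spm/s_alive.php": "host status beacon",
    "/spm/s_task.php": "spam task download",
}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)$")


def classify(line):
    """Return a dict describing the request if it hits a Tedroo C2 path, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    label = TEDROO_PATHS.get(url.path)
    if label is None:
        return None
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "c2_host": url.hostname,
        "label": label,
        "ver": params.get("ver"),               # Tedroo version string
        "smtp_ok": params.get("smtp") == "ok",  # bot reports outbound SMTP reachable
        "fw": params.get("fw"),                 # firewall status flag
        "tid": params.get("tid"),               # spam task id
    }


def scan(lines):
    """Run classify() over log lines and return only the Tedroo hits, in order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log lines; the C2 address and id are placeholders, not from the advisory.
SAMPLE_LOG = [
    "2011-03-11T10:00:01Z 192.0.2.10 GET http://www.example.com/index.html",
    "2011-03-11T10:00:05Z 192.0.2.10 POST http://198.51.100.7/548/getcfg.php",
    "2011-03-11T10:00:06Z 192.0.2.10 GET http://198.51.100.7/spm/s_get_host.php?ver=548",
    "2011-03-11T10:00:07Z 192.0.2.10 GET http://198.51.100.7/spm/s_alive.php?id=PLACEHOLDER&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0",
    "2011-03-11T10:00:09Z 192.0.2.10 GET http://198.51.100.7/spm/s_task.php?id=PLACEHOLDER&tid=38666",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["c2_host"], hit["label"], hit)
```

A host that hits s_get_host.php and s_alive.php in quick succession with smtp=ok is a strong candidate for isolation before the s_task.php spam run begins.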

SonicWALL Gateway AntiVirus provides protection against these threats via the following signatures:

GAV: Tedroo.AQ (Trojan)
GAV: Spyeye.Y (Trojan)
