Spammer:Win32/Tedroo.AA is a trojan that is used to send spam. It may disable a number of Windows services, including the Windows Firewall and Shared Access.
Installation
When run, Spammer:Win32/Tedroo.AA attempts to copy itself to the system as C:\windows\system32\servises.exe. It also creates the file C:\windows\system32\_id.dat.
It modifies the system registry so that its copy automatically runs whenever Windows starts:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "servises"
With data: "<system folder>\servises.exe"
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "servises"
With data: "<system folder>\servises.exe"
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "servises"
With data: "<system folder>\servises.exe"
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "servises"
With data: "<system folder>\servises.exe"
It also creates the following registry entries as part of its installation routine:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\services
Adds value: "del"
With data: "<system folder>\servises.exe"
Payload
Sends spam e-mail messages
Spammer:Win32/Tedroo.AA sends spam e-mail messages from the infected system. Initially it connects to the IP address 91.207.7.234 and sends selected information about the configuration of the affected computer. In response, it receives the content of the spam e-mail to send and a list of recipient e-mail addresses to target.
Modifies system settings
Spammer:Win32/Tedroo.AA modifies some of the system's settings, such as the following:
Modifies Windows Firewall settings
Spammer:Win32/Tedroo.AA disables the Windows firewall by editing the following registry entries:
Under key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Adds value: "EnableFirewall"
With data: "0"
Under key: HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Adds value: "EnableFirewall"
With data: "0"
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallDisableNotify"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "FirewallOverride"
With data: "1"
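The following PowerShell script is an added example, not part of the original write-up and not a Microsoft tool. It reads the autorun entries listed under Installation and the firewall values listed under Modifies Windows Firewall settings, plus the two dropped files, and reports which of those indicators are present on the host it runs on. It only reads the registry and file system; it changes nothing. The use of [Environment]::SystemDirectory for "<system folder>" and the treatment of the "del" value as an installation marker are this example's assumptions.

```powershell
# Added example (not from the original write-up): checks a Windows host for the
# registry and file indicators that the description attributes to
# Spammer:Win32/Tedroo.AA. Read-only; run from an elevated PowerShell session.

# Assumption: "<system folder>" in the write-up is the Windows system directory.
$sysDir = [Environment]::SystemDirectory   # normally C:\Windows\system32

# Autorun locations and value name listed under "Installation".
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

# Firewall values the write-up says are set, with the data it reports.
$firewallChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';        Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';        Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallOverride';      Bad = 1 }
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try {
        return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$findings = @()

# 1. Dropped files named in the description.
foreach ($f in @('servises.exe', '_id.dat')) {
    $p = Join-Path $sysDir $f
    if (Test-Path $p) { $findings += "File present: $p" }
}

# 2. The "servises" autorun value in each Run location.
foreach ($k in $runKeys) {
    $v = Get-RegValue -Key $k -Name 'servises'
    if ($null -ne $v) { $findings += "Autorun value: $k\servises = $v" }
}

# 3. The "del" value the write-up lists as part of the installation routine.
$delKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\services'
$del = Get-RegValue -Key $delKey -Name 'del'
if ($null -ne $del) { $findings += "Installation marker: $delKey\del = $del" }

# 4. Firewall tampering values, matched against the data the write-up reports.
foreach ($c in $firewallChecks) {
    $v = Get-RegValue -Key $c.Key -Name $c.Name
    if ($null -ne $v -and [int]$v -eq $c.Bad) {
        $findings += "Firewall setting: $($c.Key)\$($c.Name) = $v"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the Tedroo.AA indicators from this write-up were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the autorun value or the dropped files is a strong signal; a hit on the firewall values alone is not, because EnableFirewall=0 under the Policies hive can also be set by legitimate Group Policy, so corroborate it with the other indicators before treating the host as infected.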
Analysis by Jaime Wong