A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6609  by Xylitol
 Wed Jun 01, 2011 2:26 pm
Trojan.Spambot: Tedroo

https://www.mysonicwall.com/sonicalert/ ... cle&id=317
http://www.bitdefender.com/VIRUS-100036 ... edroo.html

20/42 >> 47.6%
http://www.virustotal.com/file-scan/rep ... 1306935223
Code: Select all
220 mx.google.com ESMTP e25si2595928anp.203
HELO mx1.jbsl.com
250 mx.google.com at your service
MAIL FROM:<kdkddfbf@uaag.com>
250 2.1.0 OK e25si2595928anp.203
RCPT TO:<japanisalie@gmail.com>
250 2.1.5 OK e25si2595928anp.203
354  Go ahead e25si2595928anp.203
Received: from [] ([] helo=localhost.localdomain)
.by smtpn.cmffex.com (envelope-from <kdkddfbf@uaag.com>)
.(ecelerity r(61761)) with ESMTP
.id 39eE-476-4052e629Y6; Wed, 1 Jun 2011 04:04:30 +0100
To: japanisalie@gmail.com
Message-Id: <201106011408.YZNRH659@qhug1.com>
Date: Wed, 1 Jun 2011 04:01:04 +0100
Sender: kdkddfbf@uaag.com
From: "Gucci Louis.Vuitton" <kdkddfbf@uaag.com>
Mime-Version: 1.0
Subject: Replica-SHOP : Luxury Watches, Bags, Shoes vzi
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit

Super Replicas - Luxury Watches, Bags, Jewelry, Phones, Shoes - Unbelievable Pricing!
Watch shows your status! Girls love cool watch! ctl


550-5.7.1 [       7] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked. Please visit                          
550-5.7.1 http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 for
550 5.7.1 more information. e25si2595928anp.203

pwd: xylibox
(269.34 KiB) Downloaded 81 times
 #21664  by C4$h
 Thu Dec 12, 2013 8:59 pm
Hello, knows anyone here new information regarding the Grum bots?
http://krebsonsecurity.com/2012/08/insi ... um-botnet/
I will always whisper the source would be found in the network analysis.
Furthermore, I, the panel of Grum bots sent.
Does a more info or has binary files, source of the bots?

Thank you

best regards
 #21666  by Xylitol
 Thu Dec 12, 2013 9:19 pm
From what's i've saw the 'leaked' package is absolutely broken.
I've released a small fix for the panel anyway (i was curious to see the interface) of course my fix can't be used for 'real case' there is too much work to do and the php code is really ugly, i don't know who coded the web app but... :?
Image Image Image
As see here some actions was took: http://www.kernelmode.info/forum/viewto ... 70&p=14752
But Tedroo guys still continue to use it, current version of grum is 722 and the leaked source is version 447.
There is also some people who like to show-off that they have 'latest' grum, have a look on the html file in attachement and on Spammer.Win32.Tedroo.gen!B.zip for a bin of the latest version.
https://www.virustotal.com/en/file/e497 ... 386885152/
(18.27 KiB) Downloaded 63 times
no password, not malicious.
(237.17 KiB) Downloaded 50 times
(899.02 KiB) Downloaded 58 times