Win32/Oderoor is a backdoor trojan that allows an attacker to access and control the compromised computer. This trojan may connect to remote web sites and SMTP servers.
The primary method of distribution for the Win32/Oderoor family is via Instant Messenger (IM). Messages are sent via Windows Live Messenger, prompting unsuspecting users to download and execute the trojan from the link provided.
This threat may be present as an executable within a .ZIP archive. The executable copy of the trojan may use a file name format similar to the following:
"img_###.JPEG-<e-mail address.com>"
where ### is a three-digit number, and <e-mail address.com> resembles an actual e-mail address.
For example, the trojan has been observed being distributed with the following file names (the e-mail addresses used in these examples have been edited):
img_011.JPEG-******@hotmail.com
pic_921.JPEG-******@yahoo.es.com
foto_420.JPG-******@gmail.com
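The lure file name format above, as an added PowerShell check (not part of the Microsoft write-up): it matches attachment or .ZIP entry names of the form "<letters>_###.JPEG-<e-mail address>" and lists matching entries inside a .ZIP. It assumes the prefix is any run of letters (the page shows img, pic and foto), that the extension token is JPG or JPEG, and it tolerates an optional trailing ".exe", since the file inside the archive is an executable; the sample names at the bottom are constructed.

```powershell
# Added example, not from the Microsoft write-up. Assumptions: any alphabetic
# prefix, JPG or JPEG token, any e-mail-like tail, optional trailing ".exe".
$LurePattern = '^[a-z]+_\d{3}\.jpe?g-[^@\\/\s]+@[^@\\/\s]+\.[a-z]{2,}(\.exe)?$'

function Test-OderoorLureName {
    param([Parameter(Mandatory)][string]$Name)
    # -match is case-insensitive by default in PowerShell
    return [bool]($Name -match $LurePattern)
}

# Walk a .ZIP attachment and report entries whose names follow the lure pattern.
function Get-OderoorLureEntries {
    param([Parameter(Mandatory)][string]$ZipPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if (Test-OderoorLureName $entry.Name) {
                [pscustomobject]@{ Zip = $ZipPath; Entry = $entry.FullName; Size = $entry.Length }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample names (not real samples) for a quick self-check;
# the first three should print True, the last two False.
'img_011.JPEG-someone@hotmail.com',
'foto_420.JPG-someone@gmail.com',
'img_011.JPEG-someone@hotmail.com.exe',
'holiday_photo.jpg',
'img_11.JPEG-someone@hotmail.com' | ForEach-Object {
    '{0,-5} {1}' -f (Test-OderoorLureName $_), $_
}
```

Run Get-OderoorLureEntries against a quarantined archive to list only the suspicious entries without extracting anything.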
Installation
When executed, Win32/Oderoor copies itself to the Windows system folder with a random file name, such as srrxfzo.exe. It also adds a registry entry to ensure that it runs at each Windows start, as in the following example:
Adds value: <random letters>
With data: <system folder>\<same random letters>.exe
Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
As a self-protection measure, when the machine is next started, Oderoor may create an additional copy of itself in the system folder with a randomly generated file name. Oderoor also adds a service to run this copy. The service display name and description are randomly chosen from the following list of pairs, while the service name is a randomly generated string:
Service Display Name | Description
AOL Antivirus Update Service | AOL Antivirus Update Service keeps your computer up to date.
AOL Connectivity Service | AOL Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
Network Connectivity Service | Network Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
ASF Agent | Intel Alert Standard Format Console is a part of a systems management suite.
Asset Management Daemon | Display configuration software used by several manufacturers.
ASUSKeyboardService | Asus Keyboard service provides additional configuration options for Asus keyboards.
Ati External Event Utility | ATI Video Card Control Panel
Ati HotKey Poller | ATI Video Card Control Panel
Backbone Service | PLM solutions make it possible to design and develop products by creating digital mockups.
bcveServ | Keeps your confidential data in a strongly encrypted form on your disk and provides you with transparent access.
BCL easyPDF SDK Loader | EasyPDF's Printer Driver makes it very easy and affordable to convert any document formats (including Word, Excel, and Powerpoint) to PDF.
BeTwin Terminal Services | Software that allows multiple users to simultaneously and independently share a personal computer.
Blue Coat K9 Web Protection | K9 Web Protection
BsHelpCS | BlueSoleil allows your Bluetooth radio enabled desktop or notebook computer to wirelessly access a wide variety of Bluetooth enabled digital devices.
C-DillaSrv | C-Dilla License Management software from MacroVison.
Canon BJ Memory Card Manager | Canon Bubblejet Memory Card Utility
Microsoft Local Alerter | Allows for fault, performance, and configuration management.
Creative ALchemy AL1 Licensing Service | EAX and 3D Audio restoration in Microsoft Windows.
Crypkey License | CrypKey Software Licensing System from Cobalt Systems
Crystal Report Application Server | Crystal Decisions Report Application Server
IMAPI CD-Burning COM Service | Image Mastering Applications Programming Interface from Microsoft used for CD recording.
PowerUtility TV Recording Reservation | TV Recording Reservation from Fujitso Limited.
RUMBA AS/400 Shared Folders | Provides connectivity from Microsoft Windows desktops to virtually any host system with mission critical reliability.
SigmaTel Audio Service | SigmaTel Audio Service part of the C-Major Audio driver.
SmartLinkService | Smartlink communication product that offers additional support to the modem service.
Websense CPM Report Scheduler | Increase web security and employee productivity through internet policy enforcement.
Winferno Subscription Service | Winferno Subscription Service.
Zip Backup to CD | Data backup software designed to backup your data files to CD/DVD, using the standard Zip file format
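The installation behaviour described above (a Run value named with random letters pointing at <system folder>\<same letters>.exe, plus a service whose display name is borrowed from the list) as an added PowerShell hunt, not part of the Microsoft write-up. It assumes the random names are purely alphabetic and that ImapiService is the legitimate Windows service name behind the IMAPI display name; anything it reports is a lead for manual review, not a verdict.

```powershell
# Added host-hunting example; not part of the Microsoft write-up.
# Flags (1) Run values whose name is a bare run of letters and whose data is
# "<system folder>\<same letters>.exe", and (2) services that reuse a display
# name from the list above but have an alphabetic, random-looking service name
# and an image in the system folder. Hits are leads for manual review.
$SystemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$SuspectDisplayNames = @(
    'AOL Antivirus Update Service', 'AOL Connectivity Service', 'Network Connectivity Service',
    'ASF Agent', 'Asset Management Daemon', 'ASUSKeyboardService', 'Ati External Event Utility',
    'Ati HotKey Poller', 'Backbone Service', 'bcveServ', 'BCL easyPDF SDK Loader',
    'BeTwin Terminal Services', 'Blue Coat K9 Web Protection', 'BsHelpCS', 'C-DillaSrv',
    'Canon BJ Memory Card Manager', 'Microsoft Local Alerter', 'Creative ALchemy AL1 Licensing Service',
    'Crypkey License', 'Crystal Report Application Server', 'IMAPI CD-Burning COM Service',
    'PowerUtility TV Recording Reservation', 'RUMBA AS/400 Shared Folders', 'SigmaTel Audio Service',
    'SmartLinkService', 'Websense CPM Report Scheduler', 'Winferno Subscription Service', 'Zip Backup to CD'
)
# Known-good service names that share a display name above (assumption; extend for your fleet).
$KnownGoodServiceNames = @('ImapiService')   # Windows' own IMAPI CD-Burning COM Service

function Find-OderoorRunEntries {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's PSPath/PSChildName properties and non-alphabetic names
        if ($p.Name -like 'PS*' -or $p.Name -notmatch '^[a-z]+$') { continue }
        $expected = Join-Path $SystemDir ($p.Name + '.exe')
        $data = ([string]$p.Value).Trim('"')
        if ($data -ieq $expected) {
            [pscustomobject]@{ Source = 'Run key'; Name = $p.Name; Path = $data }
        }
    }
}

function Find-OderoorServices {
    Get-CimInstance Win32_Service | Where-Object {
        $SuspectDisplayNames -contains $_.DisplayName -and
        $KnownGoodServiceNames -notcontains $_.Name -and
        $_.Name -match '^[a-z]+$' -and
        (([string]$_.PathName).Trim('"') -like (Join-Path $SystemDir '*.exe'))
    } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Display = $_.DisplayName; Path = $_.PathName }
    }
}

Find-OderoorRunEntries
Find-OderoorServices
```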
Payload
Backdoor Functionality
Oderoor opens up a port greater than 10000 on the infected machine in order to receive commands.
Oderoor contacts a remote server on UDP port 447, with initial infection information, allowing the server to connect back to the infected machine and instruct the malware to perform particular actions.
The backdoor is capable of providing the following information to the remote server:
It can also be instructed to perform the following actions:
Download and execute arbitrary files
Send e-mail via SMTP
Harvest e-mail addresses; Oderoor stores the collected addresses in %temp%\<random letters><random hexadecimal digit 0-F>.tmp. It looks for e-mail addresses in the My Documents directory, searching in files with the following extensions:
123
asm
c
cpp
csv
dbf
dif
doc
eps
h
htm
html
hwp
inc
info
jtd
nfo
ott
pdf
php
ps
rtf
sdc
sdw
slk
sxw
sys
tmp
txt
wab
wk1
wks
wpd
wps
xml
Terminates Processes: MSRT
Win32/Oderoor may create a thread that periodically attempts to terminate the following processes, should they be running on the affected machine:
mrt.exe
mrtstub.exe
These processes are associated with Microsoft's Malicious Software Removal Tool (MSRT).
Additional Information
The Win32/Oderoor executable may use an image file icon.
Analysis by Matt McCormack