Backdoor:Win32/Oderoor.gen!A is a backdoor Trojan that allows an attacker access to the compromised computer. This Trojan may connect with remote Web sites and SMTP servers.
Installation
This threat may be present within a .ZIP archive as an executable. The executable copy of the Trojan may use a file name format like "img_###.JPEG-<e-mail address.com>", where ### is a 3-digit number and <e-mail address.com> resembles an actual e-mail address.
Some examples of the Trojan file name (with e-mail address edited):
img_011.JPEG-******@hotmail.com
pic_921.JPEG-******@yahoo.es.com
foto_420.JPG-******@gmail.com
Because the e-mail address in the name ends in ".com", the file effectively carries a .COM extension, which Windows treats as a directly executable file. When it is run, it copies itself to the Windows system folder under a random file name, such as srrxfzo.exe. Next, the Trojan adds a registry entry so that it runs at each Windows startup, as in this example:
Adds value: <random letters>
With data: <system folder>\<same random letters>.exe
Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
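The two installation indicators above (the image-looking ".com" file name and the Run-key entry whose value name matches the random executable name) can be checked with simple heuristics. The following is an added example for defenders, not code from the original entry; the file names and registry values it tests against are constructed samples, and the "system folder" path is an assumption passed in by the caller.

```python
"""Heuristics for the Win32/Oderoor installation indicators (added example)."""
import re
from pathlib import PureWindowsPath

# Image-looking name ending in an e-mail address whose ".com" top-level domain
# doubles as the executable extension, e.g. "img_011.JPEG-user@hotmail.com".
IMAGE_MAIL_COM = re.compile(
    r"^[A-Za-z]+_\d{3}\.(?:jpe?g)-[^\\/@\s]+@[^\\/@\s]+\.com$", re.IGNORECASE
)


def looks_like_oderoor_dropper(filename: str) -> bool:
    """True when the name matches the img_###.JPEG-<address>.com pattern."""
    return IMAGE_MAIL_COM.match(filename) is not None


def suspicious_run_entries(run_values: dict, system_folder: str) -> list:
    """Flag Run-key values whose name is only letters and whose data is
    <system folder>\\<same letters>.exe, the persistence shape described above.

    run_values maps value name -> data string (a constructed sample here,
    not a live registry read); system_folder is supplied by the caller.
    """
    hits = []
    sysdir = PureWindowsPath(system_folder)
    for name, data in run_values.items():
        path = PureWindowsPath(data.strip('"'))
        # PureWindowsPath compares case-insensitively, as the registry does.
        same_dir = path.parent == sysdir
        if (same_dir and path.suffix.lower() == ".exe"
                and path.stem.lower() == name.lower() and name.isalpha()):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed samples modelled on the names listed in the entry.
    for fn in ["img_011.JPEG-someone@hotmail.com", "holiday_001.jpg"]:
        print(fn, "->", looks_like_oderoor_dropper(fn))
    sample_run = {
        "srrxfzo": r"C:\Windows\System32\srrxfzo.exe",   # constructed hit
        "OneDrive": r"C:\Users\demo\AppData\OneDrive.exe",  # benign shape
    }
    print(suspicious_run_entries(sample_run, r"C:\Windows\System32"))
```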
Payload
Opens TCP Ports
Win32/Oderoor may open a range of 100 high-numbered TCP ports, allowing an attacker access to the infected computer. Examples of TCP port ranges used are 38811 - 38910 and 48403 - 48502. The actual range is selected at random, but it always spans 100 ports.
Connects With SMTP Servers
This Trojan contains code to gather e-mail addresses; however, this functionality was not observed. Win32/Oderoor will try to connect to 3 different SMTP servers:
66.249.83.27 (gsmtp83.google.com)
64.233.163.27 (gsmtp163.google.com)
66.249.83.114 (gsmtp83-2.google.com)
Connects With Remote Sites
The Trojan attempts to connect to various remote Web sites with names like:
<random 6 letters>.yi.org
<random 6 letters>mooo.com
Additional Information
Win32/Oderoor uses an icon that makes it appear to be an image file.