Backdoor:Win32/Oderoor.gen!A


Backdoor:Win32/Oderoor.gen!A is a backdoor Trojan that allows an attacker access to the compromised computer. This Trojan may connect with remote Web sites and SMTP servers.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
This threat may arrive inside a .ZIP archive as an executable. The executable copy of the Trojan may use a file name of the form "img_###.JPEG-<e-mail address.com>", where ### is a 3-digit number and <e-mail address.com> resembles a real e-mail address.
 
Some examples of the Trojan file name (with e-mail address edited):
 img_011.JPEG-******@hotmail.com
 pic_921.JPEG-******@yahoo.es.com
 foto_420.JPG-******@gmail.com
 
Because the file name ends in ".com", the file carries a .COM extension and Windows treats it as a direct executable. When run, the Trojan copies itself to the Windows system folder under a random file name such as srrxfzo.exe. It then adds a registry entry so that it runs at each Windows startup, as in this example:
 Adds value: <random letters>
 With data: <system folder>\<same random letters>.exe
 Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Payload
Opens TCP Ports
Win32/Oderoor may open a range of 100 high-numbered TCP ports, giving an attacker access to the infected computer. Examples of the TCP port ranges used are 38811 - 38910 and 48403 - 48502. The range itself is selected at random, but it always consists of 100 ports.
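The naming, persistence and port-range indicators described in the Installation and Opens TCP Ports sections above can be turned into host-side checks. The following is an added example written for this page, not Microsoft's detection logic; the system folder path and the sample Run-key entries and port lists it is tested against are constructed assumptions.

```python
"""Constructed detection helpers for the Win32/Oderoor indicators above
(added example, not Microsoft's own detection logic)."""
import re
from typing import List, Optional, Tuple

# Trailing extensions Windows runs directly; image extensions it would not.
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
IMAGE_EXTS = {".jpeg", ".jpg", ".gif", ".png", ".bmp"}
# img_011.JPEG-xxxx@hotmail.com: fake image extension, real ".com" at the end.
ODEROOR_NAME = re.compile(r"^(?:img|pic|foto)_\d{3}\.jpe?g-[^@\\/]+@[^@\\/]+\.com$")
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumed system folder on the sample host


def classify_filename(name: str) -> Optional[str]:
    """Return why a file name looks like a disguised executable, else None."""
    lower = name.lower()
    if ODEROOR_NAME.match(lower):
        return "oderoor-pattern"
    if "." not in lower:
        return None
    stem, real_ext = lower.rsplit(".", 1)
    if real_ext in EXECUTABLE_EXTS and any(ext in stem for ext in IMAGE_EXTS):
        return "double-extension"
    return None


def suspicious_run_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Flag Run-key values whose name is bare letters and whose data is
    <system folder>\\<same letters>.exe, the persistence shape described above."""
    hits = []
    for value, data in entries:
        if value.isalpha() and data.lower() == f"{SYSTEM_DIR}{value.lower()}.exe":
            hits.append(value)
    return hits


def find_port_runs(listening: List[int], length: int = 100) -> List[Tuple[int, int]]:
    """Return (first, last) of each run of >= `length` consecutive listening
    ports above 1024; Oderoor opens a random run of exactly 100."""
    ports = sorted({p for p in listening if p > 1024})
    runs, start = [], None
    for i, p in enumerate(ports):
        start = p if start is None else start
        if i + 1 == len(ports) or ports[i + 1] != p + 1:
            if p - start + 1 >= length:
                runs.append((start, p))
            start = None
    return runs
```

The Run-key check is a heuristic: legitimate all-letter names that also live in the system folder will match and need an allow list.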
 
Connects With SMTP Servers
This Trojan contains code to gather e-mail addresses; however, this functionality was not observed. Win32/Oderoor will try to connect to 3 different SMTP servers:
 66.249.83.27 (gsmtp83.google.com)
 64.233.163.27 (gsmtp163.google.com)
 66.249.83.114 (gsmtp83-2.google.com)
 
Connects With Remote Sites
The Trojan attempts to connect to various remote Web sites with names like the following:
 <random 6 letters>.yi.org
 <random 6 letters>mooo.com
 
Additional Information
Win32/Oderoor uses an icon that makes it appear to be an image file.

Symptoms

This Trojan may trigger alerts from installed firewall applications when it connects to remote Web sites. The sites may be identified by IP address or by resolved domain name, such as the following:
 66.249.83.27 (gsmtp83.google.com)
 64.233.163.27 (gsmtp163.google.com)
 66.249.83.114 (gsmtp83-2.google.com)
 
The offending program will have a randomized filename such as 'btnnlfvisrwu.exe' or 'srrxfzo.exe'.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 07, 2008
This entry was updated on: May 14, 2010

This threat is also detected as:
  • Win32/Agent.worm.83968 (AhnLab)
  • Win32/Agent.NHE (ESET)
  • Email-Worm.Win32.Agent.bg (Kaspersky)
  • W32/Lmir.JXL (Norman)
  • Hacktool.Spammer (Symantec)
  • Worm:Win32/Agent.AM (other)
  • Kraken botnet (other)
  • Backdoor.Spakrab (other)