Backdoor:Win32/Oderoor.gen!A is a backdoor Trojan that gives an attacker access to the compromised computer. This Trojan may connect to remote Web sites and SMTP servers.
This threat may arrive inside a .ZIP archive as an executable. The executable copy of the Trojan may use a file name of the form "img_###.JPEG-<e-mail address.com>", where ### is a 3-digit number and <e-mail address.com> resembles an actual e-mail address.
Some examples of the Trojan file name (with e-mail address edited):
The file has a .COM extension, making it directly executable. When run, it copies itself to the Windows system folder under a random file name, such as srrxfzo.exe. Next, the Trojan adds a registry entry so that it runs at each Windows startup, as in this example:
Adds value: <random letters>
With data: <system folder>\<same random letters>.exe
Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
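The persistence indicator above (a Run value whose name is a string of random letters and whose data points to an .exe of the same name in the system folder) can be checked mechanically. The following is an added example, not code from Microsoft's entry: it parses the output format of `reg query` for the Run key and flags entries that fit that shape. The sample output is constructed; the `srrxfzo` entry mirrors the page's example and the other two are made-up benign entries for contrast.

```python
import re
import ntpath

# Constructed "reg query HKLM\...\Run" output (not from the original page).
# "srrxfzo" mirrors the page's example; the other two entries are invented
# ordinary-looking values that the check should leave alone.
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    srrxfzo    REG_SZ    C:\Windows\system32\srrxfzo.exe
"""

# Ways the Windows system folder commonly appears in Run data (compared case-insensitively).
SYSTEM_FOLDER_PREFIXES = (
    "c:\\windows\\system32\\",
    "%systemroot%\\system32\\",
    "%windir%\\system32\\",
)
# "Random letters" as on the page: lowercase letters only, no digits or punctuation.
RANDOM_LETTERS_RE = re.compile(r"^[a-z]{5,16}$")


def parse_run_values(reg_text):
    """Yield (value_name, reg_type, data) from reg.exe output; columns are separated by 2+ spaces."""
    for line in reg_text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line, not a value row
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            yield parts[0], parts[1], parts[2]


def executable_path(data):
    """Extract the program path from value data, honouring quotes and dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def find_oderoor_style_run_entries(reg_text):
    """Flag Run values whose name equals a letters-only .exe stem located in the system folder."""
    flagged = []
    for name, _reg_type, data in parse_run_values(reg_text):
        path = executable_path(data)
        in_system_folder = path.lower().startswith(SYSTEM_FOLDER_PREFIXES)
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if in_system_folder and ext.lower() == ".exe" and RANDOM_LETTERS_RE.match(stem) and name == stem:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(find_oderoor_style_run_entries(REG_QUERY_SAMPLE))
```

On a live system the same check runs over `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` output. The name-shape rule is a heuristic: a legitimately installed program with a short lowercase name in System32 would also match, so a hit should be corroborated with the file's signature or hash and with the network behaviour described in the rest of this entry.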
Opens TCP Ports
Win32/Oderoor may open a range of 100 high-numbered TCP ports, allowing an attacker access to the infected computer. Examples of TCP port ranges used are 38811 - 38910 and 48403 - 48502. The range itself is chosen at random, but 100 ports are always selected.
Connects With SMTP Servers
This Trojan contains code to gather e-mail addresses; however, this functionality was not observed. Win32/Oderoor will try to connect to 3 different SMTP servers:
Connects With Remote Sites
The Trojan attempts to connect to various remote Web sites with names like:
<random 6 letters>.yi.org
<random 6 letters>.mooo.com
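The two network indicators in this entry, the block of 100 consecutive listening TCP ports and the six-letter host names under yi.org and mooo.com, can both be matched against host and resolver data. The following is an added example, not code from Microsoft's entry: it parses `netstat -ano`-style output to find any process listening on 100 or more consecutive high ports, and scans DNS query records for the host-name pattern. Both inputs are constructed samples in a hypothetical log layout (time, client, queried name, record type); the PIDs and client address are invented.

```python
import re
from collections import defaultdict

# Constructed "netstat -ano" output (not from the original page).
# PID 2216 plays the infected process with 100 consecutive high ports (the
# page's 38811 - 38910 example); PID 1000 is a decoy with a short run.
NETSTAT_SAMPLE = (
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908\n"
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4\n"
    + "".join(f"  TCP    0.0.0.0:{p:<14} 0.0.0.0:0              LISTENING       1000\n"
              for p in range(40000, 40020))
    + "".join(f"  TCP    0.0.0.0:{p:<14} 0.0.0.0:0              LISTENING       2216\n"
              for p in range(38811, 38911))
)

# Constructed resolver log lines in a hypothetical format: time, client, qname, type.
DNS_SAMPLE = """\
10:14:03 192.0.2.5 update.microsoft.com A
10:14:07 192.0.2.5 qwerty.yi.org A
10:14:09 192.0.2.5 abcdefg.yi.org A
10:14:12 192.0.2.5 zxcvbn.mooo.com A
10:14:15 192.0.2.5 mooo.com A
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Exactly six lowercase letters, then one of the two dynamic-DNS parents named on the page.
ODEROOR_DOMAIN_RE = re.compile(r"^[a-z]{6}\.(?:yi\.org|mooo\.com)$")


def parse_listening_ports(netstat_text):
    """Map each PID to the sorted list of TCP ports it holds in LISTENING state."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            by_pid[m.group(2)].add(int(m.group(1)))
    return {pid: sorted(ports) for pid, ports in by_pid.items()}


def find_consecutive_port_blocks(ports_by_pid, min_run=100, min_port=1024):
    """Return (pid, first_port, last_port) for every PID listening on >= min_run consecutive high ports."""
    hits = []
    for pid, ports in sorted(ports_by_pid.items()):
        high = [p for p in ports if p >= min_port]
        start = prev = None
        for p in high + [None]:  # None is a sentinel that closes the final run
            if prev is not None and p == prev + 1:
                prev = p
                continue
            if start is not None and prev - start + 1 >= min_run:
                hits.append((pid, start, prev))
            start = prev = p
    return hits


def match_oderoor_domains(dns_lines):
    """Return the queried names that fit the <6 letters>.yi.org / <6 letters>.mooo.com pattern."""
    matches = []
    for line in dns_lines:
        fields = line.split()
        if len(fields) >= 3 and ODEROOR_DOMAIN_RE.match(fields[2]):
            matches.append(fields[2])
    return matches


if __name__ == "__main__":
    print(find_consecutive_port_blocks(parse_listening_ports(NETSTAT_SAMPLE)))
    print(match_oderoor_domains(DNS_SAMPLE.splitlines()))
```

The port check keys on the shape of the behaviour (one process, 100 adjacent high ports) rather than on the two example ranges, since the entry states the range is chosen at random. A process that legitimately binds a large contiguous port block would also be reported, so a hit is a triage lead to pair with the Run-key and file-name indicators, not a verdict on its own.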
Win32/Oderoor has an icon that makes it appear as if it were an image file.
This Trojan may trigger alerts from installed firewall applications when connecting to remote Web sites. The sites may be identified by IP address or by resolved domain name, such as the following:
The offending program will have a randomized file name such as 'btnnlfvisrwu.exe' or 'srrxfzo.exe'.