Win32/Oderoor


Backdoor:Win32/Oderoor is a backdoor trojan that gives an attacker access to, and control of, the compromised computer. It may connect to remote web sites and SMTP servers.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Win32/Oderoor is a backdoor trojan that gives an attacker access to, and control of, the compromised computer. It may connect to remote web sites and SMTP servers.
 
The primary distribution method for the Win32/Oderoor family is instant messaging (IM): messages sent through Windows Live Messenger prompt unsuspecting users to download and execute the trojan from the link provided.
 
This threat may be present as an executable within a .ZIP archive. The executable copy of the trojan may use a file name in a format similar to the following:
"img_###.JPEG-<e-mail address.com>"
where ### is a 3-digit number and <e-mail address.com> resembles an actual e-mail address. The name is chosen so that the visible part looks like an image file tagged with an address, while the real extension is the trailing ".com", which Windows treats as an executable.
 
For example, the trojan has been observed being distributed with the following file names (the e-mail addresses used in these examples have been edited):
img_011.JPEG-******@hotmail.com
pic_921.JPEG-******@yahoo.es.com
foto_420.JPG-******@gmail.com
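The check below is an added example, not code from the original page or from Microsoft. It flags file names built on the scheme above, on their own and inside an in-memory .ZIP archive, and splits each hit into the part the victim sees and the real extension. The set of prefix words, image extensions and executable extensions beyond .com is an assumed generalization of the three observed names; the sample archive is constructed here and contains no real malware.

```python
import io
import re
import zipfile

# Extensions Windows treats as executable regardless of what precedes them (assumed list).
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}

# Assumed generalization of the naming scheme on the page:
#   <word>_<3 digits>.<image ext>-<local-part>@<domain>.<real extension>
LURE_RE = re.compile(
    r"^(?P<stem>[A-Za-z]+)_(?P<num>\d{3})"
    r"\.(?P<img>jpe?g|png|gif|bmp)"
    r"-(?P<local>[^@\\/\s]+)@(?P<domain>[A-Za-z0-9.-]+)"
    r"\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)


def classify_name(name: str):
    """Return a dict describing the lure, or None when the name does not fit the scheme."""
    m = LURE_RE.match(name)
    if not m:
        return None
    ext = m.group("ext").lower()
    return {
        "name": name,
        # what the victim reads as the file name
        "looks_like": f"{m.group('stem')}_{m.group('num')}.{m.group('img')}",
        # the fake e-mail address, whose last label is the real extension
        "fake_address": f"{m.group('local')}@{m.group('domain')}.{m.group('ext')}",
        "real_extension": ext,
        "executable": ext in EXECUTABLE_EXTS,
    }


def suspicious_members(zip_bytes: bytes):
    """List members of a ZIP (given as bytes) whose names are executable image lures."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = classify_name(info.filename.rsplit("/", 1)[-1])
            if verdict and verdict["executable"]:
                hits.append(verdict)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: two lure names and one benign image (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img_011.JPEG-someone@hotmail.com", b"MZ")   # constructed lure
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")               # benign
        zf.writestr("foto_420.JPG-friend@gmail.com", b"MZ")       # constructed lure
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample_zip()):
        print(f"{hit['name']}: shown as {hit['looks_like']}, really .{hit['real_extension']}")
```

The same name with a harmless trailing label (for example ".txt") still matches the pattern but is reported as non-executable, so a mail or IM gateway can log the lure shape without blocking every address-like name.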
Installation
When executed, Win32/Oderoor copies itself to the Windows system folder under a random file name, such as srrxfzo.exe. It also adds a registry entry so that it runs at each Windows start, as in the following example:
Adds value: <random letters>
With data: <system folder>\<same random letters>.exe
Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default system folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
 
As a self-protection measure, when the machine is next started Oderoor may create an additional copy of itself in the system folder with a randomly generated file name and register a service to run that copy. The service name is a randomly generated string; the display name and description are chosen at random from the following list of pairs, reproduced as listed:
 
Service display name | Description
AOL Antivirus Update Service | AOL Antivirus Update Service keeps your computer up to date.
AOL Connectivity Service | AOL Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
Network Connectivity Service | Network Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
ASF Agent | Intel Alert Standard Format Console is a part of a systems management suite.
Asset Management Daemon | Display configuration software used by several manufacturers.
ASUSKeyboardService | Asus Keyboard service provides additional configuration options for Asus keyboards.
Ati External Event Utility | ATI Video Card Control Panel
Ati HotKey Poller | ATI Video Card Control Panel
Backbone Service | PLM solutions make it possible to design and develop products by creating digital mockups.
bcveServ | Keeps your confidential data in a strongly encrypted form on your disk and provides you with transparent access.
BCL easyPDF SDK Loader | EasyPDF's Printer Driver makes it very easy and affordable to convert any document formats (including Word, Excel, and Powerpoint) to PDF.
BeTwin Terminal Services | Software that allows multiple users to simultaneously and independently share a personal computer.
Blue Coat K9 Web Protection | K9 Web Protection
BsHelpCS | BlueSoleil allows your Bluetooth radio enabled desktop or notebook computer to wirelessly access a wide variety of Bluetooth enabled digital devices.
C-DillaSrv | C-Dilla License Management software from MacroVison.
Canon BJ Memory Card Manager | Canon Bubblejet Memory Card Utility
Microsoft Local Alerter | Allows for fault, performance, and configuration management.
Creative ALchemy AL1 Licensing Service | EAX and 3D Audio restoration in Microsoft Windows.
Crypkey License | CrypKey Software Licensing System from Cobalt Systems
Crystal Report Application Server | Crystal Decisions Report Application Server
IMAPI CD-Burning COM Service | Image Mastering Applications Programming Interface from Microsoft used for CD recording.
PowerUtility TV Recording Reservation | TV Recording Reservation from Fujitso Limited.
RUMBA AS/400 Shared Folders | Provides connectivity from Microsoft Windows desktops to virtually any host system with mission critical reliability.
SigmaTel Audio Service | SigmaTel Audio Service part of the C-Major Audio driver.
SmartLinkService | Smartlink communication product that offers additional support to the modem service.
Websense CPM Report Scheduler | Increase web security and employee productivity through internet policy enforcement.
Winferno Subscription Service | Winferno Subscription Service.
Zip Backup to CD | Data backup software designed to backup your data files to CD/DVD, using the standard Zip file format
Payload
Backdoor Functionality
Oderoor listens on a port numbered above 10000 on the infected machine in order to receive commands.
Oderoor sends initial infection information to a remote server on UDP port 447; the server then connects back to the infected machine on the listening port and instructs the malware to perform particular actions.
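The two-step exchange above (outbound UDP/447 check-in, then an inbound connection from the same server to a high port) is what makes the behaviour detectable from a host firewall log. The following is an added example, not code from the original page or from Microsoft: it parses lines in the Windows Firewall (pfirewall.log) field order and pairs each inbound TCP connection to a port above 10000 with a preceding UDP/447 check-in to the same peer. The log lines and the ten-minute correlation window are constructed assumptions; the field layout is the standard pfirewall.log header.

```python
from datetime import datetime, timedelta

C2_UDP_PORT = 447      # initial check-in port named on the page
HIGH_PORT_MIN = 10001  # "a port greater than 10000"

# Constructed log excerpt in pfirewall.log field order (not from a real host).
# 203.0.113.9 receives the UDP/447 check-in and then connects back to port 13824;
# 192.0.2.44 connects to the same port with no preceding check-in.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-04-22 10:01:02 ALLOW UDP 192.168.1.5 192.168.1.1 1043 53 0 - - - - - - - SEND
2008-04-22 10:01:05 ALLOW UDP 192.168.1.5 203.0.113.9 1044 447 0 - - - - - - - SEND
2008-04-22 10:01:09 ALLOW TCP 203.0.113.9 192.168.1.5 51210 13824 0 S 123 0 8192 - - - RECEIVE
2008-04-22 10:02:00 ALLOW TCP 192.168.1.5 198.51.100.7 1045 80 0 S 456 0 8192 - - - SEND
2008-04-22 10:02:30 DROP TCP 192.0.2.44 192.168.1.5 40000 13824 0 S 789 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data line; comment/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({
            "when": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "sport": int(f[6]), "dport": int(f[7]), "path": f[-1],
        })
    return rows


def find_oderoor_pattern(text, window=timedelta(minutes=10)):
    """Split inbound high-port connections into those explained by a prior UDP/447
    check-in to the same peer (correlated) and those without one (unexplained)."""
    rows = parse_firewall_log(text)
    beacons = [r for r in rows
               if r["proto"] == "UDP" and r["path"] == "SEND" and r["dport"] == C2_UDP_PORT]
    correlated, unexplained = [], []
    for r in rows:
        if r["proto"] != "TCP" or r["path"] != "RECEIVE" or r["dport"] < HIGH_PORT_MIN:
            continue
        prior = [b for b in beacons
                 if b["src"] == r["dst"] and b["dst"] == r["src"]
                 and timedelta(0) <= r["when"] - b["when"] <= window]
        entry = {"host": r["dst"], "peer": r["src"], "port": r["dport"],
                 "action": r["action"], "when": r["when"].isoformat(sep=" ")}
        if prior:
            entry["beacon_at"] = prior[-1]["when"].isoformat(sep=" ")
            correlated.append(entry)
        else:
            unexplained.append(entry)
    return correlated, unexplained


if __name__ == "__main__":
    hits, rest = find_oderoor_pattern(SAMPLE_LOG)
    for h in hits:
        print(f"{h['host']} checked in to {h['peer']} at {h['beacon_at']}, "
              f"connect-back to port {h['port']} ({h['action']}) at {h['when']}")
    for r in rest:
        print(f"unexplained inbound to {r['host']}:{r['port']} from {r['peer']} ({r['action']})")
```

The high-port rule alone fires on any legitimate service that listens above 10000, so the UDP/447 check-in is what makes the match specific; the unexplained list is kept for triage rather than treated as a detection. A DROP on the connect-back, as in the last sample line, shows the firewall in the Prevention section doing its job, but the outbound check-in that preceded it still indicates an infected host.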
 
The backdoor is capable of providing the following information to the remote server:
  • Windows version
  • memory/cpu statistics
  • extended internet connection information (i.e. number of allowed connections, adapter information, upload speed)
  • hostname
  • country
  • language
It can also be instructed to perform the following actions:
  • Download and execute arbitrary files
  • Send e-mail via SMTP
  • Harvest e-mail addresses; Oderoor stores the collected addresses in %temp%\<random letters><random hexadecimal digit 0-F>.tmp. It looks for e-mail addresses in the My Documents directory, searching files with the following extensions:
    123, asm, c, cpp, csv, dbf, dif, doc, eps, h, htm, html, hwp, inc, info, jtd, nfo, ott, pdf, php, ps, rtf, sdc, sdw, slk, sxw, sys, tmp, txt, wab, wk1, wks, wpd, wps, xml
 
Terminates Processes: MSRT
Win32/Oderoor may create a thread that periodically attempts to terminate the following processes, should they be running on the affected machine:
mrt.exe
mrtstub.exe
These processes are associated with Microsoft's Malicious Software Removal Tool (MSRT).
Additional Information
The Win32/Oderoor executable may use an image-file icon to reinforce the picture lure.
 
Analysis by Matt McCormack

Symptoms

System Changes
The following system changes may indicate the presence of Backdoor:Win32/Oderoor:
  • Presence of the following registry modification (or similar):
    Adds value: <random letters>
    With data: <system folder>\<same random letters>.exe
    Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Presence of a service with the following details (or similar; the display name may instead be one of the pairs listed under Installation):
    Service display name: Print Spooler Service
    Description: <empty>
    Service name: <random letters>
    Startup type: automatic
    Path: <system folder>\<random name>.exe /service
  • Presence of the following file:
    %temp%\<random letters><random hexadecimal digit 0-F>.tmp
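As an added example, not code from the original page or from Microsoft, the following Python applies the three indicators above to snapshots of the Run key, the service list and %temp%, reporting why each hit was flagged and how many e-mail addresses a candidate harvest file holds. The registry and service snapshots are constructed inline (as dictionaries, so the logic runs on any platform), the length bounds on the random name, the short subset of lure display names, and the /service argument as the deciding path feature are assumptions, and the temp directory is built in a scratch folder rather than read from a live host.

```python
import ntpath
import os
import re
import tempfile

SYSTEM_DIR = r"C:\Windows\System32"   # XP/Vista default named on the page

# Subset of the display names the page lists, plus the one under Symptoms (assumption:
# any name from the page's list counts when paired with the suspicious path below).
LURE_DISPLAY_NAMES = {
    "print spooler service", "aol antivirus update service", "aol connectivity service",
    "network connectivity service", "asf agent", "imapi cd-burning com service",
    "sigmatel audio service", "zip backup to cd",
}
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,12}$", re.IGNORECASE)      # e.g. srrxfzo (bounds assumed)
HARVEST_FILE_RE = re.compile(r"^[a-z]+[0-9a-f]\.tmp$", re.IGNORECASE)  # <letters><hex digit>.tmp
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed snapshots (not taken from a real infected host).
SAMPLE_RUN = {
    "srrxfzo": r"C:\Windows\System32\srrxfzo.exe",
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
}
SAMPLE_SERVICES = [
    {"name": "qjbxtkv", "display": "Print Spooler Service", "description": "",
     "start": "automatic", "path": r"C:\Windows\System32\qjbxtkv.exe /service"},
    {"name": "Spooler", "display": "Print Spooler", "description": "Loads files to memory.",
     "start": "automatic", "path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "wuauserv", "display": "Automatic Updates", "description": "Downloads updates.",
     "start": "automatic", "path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def _in_system_dir(exe):
    return ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(SYSTEM_DIR)


def _split_command(cmd):
    """Split a service image path into (exe, args), honouring a quoted executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return parts[0], parts[1:]


def suspicious_run_values(run_values):
    """Run values whose name is a bare random word and whose data is <system dir>\\<same word>.exe."""
    hits = []
    for name, data in run_values.items():
        exe = data.strip('"')
        if (RANDOM_NAME_RE.match(name) and _in_system_dir(exe)
                and ntpath.basename(exe).lower() == name.lower() + ".exe"):
            hits.append(name)
    return hits


def suspicious_services(services):
    """Services run as <system dir>\\<random letters>.exe /service, with the reasons found."""
    hits = []
    for svc in services:
        exe, args = _split_command(svc["path"])
        stem, _, ext = ntpath.basename(exe).rpartition(".")
        if not (ext.lower() == "exe" and RANDOM_NAME_RE.match(stem)
                and _in_system_dir(exe) and args == ["/service"]):
            continue
        reasons = ["random binary name in system folder started with /service"]
        if svc["display"].lower() in LURE_DISPLAY_NAMES:
            reasons.append("display name borrowed from a legitimate product")
        if not svc["description"]:
            reasons.append("empty description")
        if svc["start"] == "automatic":
            reasons.append("automatic start")
        hits.append({"name": svc["name"], "display": svc["display"], "reasons": reasons})
    return hits


def scan_temp_dir(temp_dir):
    """Files named <letters><hex digit>.tmp, with the number of distinct addresses inside."""
    hits = []
    for fname in sorted(os.listdir(temp_dir)):
        if not HARVEST_FILE_RE.match(fname):
            continue
        with open(os.path.join(temp_dir, fname), "rb") as fh:
            addresses = set(EMAIL_RE.findall(fh.read()))
        hits.append({"file": fname, "addresses": len(addresses)})
    return hits


def demo_temp_scan():
    """Build a constructed %temp% (one harvest-style file, two ordinary files) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "kqzpeA.tmp"), "wb") as fh:
            fh.write(b"alice@example.org\r\nbob@example.net\r\nalice@example.org\r\n")
        with open(os.path.join(d, "~DF3A1B.tmp"), "wb") as fh:
            fh.write(b"\x00" * 16)
        with open(os.path.join(d, "report.txt"), "wb") as fh:
            fh.write(b"carol@example.com")
        return scan_temp_dir(d)


if __name__ == "__main__":
    print("Run values:", suspicious_run_values(SAMPLE_RUN))
    print("Services:", suspicious_services(SAMPLE_SERVICES))
    print("Temp files:", demo_temp_scan())
```

Neither spoolsv.exe nor svchost.exe is flagged even though both have short alphabetic names in the system folder: the "/service" argument and the matching random service name are what distinguish the Oderoor persistence from legitimate services. The temp-file name pattern is loose on its own, so the address count is what turns a name match into evidence of the harvesting payload.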

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources, including links sent over instant messaging.

Alert level: Severe
This entry was first published on: Apr 22, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases