
Backdoor:Win32/Oderoor.gen!H


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

Backdoor:Win32/Oderoor.gen!H is also known as Trojan.Crypt.ZPACK.BGQ (VirusBuster), Win32/Kryptik.QI (ESET) and Trj/Agent.MBF (Panda).

Explanation :

Backdoor:Win32/Oderoor.gen!H is a backdoor trojan that gives an attacker access to, and control of, the compromised computer. The trojan may connect to remote Web sites and to SMTP servers.

Symptoms
System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files in the Windows system folder:
    naquommug.exe
    fanofoutta.exe
  • Alternatively, this malware may arrive with a different file name. As there are no other common symptoms associated with this threat, alert notifications from installed antivirus software may be the only symptom.

    Arrival
    The primary method of distribution for the Win32/Oderoor family is via Instant Messenger (IM). Messages are sent via Windows Live Messenger, prompting unsuspecting users to download and execute the trojan from the link provided. This threat may be present as an executable within a .ZIP archive. The executable copy of the trojan may use a file name format similar to the following:
    "img_###.JPEG-<e-mail address.com>"
    where ### is a 3 digit number, and <e-mail address.com> resembles an actual e-mail address. Note that such a name only looks like a picture: Windows takes the extension from the text after the last dot, so a name ending in "@hotmail.com" has the extension .com, which Windows treats as an executable, and the ".JPEG" is merely part of the file name. For example, the trojan has been observed being distributed with the following file names (the e-mail addresses used in these examples have been edited):
    img_011.JPEG-******@hotmail.com
    pic_921.JPEG-******@yahoo.es.com
    foto_420.JPG-******@gmail.com
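As an added example (not code from the original page), the following Python classifier recognises file names in the lure format described above and reports the extension Windows would actually use. The three prefixes (img, pic, foto) are the ones shown on the page; the acceptance of any non-empty local part before the "@" and the set of executable extensions are assumptions of this example, and the sample names are constructed from the page's masked examples.

```python
import re

# Pattern for the Win32/Oderoor IM lure names described above:
#   <prefix>_<3 digits>.<JPEG|JPG>-<something that looks like an e-mail address>
# The prefixes are the three seen on the page (img, pic, foto); the e-mail
# local part is masked there, so any non-empty local part is accepted (assumption).
LURE_RE = re.compile(
    r"^(?P<prefix>img|pic|foto)_(?P<num>\d{3})\.(?P<ext>jpe?g)-"
    r"(?P<email>[^@\s/\\]+@[^@\s/\\]+\.[a-z]{2,})$",
    re.IGNORECASE,
)

# Extensions Windows runs as programs (a subset of the default PATHEXT set).
EXECUTABLE_EXTENSIONS = {"com", "exe", "bat", "cmd", "scr", "pif"}


def classify_lure_name(name):
    """Return the parsed fields if `name` matches the lure pattern, else None.

    Windows takes the extension from the text after the LAST dot, so the
    real extension of img_011.JPEG-xxx@hotmail.com is 'com', not 'jpeg'.
    """
    m = LURE_RE.match(name.strip())
    if not m:
        return None
    real_ext = name.strip().rsplit(".", 1)[-1].lower()
    return {
        "prefix": m["prefix"].lower(),
        "number": m["num"],
        "claimed_extension": m["ext"].upper(),
        "email": m["email"],
        "real_extension": real_ext,
        "runs_as_program": real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_names(names):
    """Return (name, details) for every name in `names` matching the lure pattern."""
    hits = []
    for n in names:
        info = classify_lure_name(n)
        if info:
            hits.append((n, info))
    return hits


# Constructed sample: the three names from the page (addresses masked as there)
# plus two benign or malformed names that must not match.
SAMPLE_NAMES = [
    "img_011.JPEG-******@hotmail.com",
    "pic_921.JPEG-******@yahoo.es.com",
    "foto_420.JPG-******@gmail.com",
    "holiday_2009.jpg",
    "img_0111.JPEG-a@b.com",   # four digits: does not fit the documented format
]

if __name__ == "__main__":
    for name, info in scan_names(SAMPLE_NAMES):
        print(name, "->", info)
```

Feeding the classifier a directory listing or the member names of a .ZIP archive is enough to surface lures of this family; the `runs_as_program` field is the detail worth alerting on, since a "picture" whose real extension is .com will execute on double-click.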

    Installation
    When executed, Backdoor:Win32/Oderoor.gen!H copies itself to the Windows system folder with a random file name, such as naquommug.exe and fanofoutta.exe. It also adds a registry entry to ensure that it runs at each Windows start, for example:
    Adds value: "gene"
    With data: "<system folder>\naquommug.exe"
    Within subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    where the data points at the file name this threat uses. Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
    Oderoor also adds a service for its dropped file. The display name and description borrow the wording of a PDF converter product so that the service looks benign in the services list, as in the following example:
    Service display name: "BCL easyPDF SDK Loader"
    Description: "EasyPDF's Printer Driver makes it very easy and affordable to convert any document formats (including Word, Excel, and Powerpoint) to PDF."
    Service name: "u7foef6e"
    Startup type: automatic
    Path: "<system folder>\fanofoutta.exe"
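As an added example (not code from the original page or from the analyst), the following Python check runs the page's persistence indicators over a constructed snapshot of Run values and services, of the kind one would get from `reg query` and `sc qc` on a host. The snapshot data, the dictionary shapes and the "no shared word stem" heuristic in `check_services` are assumptions of this example; the file names, the value name "gene", the service name and the display name are taken from the Installation section above.

```python
# Indicators of compromise taken from the Installation section above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_DROP_NAMES = {"naquommug.exe", "fanofoutta.exe"}
IOC_RUN_VALUE_NAME = "gene"
IOC_SERVICE_NAME = "u7foef6e"
IOC_SERVICE_DISPLAY = "bcl easypdf sdk loader"
# Default system folders the page lists (NT/2000 and XP/Vista); a real scan
# would resolve %SystemRoot%\System32 on the host instead (assumption).
SYSTEM_FOLDERS = {r"c:\winnt\system32", r"c:\windows\system32"}

# Constructed snapshot standing in for the output of `reg query` and `sc qc`;
# not data captured from an infected host.
SAMPLE_RUN_VALUES = {
    "gene": r"C:\Windows\System32\naquommug.exe",
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
}
SAMPLE_SERVICES = [
    {"name": "u7foef6e", "display": "BCL easyPDF SDK Loader",
     "start": "auto", "path": r"C:\Windows\System32\fanofoutta.exe"},
    {"name": "Spooler", "display": "Print Spooler",
     "start": "auto", "path": r"C:\Windows\System32\spoolsv.exe"},
]


def split_path(path):
    """Split a Windows path into (lowercased directory, lowercased file name)."""
    path = path.strip().strip('"')
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename.lower()


def check_run_values(run_values):
    """Flag Run entries that match the documented value name or drop names."""
    findings = []
    for value_name, data in run_values.items():
        directory, filename = split_path(data)
        reasons = []
        if value_name.lower() == IOC_RUN_VALUE_NAME:
            reasons.append("Run value name 'gene' matches the documented entry")
        if filename in IOC_DROP_NAMES and directory in SYSTEM_FOLDERS:
            reasons.append(f"image {filename} in the system folder matches a documented drop name")
        if reasons:
            findings.append({"where": f"{RUN_KEY}\\{value_name}", "data": data, "reasons": reasons})
    return findings


def check_services(services):
    """Flag services that match the documented name, display name or drop names."""
    findings = []
    for svc in services:
        directory, filename = split_path(svc["path"])
        reasons = []
        if svc["name"].lower() == IOC_SERVICE_NAME:
            reasons.append("service name matches the documented name")
        if svc["display"].lower() == IOC_SERVICE_DISPLAY:
            reasons.append("display name matches the documented masquerade")
        if filename in IOC_DROP_NAMES and directory in SYSTEM_FOLDERS:
            reasons.append(f"binary {filename} in the system folder matches a documented drop name")
        # Heuristic (an assumption of this example, not a claim from the page):
        # a service whose display name advertises some product, but whose binary
        # sits directly in the system folder under a name sharing no four-letter
        # word stem with that display name, deserves a closer look.
        stems = {w[:4] for w in svc["display"].lower().split() if len(w) >= 4}
        if directory in SYSTEM_FOLDERS and stems and not any(s in filename for s in stems):
            reasons.append("display name and binary name share no word stem (heuristic)")
        if reasons:
            findings.append({"where": f"service {svc['name']}", "data": svc["path"], "reasons": reasons})
    return findings


def scan(run_values, services):
    """Combine both checks into one list of findings."""
    return check_run_values(run_values) + check_services(services)


if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_VALUES, SAMPLE_SERVICES):
        print(f["where"], "->", f["data"])
        for r in f["reasons"]:
            print("   ", r)
```

The exact-match checks are only as good as the sample that was analysed; since the page notes the copy uses a random file name, the heuristic in `check_services` is the part that still has a chance of catching a variant that dropped under a different name, at the cost of occasional false positives that need manual review.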

    Payload
    Performs backdoor functionality
    Oderoor is capable of providing the following information to the remote server:
  • Windows version
  • Memory/CPU statistics
  • Extended internet connection information (e.g. number of allowed connections, adapter information, upload speed)
  • Hostname
  • Country
  • OS language
    It can also be instructed to perform the following actions:
  • Download and execute arbitrary files
  • Send e-mail messages via SMTP
  • Harvest e-mail addresses


Analysis by Francis Allan Tan Seng

Last update 30 June 2009