Home / malware TrojanDownloader:Win32/Oderoor.gen!A
First posted on 18 August 2019.
Source: MicrosoftAliases :
There are no other names known for TrojanDownloader:Win32/Oderoor.gen!A.
Explanation :
TrojanDownloader:Win32/Oderoor.gen!A is a trojan that downloads Backdoor:Win32/Oderoor - a backdoor trojan that allows an attacker access and control of the compromised computer. The primary method of distribution for the Win32/Oderoor family is via Instant Messenger (IM). Messages are sent via Windows Live Messenger, prompting unsuspecting users to download and execute the trojan from the link provided. This threat may be present as an executable within a .ZIP archive. The executable copy of the trojan may use a file name format similar to the following:
"img_###.JPEG-"
where ### is a 3 digit number, andresembles an actual e-mail address. For example, the trojan has been observed being distributed with the following file names (the e-mail addresses used in these examples have been edited): img_011.JPEG-******@hotmail.com
pic_921.JPEG-******@yahoo.es.com
foto_420.JPG-******@gmail.com Payload Downloads and Installs Additional MalwareOnce executed, the trojan checks whether "uvnrluthw.yi.org" or "tolskhbrwi.yi.org" exists, then proceeds to download and execute additional malware from a predefined IP address. Known variants have been observed using the following IP addresses: 66.29.89.23
66.29.87.110
66.29.87.111 The trojan listens on a range of 105 TCP ports for instructions from its backdoor component. The port range varies across variants. Known port ranges include the following: 22933 - 23037
39036 - 39140
42942 - 43046
45538 - 45642
46385 - 46489 Additional InformationFor more information on this malware, please see our Win32/Oderoor description elsewhere in our encyclopedia. Analysis by Shali HsiehLast update 18 August 2019