BKDR_ODEROOR.OGJ

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

It hides files, processes, and/or registry entries.

It steals system information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

• http://{BLOCKED}.{BLOCKED}.112.251/club.exe
• http://{BLOCKED}.{BLOCKED}.112.251/poss.exe

Installation

This backdoor drops the following copies of itself depending on the platform/operating system of the affected computer:

• %System%\{Random characters}.exe
• %Application Data%\Microsoft\{Random characters}.exe (Windows Vista and 7 only)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Random characters} = "%System%\{Random characters}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random characters} = "%ApplicationData%\Microsoft\{Random characters}.exe"

Backdoor Routine

This backdoor executes the following command(s) from a remote malicious user:

• Download files
• Execute files
• Generate spam mails

Rootkit Capabilities

This backdoor hides files, processes, and/or registry entries.

Process Termination

This backdoor terminates the following processes if found running in the affected system's memory:

• mrt.exe
• mrtstub.exe

Information Theft

This backdoor steals system information.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• www.yahoo.com
• www.google.com
• www.live.com
• www.msn.com
• www.aol.com
• www.amazon.com
• www.go.com
• www.bbc.co.uk
• www.cnn.com
• www.news.com
• www.download.com
• www.weather.com
• www.comcast.net
• www.mozilla.com
• www.hp.com

It connects to the following URL(s) to get the affected system's IP address:

• http://www.showipaddress.com/
• http://www.find-ip-address.org/
• http://www.ipaddress.com/
• http://www.ip-address.com/
• http://whatismyipaddress.com/
• http://www.grokster.com/
• http://www.myipaddress.com/
• http://www.ipchicken.com/
• http://checkip.dydns.com/

NOTES:

This backdoor attempts to access its C&C server using the following generated URLs:

• {randomly generated domain}.net
• {randomly generated domain}.tv
• {randomly generated domain}.cc
• {randomly generated domain}.com

It may register a copy of itself under one of the following service names and descriptions:

• AOL Antivirus Update Service - AOL Antivirus Update Service keeps your computer up to date.
• AOL Connectivity Service - AOL Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
• ASF Agent - Intel Alert Standard Format Console is a part of a systems management suite.
• Asset Management Daemon - Display configuration software used by several manufacturers.
• ASUSKeyboardService - Asus Keyboard service provides additional configuration options for Asus keyboards.
• Ati External Event Utility - ATI Video Card Control Panel
• Ati HotKey Poller - ATI Video Card Control Panel
• Backbone Service - PLM solutions make it possible to design and develop products by creating digital mockups.
• BCL easyPDF SDK Loader - EasyPDF's Printer Driver makes it very easy and affordable to convert any document formats (including Word, Excel, and Powerpoint) to PDF.
• bcveServ - Keeps your confidential data in a strongly encrypted form on your disk and provides you with transparent access.
• BeTwin Terminal Services - Software that allows multiple users to simultaneously and independently share a personal computer.
• Blue Coat K9 Web Protection - K9 Web Protection
• BsHelpCS - BlueSoleil allows your Bluetooth radio enabled desktop or notebook computer to wirelessly access a wide variety of Bluetooth enabled digital devices.
• C-DillaSrv - C-Dilla License Management software from MacroVison.
• Canon BJ Memory Card Manager - Canon Bubblejet Memory Card Utility
• Creative ALchemy AL1 Licensing Service - EAX and 3D Audio restoration in Microsoft Windows.
• Crypkey License - CrypKey Software Licensing System from Cobalt Systems
• Crystal Report Application Server - Crystal Decisions Report Application Server
• IMAPI CD-Burning COM Service - Image Mastering Applications Programming Interface from Microsoft used for CD recording.
• Microsoft Local Alerter - Allows for fault, performance, and configuration management.
• Network Connectivity Service - Network Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
• PowerUtility TV Recording Reservation - TV Recording Reservation from Fujitso Limited.
• RUMBA AS/400 Shared Folders - Provides connectivity from Microsoft Windows desktops to virtually any host system with mission critical reliability.
• SigmaTel Audio Service - SigmaTel Audio Service part of the C-Major Audio driver.
• SmartLinkService - Smartlink communication product that offers additional support to the modem service.
• Websense CPM Report Scheduler - Increase web security and employee productivity through internet policy enforcement.
• Winferno Subscription Service - Winferno Subscription Service.
• Zip Backup to CD - Data backup software designed to backup your data files to CD/DVD, using the standard Zip file format