Analysis by: Alvin John Nieto

ALIASES:

Win32/Oderoor.A trojan (ESET), Bck/Oderoor.BB (Panda), W32/Oderoor.A!tr (Fortinet)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

It hides files, processes, and/or registry entries.

It steals system information.

  TECHNICAL DETAILS

File Size: 242,688 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 03 Mar 2014
Payload: Connects to URLs/IPs

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

  • http://{BLOCKED}.{BLOCKED}.112.251/club.exe
  • http://{BLOCKED}.{BLOCKED}.112.251/poss.exe

Installation

This backdoor drops the following copies of itself depending on the platform/operating system of the affected computer:

  • %System%\{Random characters}.exe
  • %Application Data%\Microsoft\{Random characters}.exe (Windows Vista and 7 only)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Random characters} = "%System%\{Random characters}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random characters} = "%ApplicationData%\Microsoft\{Random characters}.exe"

Backdoor Routine

This backdoor executes the following command(s) from a remote malicious user:

  • Download files
  • Execute files
  • Generate spam mails

Rootkit Capabilities

This backdoor hides files, processes, and/or registry entries.

Process Termination

This backdoor terminates the following processes if found running in the affected system's memory:

  • mrt.exe
  • mrtstub.exe

Information Theft

This backdoor steals system information.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

  • www.yahoo.com
  • www.google.com
  • www.live.com
  • www.msn.com
  • www.aol.com
  • www.amazon.com
  • www.go.com
  • www.bbc.co.uk
  • www.cnn.com
  • www.news.com
  • www.download.com
  • www.weather.com
  • www.comcast.net
  • www.mozilla.com
  • www.hp.com

It connects to the following URL(s) to get the affected system's IP address:

  • http://www.showipaddress.com/
  • http://www.find-ip-address.org/
  • http://www.ipaddress.com/
  • http://www.ip-address.com/
  • http://whatismyipaddress.com/
  • http://www.grokster.com/
  • http://www.myipaddress.com/
  • http://www.ipchicken.com/
  • http://checkip.dydns.com/

NOTES:

This backdoor attempts to access its C&C server using the following generated URLs:

  • {randomly generated domain}.net
  • {randomly generated domain}.tv
  • {randomly generated domain}.cc
  • {randomly generated domain}.com

It may register a copy of itself under one of the following service names and descriptions:

  • AOL Antivirus Update Service - AOL Antivirus Update Service keeps your computer up to date.
  • AOL Connectivity Service - AOL Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
  • ASF Agent - Intel Alert Standard Format Console is a part of a systems management suite.
  • Asset Management Daemon - Display configuration software used by several manufacturers.
  • ASUSKeyboardService - Asus Keyboard service provides additional configuration options for Asus keyboards.
  • Ati External Event Utility - ATI Video Card Control Panel
  • Ati HotKey Poller - ATI Video Card Control Panel
  • Backbone Service - PLM solutions make it possible to design and develop products by creating digital mockups.
  • BCL easyPDF SDK Loader - EasyPDF's Printer Driver makes it very easy and affordable to convert any document formats (including Word, Excel, and Powerpoint) to PDF.
  • bcveServ - Keeps your confidential data in a strongly encrypted form on your disk and provides you with transparent access.
  • BeTwin Terminal Services - Software that allows multiple users to simultaneously and independently share a personal computer.
  • Blue Coat K9 Web Protection - K9 Web Protection
  • BsHelpCS - BlueSoleil allows your Bluetooth radio enabled desktop or notebook computer to wirelessly access a wide variety of Bluetooth enabled digital devices.
  • C-DillaSrv - C-Dilla License Management software from MacroVison.
  • Canon BJ Memory Card Manager - Canon Bubblejet Memory Card Utility
  • Creative ALchemy AL1 Licensing Service - EAX and 3D Audio restoration in Microsoft Windows.
  • Crypkey License - CrypKey Software Licensing System from Cobalt Systems
  • Crystal Report Application Server - Crystal Decisions Report Application Server
  • IMAPI CD-Burning COM Service - Image Mastering Applications Programming Interface from Microsoft used for CD recording.
  • Microsoft Local Alerter - Allows for fault, performance, and configuration management.
  • Network Connectivity Service - Network Connectivity Service - starts an automatic function that restores the connection should you lose it while online.
  • PowerUtility TV Recording Reservation - TV Recording Reservation from Fujitso Limited.
  • RUMBA AS/400 Shared Folders - Provides connectivity from Microsoft Windows desktops to virtually any host system with mission critical reliability.
  • SigmaTel Audio Service - SigmaTel Audio Service part of the C-Major Audio driver.
  • SmartLinkService - Smartlink communication product that offers additional support to the modem service.
  • Websense CPM Report Scheduler - Increase web security and employee productivity through internet policy enforcement.
  • Winferno Subscription Service - Winferno Subscription Service.
  • Zip Backup to CD - Data backup software designed to backup your data files to CD/DVD, using the standard Zip file format

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 10.646.01
FIRST VSAPI PATTERN DATE: 06 Mar 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • {Random characters} = "%System%\{Random characters}.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {Random characters} = "%ApplicationData%\Microsoft\{Random characters}.exe"

Step 4

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_ODEROOR.OGJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.