Win32/Oderoor [Threat Name]

Win32/Oderoor.B [Threat Variant Name]

Category trojan
Size 255973 B
Detection created Jun 27, 2014
Detection database version 10010
Aliases Trojan.Win32.Scarsi.wal (Kaspersky)
  Trojan:Win32/Vidro (Microsoft)
  Win32:Vidro-I (Avast)
Short description

Win32/Oderoor.B is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %system%\%variable1%.exe
  • %appdata%\Microsoft\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\Microsoft\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%system%\%variable1%.exe"

%variable1% and %variable2% stand for strings with variable content.

After the installation is complete, the trojan deletes the original executable file.
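The persistence described above (a Run value in HKCU or HKLM pointing at an executable dropped directly into the System32 or %appdata%\Microsoft folder) can be audited on a host with the following PowerShell script. This is an added example, not code from the ESET page; it assumes %system% means %SystemRoot%\System32 and %appdata% the roaming profile folder ($env:APPDATA), and the function and variable names (Get-CommandPath, Test-SuspectRunTarget, $RunKeys, $SuspectDirs) are this script's own.

```powershell
# Added example, not code from the ESET page: audit the two Run keys the
# description names for values whose target executable sits directly in the
# two drop directories it lists. %system% is assumed to mean
# %SystemRoot%\System32 and %appdata% the roaming profile folder.

$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Drop directories from the description, resolved for this host.
$SuspectDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:APPDATA 'Microsoft')
)

# Provider metadata that Get-ItemProperty attaches to every key; not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath {
    # Reduce a Run value such as "C:\dir\app.exe" /arg to the executable path,
    # expanding environment variables the value may contain.
    param([string]$Data)
    $d = $Data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 0) { $d = $d.Substring(1, $end - 1) }
    } else {
        $d = ($d -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($d)
}

function Test-SuspectRunTarget {
    # True when the target is an .exe located directly in one of $SuspectDirs.
    param([string]$Path)
    if ($Path -notmatch '\.exe$') { return $false }
    $dir = Split-Path -Path $Path -Parent
    if (-not $dir) { return $false }
    foreach ($s in $SuspectDirs) {
        if ($dir.TrimEnd('\') -eq $s.TrimEnd('\')) { return $true }   # -eq is case-insensitive
    }
    return $false
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $target = Get-CommandPath ([string]$p.Value)
        if (-not (Test-SuspectRunTarget $target)) { continue }
        $exists = Test-Path -LiteralPath $target
        # Signature status helps triage: Microsoft-signed System32 binaries are
        # expected in HKLM Run; an unsigned or missing file in these folders is not.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'FileMissing' }
        [PSCustomObject]@{
            Key       = $key
            ValueName = $p.Name
            Target    = $target
            Exists    = $exists
            Signature = $sig
        }
    }
}
```

The output is a triage list rather than a verdict: legitimate Windows components do start from System32 via HKLM Run, so the Signature column is what separates them from an arbitrary, randomly named executable. A Run value whose target no longer exists is also worth noting, since it usually means the file was removed after the persistence entry was written.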

Information stealing

The trojan collects the following information:

  • malware version
  • operating system version
  • information about the operating system and system settings
  • computer name
  • language settings
  • country code
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses and contains a list of 51 URLs. The UDP and HTTP protocols are used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan connects to the following servers to obtain the current date and time:

  • amazon.com
  • aol.com
  • bbc.co.uk
  • cnn.com
  • comcast.net
  • download.com
  • go.com
  • google.com
  • hp.com
  • live.com
  • mozilla.com
  • msn.com
  • news.com
  • weather.com
  • yahoo.com

The following programs are terminated:

  • mrt.exe
  • mrtstub.exe
