Win32/Oderoor [Threat Name]

Win32/Oderoor.B [Threat Variant Name]

Category trojan
Size 255973 B
Detection created Jun 27, 2014
Detection database version 10010
Aliases Trojan.Win32.Scarsi.wal (Kaspersky)
  Trojan:Win32/Vidro (Microsoft)
  Win32:Vidro-I (Avast)
Short description

Win32/Oderoor.B is a trojan which tries to download other malware from the Internet. It can be controlled remotely.


When executed, the trojan copies itself to some of the following locations:

  • %system%\%variable1%.exe
  • %appdata%\Microsoft\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\Microsoft\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%system%\%variable1%.exe"

A string with variable content is used instead of %variable1% and %variable2%.
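
Because both the value name and the file name are variable, a check for this persistence has to key on location rather than on names. The following is an added triage example, not part of the original description or of any vendor tooling: it parses text in the layout printed by `reg query` and flags Run values whose executable sits directly in the folders listed above. It assumes the default paths C:\Users\<user>\AppData\Roaming\Microsoft and C:\Windows\System32 for %appdata%\Microsoft and %system%; the sample data and function names are constructed for illustration, and hits are candidates for review, not confirmed infections.

```python
import ntpath
import re

# Constructed sample in the layout printed by `reg query <key>`; not real output.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qwkzt    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\xkqpd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_EXPAND_SZ    "%ProgramFiles%\Vendor\tray.exe"
    qwkzt    REG_SZ    C:\Windows\system32\xkqpd.exe
"""

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Hive -> folder pairing from the write-up; default install paths are an assumption.
SUSPECT_DIRS = {
    "HKEY_CURRENT_USER": re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft$"),
    "HKEY_LOCAL_MACHINE": re.compile(r"^[a-z]:\\windows\\system32$"),
}
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def command_to_exe(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def find_candidates(reg_query_text):
    """List (hive, value name, exe path) for Run values matching the described layout."""
    hits, hive, in_run = [], None, False
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            hive = line.split("\\", 1)[0]
            in_run = line.lower().endswith(RUN_SUFFIX)  # excludes RunOnce etc.
            continue
        m = VALUE_RE.match(line)
        if not (m and in_run and hive in SUSPECT_DIRS):
            continue
        exe = command_to_exe(m.group("data"))
        folder = ntpath.dirname(exe).lower()
        # Only an .exe placed directly in the folder matches, not in a subfolder.
        if exe.lower().endswith(".exe") and SUSPECT_DIRS[hive].match(folder):
            hits.append((hive, m.group("name"), exe))
    return hits

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE):
        print(hit)
```

Legitimate software also registers executables from the system directory under the machine-wide Run key, so each hit still needs its file checked (signature, creation time, scan result) before it is treated as malicious.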

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • malware version
  • operating system version
  • information about the operating system and system settings
  • computer name
  • language settings
  • country code
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The trojan contains a list of 51 URLs. The UDP and HTTP protocols are used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan connects to the following servers to obtain the current date and time:


The following programs are terminated:

  • mrt.exe
  • mrtstub.exe
