{
	"id": "8f062808-be49-4290-9c06-3910dc7e58be",
	"created_at": "2026-04-06T03:35:58.862613Z",
	"updated_at": "2026-04-10T13:11:30.100371Z",
	"deleted_at": null,
	"sha1_hash": "7b9ea9b39cbd0279f72d7aea1de059cca14b13f0",
	"title": "BackDoor.Whitebird.1 — How to quickly look up a virus in the Dr.Web virus database",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 171625,
	"plain_text": "BackDoor.Whitebird.1 — How to quickly look up a virus in the\r\nDr.Web virus database\r\nPublished: 2020-07-14 · Archived: 2026-04-06 03:25:52 UTC\r\nPacker: absent\r\nCompilation date: 28.05.2018 23:14:08\r\nSHA1 hash:\r\ne70a5ce00b3920d83810496eab6b0d028c5f746e\r\nDescription\r\nA multifunctional backdoor trojan for Microsoft Windows 64-bit operating systems. Its function is to establish an encrypted connection with the C\u0026C server and grant unauthorized access to the infected computer. It has file manager, proxy server and remote shell capabilities. It was used in targeted attacks on state institutions in Kazakhstan and Kyrgyzstan. Similar to BackDoor.PlugX, this modification was used to infiltrate the network infrastructure.\r\nOperating principle\r\nThe trojan is a dynamic library with an exported function named MyInstall. Upon infecting the targeted system, it is installed as C:\\Windows\\System32\\oci.dll.\r\nThe program is launched as follows. At operating system boot, the Microsoft Distributed Transaction Coordinator (MSDTC) service is started. The Windows registry holds the parameters of this service, including the names of the libraries it loads. By default, the OracleOciLib and OracleOciLibPath entries in the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI branch are set to oci.dll and %systemroot%\\system32 respectively. When the trojan is placed at %systemroot%\\system32\\oci.dll, it is therefore loaded into memory automatically whenever MSDTC starts.\r\nWhen initialized, it creates a mutex named gfhfgh6y76734d,1111, after which the library is loaded and the MyInstall exported function is called.\r\nMyInstall\r\nThe trojan can determine whether a proxy server should be used and can perform basic authentication as well as authorization via the NTLM protocol. 
While running, it writes a log to c:\\programdata\\logos.txt.\r\nIt connects to the C\u0026C server and exchanges keys with it. All subsequent packets between the trojan and the server are encrypted with an XOR-based algorithm that uses a 28-byte key buffer. The offset into the key buffer carries over from one packet to the next, but separate counters are kept for encryption and for decryption.\r\nhttps://vms.drweb.co.jp/virus/?i=21507715\r\nPage 1 of 9\n\nThe following structure is used to request commands from the server and to send results:\r\n#pragma pack(push, 1)\r\nstruct st_getcmd\r\n{\r\n    _DWORD sig;\r\n    _DWORD cmd;\r\n    _DWORD res;\r\n    _DWORD dwordc;\r\n};\r\n#pragma pack(pop)\r\nThe sig field always has the value 0x03. To request a command from the server, cmd is set to 0x200 and res and dwordc are set to zero. If the server does not send any data within 44 seconds, the trojan sends a packet with cmd set to 0x00. 
This process repeats until a response is received from the server.\r\nCommands list\r\nThe commands the trojan can execute, and its responses to them, are listed below:\r\n0x00 — no reply, awaiting the next command;\r\n0x01 (collecting information about the bot) — replies with the cmd_botinfo structure:\r\n#pragma pack(push, 1)\r\nstruct cmd_botinfo_int\r\n{\r\n    _DWORD sig; // 0x03\r\n    _DWORD OSMajorVersion;\r\n    _DWORD OSMinorVersion;\r\n    _DWORD OSPlatformId;\r\n    _DWORD userpriv;\r\n    _DWORD botip;\r\n    _QWORD MemTotalPhys;\r\n    _BYTE macaddr[6];\r\n    wchar_t szCSDVersion[128];\r\n    wchar_t hostname[64];\r\n    wchar_t username[64];\r\n    char connect_string[256];\r\n};\r\n\r\nstruct cmd_botinfo\r\n{\r\n    _BYTE sig; // 0x03\r\n    _WORD len; // 0x3AC\r\n    _WORD cmdid;\r\n    _BYTE gap[10];\r\n    cmd_botinfo_int info;\r\n};\r\n#pragma pack(pop)\r\n0x02 (remote shell launch) — replies with a packet similar to the one received from the server;\r\n0x03 (advanced file system manager launch) — replies with a packet similar to the one received from the server;\r\n0x05 (remote shell v2 launch) — replies with a packet similar to the one received from the server;\r\n0x06 (proxy manager launch) — replies with a packet similar to the one received from the server;\r\n0x100 (the ping command) — replies with cmd=0x00;\r\n0x400 (the command to reconnect to the server) — replies with cmd=0x300;\r\n0x600 (dummy command) — replies with cmd=0x600; res=0xffffffff;\r\n0x700 (launch of a command through ShellExecute) — replies with cmd=0x700; if it fails, replies with res=0xffffffff.\r\nExchanging keys\r\nThe key exchange with the C\u0026C server proceeds as follows:\r\nThe trojan fills a 28-byte buffer with random values. 
Next, it takes a 58-byte data array embedded in its body. It XORs bytes 15 through 43 of it with the randomly generated bytes and sends the resulting buffer to the server. In response, it expects 5 bytes, in which byte 0 is 0x16 and the WORD starting at byte 3, in network byte order (as produced by htons), is the size of the next packet, which must not exceed 0x3FF9 bytes.\r\nAfter that, it receives the next packet; its data is used in the next exchange.\r\nNext, the trojan uses a second encoded buffer, 332 bytes in size. It XORs bytes 9 through 265 and 304 through 332 with the randomly generated bytes, and replaces the 28 bytes starting at offset 276 with the random data generated when the first buffer was initialized. There must be a response of 5 bytes, in which byte 0 is 0x14 and the WORD starting at byte 3, in network byte order (htons), is the size of the next packet, which must not exceed 0x3FF9 bytes.\r\nAfter that, it receives the next packet; its data is not used in the further exchange.\r\nNext, the trojan receives 5 bytes from the C\u0026C server, in which byte 0 is 0x16 and the WORD starting at byte 3, in network byte order (htons), is the size of the next packet, which must not exceed 0x38 bytes.\r\nIt receives the next packet from the C\u0026C server and passes 0x38 bytes of it to the encryption key initialization function:\r\n__int64 __fastcall CCrypt::GenKeys(ccrypt *this, _BYTE *ext_key)\r\n{\r\n    __int64 result; // rax\r\n    int i; // [rsp+0h] [rbp-18h]\r\n    for ( i = 0; i \u003c 28; ++i )\r\n    {\r\n        this-\u003ekey[i] ^= ext_key[i];\r\n        this-\u003ekey[i] ^= ~(_BYTE)i;\r\n        if ( !this-\u003ekey[i] )\r\n            this-\u003ekey[i] = ~(_BYTE)i;\r\n        result = (unsigned int)(i + 1);\r\n    }\r\n    return result;\r\n}\r\nRemote Shell Function\r\nThe trojan copies %WINDIR%\\System32\\cmd.exe to %WINDIR%\\alg.exe. It then initializes a new connection to the C\u0026C server and sends the following packet:\r\n#pragma pack(push,1)\r\nstruct cmd_remoteshell\r\n{\r\n    _WORD sig; // 0x03\r\n    _WORD len;\r\n    _WORD cmd; // 0x02\r\n    _BYTE gap[10];\r\n    _BYTE macaddr[6];\r\n};\r\n#pragma pack(pop)\r\nNext, it launches the copied alg.exe with its input and output redirected through pipes. If the launch fails, it runs cmd.exe instead of alg.exe. When data appears in the output pipe, the trojan sends it to the server in the following packet:\r\n#pragma pack(push,1)\r\nstruct cmd_remoteshell_out\r\n{\r\n    _WORD sig; // 0x03\r\n    _WORD len;\r\n    _WORD cmd; // 0x202\r\n    _BYTE gap[10];\r\n    wchar_t buffer[];\r\n};\r\n#pragma pack(pop)\r\nMeanwhile, the trojan periodically checks for data from the C\u0026C server and parses the incoming command when data is received.\r\nList of Remote Shell Commands\r\nCommand | Description | Argument | Response\r\n0x100 | keep-alive mode | - | cmd = 0x00\r\n0x102 | executes the command in the Remote Shell | a command | -\r\n0x103 | launches the file manager (writing to the end of an existing file) | a path to the file, the final size of the file | cmd value is identical to the value in the packet received from the server; res = -1 if failed; res = 0 if succeeded.\r\n0x203 | launches the file manager (reading from the file) | a path to the executable file, an offset in the file |\r\n0x703 | launches an application | a path to the executable file and arguments | res = -1 if failed; res = 0 if succeeded.\r\nthe remaining variants | default behavior | - | cmd value is identical to the value of the packet received from the server; res = 1.\r\nRemote Shell v2\r\nThe trojan copies %WINDIR%\\System32\\cmd.exe to %WINDIR%\\alg.exe. It then initializes a new connection to the C\u0026C server and sends the following packet:\r\n#pragma pack(push,1)\r\nstruct cmd_remoteshell\r\n{\r\n    _WORD sig; // 0x03\r\n    _WORD len;\r\n    _WORD cmd; // 0x02\r\n    _BYTE gap[10];\r\n    _BYTE macaddr[6];\r\n};\r\n#pragma pack(pop)\r\nNext, it launches the copied alg.exe; if the launch fails, it runs cmd.exe instead of alg.exe. Input and output for the launched process are handled by the trojan attaching to the console of the launched alg.exe/cmd.exe process with the AttachConsole WinAPI function.\r\nThe rest of the operation routine is the same as in the Remote Shell handler.\r\nFile manager\r\nThe trojan initializes a new connection to the C\u0026C server and sends the following packet:\r\n#pragma pack(push,1)\r\nstruct cmd_fileop\r\n{\r\n    _WORD sig; // 0x03\r\n    _WORD len;\r\n    _WORD cmd;\r\n    _WORD gap;\r\n    _DWORD res;\r\n    _DWORD filesize;\r\n    _BYTE macaddr[6];\r\n};\r\n#pragma pack(pop)\r\nThe cmd field is set to the value received in the server's packet. Next, the trojan receives commands from the server.\r\n0x103:\r\nChecks whether the file exists. If it does not, it sends a packet with res = 0xB7;\r\nTries to open the file in append mode. 
If that fails, it sends a packet with res = 0x52;\r\nReceives the file size and sets the filesize field to that value in subsequent packets;\r\nReceives packets with cmd = 0x303 in a loop and writes their data to the file until the file size is greater than or equal to the size the server indicated in the first packet.\r\n0x203:\r\nTries to open the file in read mode. If that fails, it sends a packet with res = 0x02;\r\nReceives the file size and sends it to the server in a packet;\r\nIn a loop, it reads the file, starting from the offset indicated in the filesize field of the first packet received from the server, and sends the data to the server in packets with cmd = 0x303 until the end of the file is reached.\r\n0x403:\r\nIf the C\u0026C server sends a path as the argument, the trojan lists the files and folders available in that path (not recursively) and sends the collected information to the server with cmd = 0x403;\r\nIf the C\u0026C server does not specify the argument, or if the first character of the argument is '/' or '\\\\', the trojan lists every storage device, collects data including the disk type, its size and the free space available, and sends this data to the server in a packet with cmd = 0x403.\r\n0x503:\r\nMoves a file (the source and destination paths are specified by the C\u0026C server). In response, it sends a packet with cmd = 0x503 and res = 0 on success; otherwise, it sends a packet with res = -1.\r\n0x603:\r\nDeletes the file at the path specified by the server. In response, it sends a packet with cmd = 0x603 and res = 0 on success; otherwise, it sends a packet with res = -1.\r\n0x703:\r\nLaunches the application specified by the server with the given arguments. In response, it sends a packet with cmd = 0x703 and res = 0 on success; otherwise, it sends a packet with res = -1.\r\nProxy manager\r\nThe trojan initiates a new connection to the server and sends the following packet:\r\n#pragma pack(push,1)\r\nstruct cmd_proxy\r\n{\r\n    _WORD sig; // 0x03\r\n    _WORD len;\r\n    _WORD cmd; // 0x06\r\n    _BYTE gap[10];\r\n    _BYTE macaddr[6];\r\n};\r\n#pragma pack(pop)\r\nNext, it receives commands from the server.\r\n0x106:\r\nOpens one of the available ports;\r\nSends a packet with cmd = 0x506 to the server;\r\nConnects to the target server using the IP and port specified by the C\u0026C server;\r\nWaits for an incoming connection on its port. Upon receiving data, it sends it to the server it is connected to;\r\nIf the trojan receives data from the target server, it sends it to the C\u0026C server in a packet with cmd = 0x116;\r\nReturns to waiting for an incoming connection on its port. Upon receiving data, it sends it to the server it is connected to.\r\n0x116:\r\nIf there is an incoming connection on a previously opened port, the trojan sends the data to that client as raw data, without the trojan's standard encryption.\r\n0x126:\r\nStops the proxy and closes all open connections.\r\n0x206:\r\nSends a packet with cmd = 0x506 to the C\u0026C server;\r\nOpens the port specified by the server;\r\nWaits for an incoming connection on the specified port;\r\nConnects to the target server specified by the C\u0026C server;\r\nForwards traffic from the local port to the remote server and back as raw data, without the trojan's standard encryption.\r\n0x306:\r\nReceives two ports as the argument;\r\nSends a packet with cmd = 0x506 to the C\u0026C server;\r\nOpens the first port (master port) and waits for a connection;\r\nOpens the second port (client port) and waits for a connection;\r\nOpens a random port and sends its number to the target that is currently connected to the master port. Next, it waits for an incoming connection on that port;\r\nForwards traffic between the clients connected to the master port and the random port.\r\n0x406:\r\nReceives two IP:port pairs as the argument;\r\nConnects to the first server and receives 2 bytes from it, which are a port number;\r\nConnects to the same server on the received port;\r\nConnects to the second server specified in the arguments;\r\nForwards traffic between the previously established connections.\r\n0x606:\r\nStops proxy server operation.\r\nSource: https://vms.drweb.co.jp/virus/?i=21507715",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://vms.drweb.co.jp/virus/?i=21507715"
	],
	"report_names": [
		"?i=21507715"
	],
	"threat_actors": [],
	"ts_created_at": 1775446558,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b9ea9b39cbd0279f72d7aea1de059cca14b13f0.pdf",
		"text": "https://archive.orkl.eu/7b9ea9b39cbd0279f72d7aea1de059cca14b13f0.txt",
		"img": "https://archive.orkl.eu/7b9ea9b39cbd0279f72d7aea1de059cca14b13f0.jpg"
	}
}