{
	"id": "aff273a5-5d06-46f2-a035-c17dc2714976",
	"created_at": "2026-04-06T00:16:47.143355Z",
	"updated_at": "2026-04-10T03:21:28.760458Z",
	"deleted_at": null,
	"sha1_hash": "7c7ca9fdbb780fa2670235e1cbd10eb304daa8d4",
	"title": "BackDoor.Gootkit.112—a new multi-purpose backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 719321,
	"plain_text": "BackDoor.Gootkit.112—a new multi-purpose backdoor\r\nPublished: 2014-04-09 · Archived: 2026-04-02 12:03:55 UTC\r\nComplex multi-component Trojans with backdoor features, i.e., those capable of executing a remote server’s commands on an infected computer, are rarities in the wild. Doctor Web's analysts recently examined one such program that has been named BackDoor.Gootkit.112. This review provides information about this malicious program’s design and operation.\r\nApparently, the module responsible for installing the backdoor into the system and for its bootkit features was borrowed by BackDoor.Gootkit.112’s developers from the Trojan.Mayachok family of programs. However, the virus writers introduced a number of significant changes into the source code. The original Trojan.Mayachok generated a unique VBR code which was used to create another build of the malware. In the case of BackDoor.Gootkit.112, all the functions have been grouped in the dropper, which alters the Volume Boot Record (VBR) code during the infection process. The driver, to which control is transferred by the VBR code prior to system initialisation, was also taken from the Trojan.Mayachok source code, but the code was partially rewritten, so most of the pointers (the shell-code to perform injections, and various tables) have been changed for reasons unknown. However, some pointers remained intact. In particular, one of them refers to the Homer Simpson quotation \"Just pick a dead end and chill out till you die\", which is output in the debugger after the loader's initialisation. It is noteworthy that similar strings (mostly Homer Simpson quotations) were displayed in the debugger by TDSS Trojans (starting with BackDoor.Tdss.565 (TDL3) and older versions). The name Gootkit can be found in both the loader and the payload module code.\r\nIn addition, all the driver components responsible for its interaction with other components operating in the user mode were also removed—in particular, the driver that enables them to use VFS. However, BackDoor.Gootkit.112 has features responsible for VFS initialisation and protection.\r\nInformation about the payload module BackDoor.Gootkit.112 is stored in the Windows registry branch HKLM\\SOFTWARE\\CXSW as binaryImage32 or binaryImage64, depending on the OS platform (32- or 64-bit).\r\nhttps://news.drweb.com/show/?i=4338\u0026lng=en\r\nPage 1 of 6\r\nTo retrieve the payload, BackDoor.Gootkit.112 injects special shell code into the processes SERVICES.EXE, EXPLORER.EXE, IEXPLORE.EXE, FIREFOX.EXE, OPERA.EXE, and CHROME.EXE. Very few malicious programs inject their code by creating a new user mode thread involving CSRSS.EXE.\r\nThe main objective of the injected shell code is to download the payload module from the system registry or from a remote server on the Internet. Payload binary files are compressed and encrypted.\r\nTo bypass the UAC and elevate its privileges in an infected system, BackDoor.Gootkit.112 employs a shim (Microsoft Windows Application Compatibility Infrastructure). The Trojan employs the SQL Server Client Network Utility (cliconfg.exe) whose manifest file has the attribute AutoElevate set to true, so Windows elevates the privileges of such applications without involving the UAC.\r\nBackDoor.Gootkit.112 uses the file apphelp.dll to create a fix database. The Trojan generates the database’s name and the value of the Application parameter randomly. To load the Trojan code, it uses the routine RedirectEXE, which lets one executable be run instead of another one. BackDoor.Gootkit.112 uses RedirectEXE parameters to specify the path to its executable and a link to the created database.\r\nAfter that, the fix database (shim) is installed in the system by means of sdbinst.exe whose manifest also has the parameter AutoElevate set to true, so it runs on Windows with special privileges. Overall, the UAC bypass scheme looks as follows:\r\n1. The Trojan creates and installs a new fix database (shim);\r\n2. It then launches cliconfg.exe with elevated privileges;\r\n3. The shim unloads the original process and uses RedirectEXE to launch the Trojan.\r\nBackDoor.Gootkit.112's payload is implemented in a large, five megabyte executable written in C++. Most of this file is a JavaScript interpreter known as Node.JS. The executable file contains more than 70 pieces of JavaScript code. A significant portion of them constitutes the Node.JS core which provides an easily accessible interface to work with native objects. Some scripts incorporate the Trojan's payload: they enable the backdoor to execute commands from a remote server and download additional modules stored in the Windows registry, similarly to the main module of BackDoor.Gootkit.112. The Trojan can execute the following commands:\r\nIntercept http traffic;\r\nInject code into other processes;\r\nBlock specific URLs;\r\nTake screenshots;\r\nAcquire the list of running processes;\r\nAcquire the list of local users and groups;\r\nEnd specified processes;\r\nExecute shell commands;\r\nLaunch executables;\r\nAuto update;\r\nand others.\r\nAs mentioned above, the program uses a rare method for injecting code into running processes. A similar algorithm was described on the forum wasm.ru by a user with the alias Great:\r\nHis description contained exit statuses which were similar to those found in the disassembled code of BackDoor.Gootkit.112:\r\nOne would assume that the virus writer simply borrowed code from the public source, but the code posted on the forum also described the object called DRIVER_TO_SHELLCODE_PARAMETERS. An object with the same name was also discovered in a personal blog of another user who provided a detailed description of the injection method and claimed that he developed it in cooperation with Ilya Great:\r\nThe blogger also expressed his great interest in Node.JS whose features are used extensively in the Trojan's code. Moreover, the person also published a post entitled \"NoteJS\\C++: Native extension for the Registry\" in which he described a method for working with the Windows registry branch SOFTWARE\\CXS:\r\nAnother post of his, entitled \"NodeJS: Spyware in Javascript?\", contains a reference to SpywareModule whose methods incorporate the prefix 'Sp'.\r\nBackDoor.Gootkit.112 incorporates similar code.\r\nIn this regard, one can make assumptions regarding the actual person behind the backdoor with a high degree of certainty.\r\nBackDoor.Gootkit.112’s signature has been added to the Dr.Web virus database, and, therefore, the Trojan poses no threat to computers protected with Dr.Web.\r\nSource: https://news.drweb.com/show/?i=4338\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://news.drweb.com/show/?i=4338\u0026lng=en"
	],
	"report_names": [
		"?i=4338\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c7ca9fdbb780fa2670235e1cbd10eb304daa8d4.pdf",
		"text": "https://archive.orkl.eu/7c7ca9fdbb780fa2670235e1cbd10eb304daa8d4.txt",
		"img": "https://archive.orkl.eu/7c7ca9fdbb780fa2670235e1cbd10eb304daa8d4.jpg"
	}
}