Win32/Gootkit [Threat Name]

Win32/Gootkit.V [Threat Variant Name]

Category: trojan
Size: 212584 B
Aliases: Trojan-Spy.Win32.Zbot.bgxc (Kaspersky), Trojan.ADH (Symantec), TrojanDropper:Win32/Otlard.B (Microsoft)
Short description

Win32/Gootkit.V installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\KGootkit.sys (Win32/Gootkit.V, 96768 B)

The trojan registers itself as a system service using the following name:

  • KGootkit

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KGootkit]
    • "DisplayName" = "KGootkit"
    • "ImagePath" = "%system%\drivers\KGootkit.sys"
    • "Type" = 1
    • "Start" = 1

This causes the trojan to be executed on every system start.

The trojan creates and runs a new thread with its own program code in all running processes.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses and communicates with them over HTTP.

It can execute the following operations:

  • update itself to a newer version
  • steal information from the Windows clipboard
  • send files to a remote computer
  • open a specific URL address
  • various filesystem operations
  • run executable files
  • download files from a remote computer and/or the Internet
  • capture screenshots
  • terminate running processes
  • create folders
  • create files
  • delete folders
  • delete cookies
  • create Registry entries
  • delete Registry entries
  • set up a proxy server
  • stop itself for a certain time period
  • log keystrokes
  • send spam
  • send gathered information

The following information is collected:

  • computer IP address
  • user name
  • CPU information
  • operating system version
  • Internet Explorer version
  • Registry entries
  • list of running processes

The trojan hooks the following Windows APIs:

  • connect (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM]
    • "injectionList" = "%variable%"

A string with variable content is used instead of %variable%.
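The service and Registry entries listed under Installation, together with the injectionList value just above, are the persistence artifacts a defender can sweep for. The script below is an added example, not part of this description: it parses a Registry export in .reg syntax and reports every listed indicator it finds. The export it scans is a hand-written sample that mirrors the entries above (the injectionList content is a placeholder, since the description only says it varies); the function names and the harmless Beep service used as a non-match are assumptions of this example.

```python
import re

# Constructed sample in Windows .reg export syntax, written by hand to mirror the
# persistence entries documented above; it is not a capture from an infected host.
# The injectionList content is a placeholder, since the description says it varies.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KGootkit]
"DisplayName"="KGootkit"
"ImagePath"="C:\\Windows\\system32\\drivers\\KGootkit.sys"
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM]
"injectionList"="PLACEHOLDER-variable-content"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"DisplayName"="Beep"
"ImagePath"="System32\\drivers\\beep.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"""

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SERVICE_KERNEL_DRIVER = 1  # "Type" = 1 in the entry above: a kernel-mode driver
SERVICE_SYSTEM_START = 1   # "Start" = 1 in the entry above: loaded at system start


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"=value lines. Returns {key_path: {value_name: value}} with dword
    values converted to int and quoted strings unescaped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            parsed = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            parsed = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            parsed = val  # hex: and other encodings are kept as raw text
        keys[current][name] = parsed
    return keys


def find_gootkit_indicators(keys):
    """Return a finding string for every Gootkit.V persistence indicator present
    in a parsed export. The driver file name is checked on every service key,
    not only one called KGootkit, so a service registered under another name
    but still loading drivers\\KGootkit.sys is reported as well."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        service = path[len(SERVICES_PREFIX):]
        if "\\" in service:
            continue  # skip subkeys such as ...\Service\Parameters
        image = str(values.get("ImagePath", "")).replace("/", "\\").lower()
        if service.lower() == "kgootkit":
            findings.append("service named KGootkit is registered")
            if (values.get("Type") == SERVICE_KERNEL_DRIVER
                    and values.get("Start") == SERVICE_SYSTEM_START):
                findings.append("KGootkit is a kernel driver set to system start (Type=1, Start=1)")
        if image.endswith("\\drivers\\kgootkit.sys"):
            findings.append("service %s loads drivers\\KGootkit.sys: %s"
                            % (service, values.get("ImagePath")))
    system_root = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM", {})
    if "injectionList" in system_root:
        findings.append("injectionList value present under HKLM\\SYSTEM: %r"
                        % (system_root["injectionList"],))
    return findings


def scan_reg_export(text):
    """Convenience wrapper: parse an export and return its findings."""
    return find_gootkit_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host the same export can be produced with `reg export HKLM\SYSTEM system.reg` and fed to `scan_reg_export`; the parser deliberately handles only the string and dword value types the indicators need, so other value encodings pass through unparsed rather than causing false matches.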
