Draft:WinROOT

Submission declined on 29 May 2025 by Scaledish (talk). This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are: in-depth (not just passing mentions about the subject) reliable secondary independent of the subject Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by Scaledish 5 days ago. Last edited by Scaledish 5 days ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

• Comment: WP:NSOFT. Current citations are just notices or presumably non-WP:RS. Scaledish! Talkish? Statish. 14:08, 29 May 2025 (UTC)

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (May 2025) (Learn how and when to remove this message) This article is written like a personal reflection, personal essay, or argumentative essay that states a Wikipedia editor's personal feelings or presents an original argument about a topic. Please help improve it by rewriting it in an encyclopedic style. (May 2025) (Learn how and when to remove this message) (Learn how and when to remove this message)

WinROOT

Server control window in WinROOT 1.40 by dem0nseed of The DMF Crew
Developer(s)	Matthew R. Walsh (alias: dem0nseed of DMF Crew)
Stable release	1.43 / 2001
Operating system	Microsoft Windows (95/98)
Type	Remote administration
License	Freeware / Underground distribution

WinROOT is a remote administration and backdoor program developed in the early 2000s for Microsoft Windows systems. Written in Visual Basic 6 by Matthew R. Walsh, using the alias dem0nseed of The DMF Crew, the tool gained widespread popularity in underground hacker forums as a stealthy successor to NetBus and Back Orifice.

Initially developed when the author was just 14 years old, WinROOT became one of the most distributed underground administration tools of its time. It was posted on notable exploit and warez hubs such as mc2.nu, altavista.box.sk, hack.box.sk, and discussed on message boards affiliated with the Phone Losers of America (PLA). The program was later flagged and classified as malware by major security vendors, including Microsoft, McAfee, Sophos, and Symantec.

WinROOT used a client–server architecture. The server executable, once deployed to a victim's machine, ran silently as a background process and listened on TCP port 8723. It modified the Windows registry to auto-start with each system reboot and allowed optional password protection.

The client application featured a GUI resembling a hybrid of Windows Explorer and featured a custom DOS-style terminal that took program commands as well as relay DOS shell commands by redirecting stdin/stdout through P-Invoke, giving a high degree of control over the infected system.

• Shut down, restart, lock workstation
• Retrieve system and user info
• Keystroke injection
• Run programs or MS-DOS commands
• Disable Ctrl+Alt+Del
• Browse file system
• Upload/download files

• Real-time chat with remote user
• AOL Instant Messenger spoofing
• Join/modify chatroom presence
• Send arbitrary text to active window
• Open URLs or launch scripts

• Password-protect host access
• Hidden operation mode
• Built-in password bypass utility (reset server password to "admin")

WinROOT was designed for use on:

• Windows 95
• Windows 98
• Windows 2000
• Windows ME
• Windows XP

WinROOT became widely distributed in the early 2000s as NetBus and Back Orifice were increasingly blacklisted by antivirus software. Due to its smaller footprint, customizable features, and active underground support, it was seen as a stealthier, more flexible alternative.

It was eventually detected in about 2005 and classified as malware by major vendors:

• MegaSecurity – WinROOT 1.43
• Microsoft Malware Encyclopedia – Backdoor:Win32/Winroot
• Sophos Threat Center – Win32/Winroot-A
• McAfee AVERT Labs (archived threat database)
• Symantec/Norton Antivirus definitions (historical RAT database)

WinROOT is regarded as a notable tool in the lineage of early remote administration and trojan software for Windows. Released during a period when other tools such as NetBus and Back Orifice were being increasingly blocked by antivirus software, WinROOT gained traction due to its relatively small footprint, modular architecture, and initially lower detection rate.^[1]

Its inclusion in multiple malware encyclopedias—including those maintained by Microsoft,^[2] Sophos,^[3] and others—solidified its recognition within both underground forums and mainstream security circles.

The program’s developer, using the handle dem0nseed of The DMF Crew, was also credited with developing related tools, including crax0r, a programmable exploit launcher distributed on the same platforms.^[4] These tools circulated widely on archive sites such as mc2.nu and box.sk, now defunct but influential in distributing early Windows-based remote control software.

A personal anecdote from the developer, posted to the Phone Losers of America forum in 2007, reflects the hands-on, exploratory mindset of the time:

"I dusted off and tried my redbox outside of a Circle K gas station in southwest Florida and it dumped out 75 cents. I was so excited that I ran away and didn't even try to make a call :)" — PhoneLosers.com, August 17, 2007

WinROOT remains a historically relevant example of early 2000s underground software engineering, representing the blurred line between prank-oriented utilities and unauthorized remote control software.

• NetBus
• Back Orifice
• Remote administration software
• Trojan horse (computing)

• MegaSecurity page on WinROOT
• Microsoft Security Encyclopedia – WinROOT
• Sophos Threat Analysis – WinROOT