Win32/Rootkit.Avatar is a rootkit, which uses a driver infection method twice: the first in the dropper so as to evade detections by HIPS, and the second in the rootkit driver to remain after computer restart. The infection method is prevented in its ability (by code signing policy for kernel-mode modules) and Win32/Rootkit.Avatar functions only on x86 systems. Win32/Rootkit.Avatar driver is not stored on the hard drive and will load with the same code used in the technique for MS11-080 exploitation to execute the driver. This technique to load Win32/Rootkit.Avatar driver by system driver infection is effective to evade security applications, and loads other kernel-mode modules from a 'trusted' (but damaging) system driver. Win32/Rootkit.Avatar does not store its files in the standard file system and its method for driver infection makes it more complicated for usual forensic approaches to be used for successful incident investigation. Win32/Rootkit.Avatar also has other means to restore botnet control if the command center is taken down or C&C is disrupted for other reasons.