Win32/Rootkit.Avatar Description

Win32/Rootkit.Avatar is a rootkit that uses a driver infection method twice: first in the dropper, to evade detection by HIPS, and again in the rootkit driver, to persist after the computer restarts. The infection method is limited by the code signing policy for kernel-mode modules, so Win32/Rootkit.Avatar functions only on x86 systems. The Win32/Rootkit.Avatar driver is not stored on the hard drive; it is loaded and executed with the same code used in the technique for MS11-080 exploitation. Loading the Win32/Rootkit.Avatar driver by infecting a system driver is effective at evading security applications, and it allows other kernel-mode modules to be loaded from a 'trusted' (but damaging) system driver. Win32/Rootkit.Avatar does not store its files in the standard file system, and its driver infection method makes it harder to use the usual forensic approaches for a successful incident investigation. Win32/Rootkit.Avatar also has other means of restoring botnet control if the command center is taken down or C&C is disrupted for other reasons.
