Win32/Rootkit.Avatar
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Ranking: 10,045
Threat Level: 10 % (Normal)
Infected Computers: 2,510
First Seen: May 8, 2013
Last Seen: February 11, 2025
OS(es) Affected: Windows
Win32/Rootkit.Avatar is a rootkit that applies a driver-infection technique twice: once in the dropper, to evade detection by HIPS, and once in the rootkit driver itself, to survive a computer restart. Because the code signing policy for kernel-mode modules restricts this infection method, Win32/Rootkit.Avatar functions only on x86 systems. The Win32/Rootkit.Avatar driver is not stored on the hard drive; it is loaded by the same code used in the MS11-080 exploitation technique to execute the driver. Loading the Win32/Rootkit.Avatar driver by infecting a system driver is effective at evading security applications, because its other kernel-mode modules are then loaded from a 'trusted' (but infected) system driver. Win32/Rootkit.Avatar does not store its files in the standard file system, and its driver-infection method makes it harder for standard forensic approaches to investigate an incident successfully. Win32/Rootkit.Avatar also has other means of restoring botnet control if the command-and-control (C&C) center is taken down or C&C communication is disrupted for other reasons.
URLs
Win32/Rootkit.Avatar may call the following URLs:
myshopsearch.com