Win32/Rootkit.Avatar [Threat Name] go to Threat

Win32/Rootkit.Avatar [Threat Variant Name]

Category trojan
Size 129536 B
Detection created Apr 11, 2013
Detection database version 8218
Short description

Win32/Rootkit.Avatar is a trojan which tries to download other malware from the Internet. It uses techniques common for rootkits.

Installation

The trojan does not create any copies of itself.

Executable file infection

Win32/Rootkit.Avatar can infect executable files.


The trojan searches for files with the following file extensions:

  • .sys

It infects files stored in the following folders:

  • %windir%\­system32\­drivers\­

The trojan then removes itself from the computer.

Other information

Win32/Rootkit.Avatar is a trojan that receives data and instructions for its operation from the Internet or a remote computer in a botnet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

To gain administrator access rights it attempts to exploit one of the following vulnerabilities:

  • MS11-080 (http://technet.microsoft.com/en-us/security/bulletin/ms11-080)

The trojan may load and inject the avcmd.dll library into the following processes:

  • svchost.exe

The trojan modifies the program code of the following Windows APIs:

  • MiProtectVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • MmCopyVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
  • NtQueryVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)

The trojan quits immediately if any of the following applications is detected:

  • VMware Workstation

Please enable Javascript to ensure correct displaying of this content and refresh this page.