Win32/Aibolit [Threat Name] go to Threat

Win32/Aibolit.AA [Threat Variant Name]

Category trojan
Size 483840 B
Aliases Backdoor.Win32.Delf.aruw (Kaspersky)
  Backdoor.Trojan (Symantec)
  BACKDOOR.Trojan (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %sysdir%\­avpmon.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Services" = %sysdir%\­avpmon.exe
Other information

The trojan acquires data and commands from a remote computer or the Internet. The TCP protocol is used in the communication.

It may perform the following actions:

  • run executable files
  • log off the current user
  • manipulate application windows
  • open the CD/DVD drive
  • show fake alerts
  • turn the display off
  • shut down/restart the computer
  • swap mouse buttons
  • block keyboard and mouse input
  • open ports

The trojan may display the following dialog windows:

Please enable Javascript to ensure correct displaying of this content and refresh this page.