Win32/Rootkit.Avatar [Threat Name]
Win32/Rootkit.Avatar [Threat Variant Name]
Category: trojan
Size: 129536 B
Short description
Win32/Rootkit.Avatar is a trojan that tries to download other malware from the Internet. It uses techniques common to rootkits.
Installation
The trojan does not create any copies of itself.
Executable file infection
Win32/Rootkit.Avatar can infect executable files.
The trojan searches for files with the following file extensions:
- .sys
It infects files stored in the following folders:
- %windir%\system32\drivers\
The trojan then removes itself from the computer.
Other information
Win32/Rootkit.Avatar is a trojan that receives data and instructions for its operation from the Internet or a remote computer in a botnet.
The trojan contains a list of two URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
To gain administrator access rights it attempts to exploit one of the following vulnerabilities:
- MS11-080 (http://technet.microsoft.com/en-us/security/bulletin/ms11-080)
The trojan may load and inject the avcmd.dll library into the following processes:
- svchost.exe
The trojan modifies the program code of the following Windows APIs:
- MiProtectVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
- MmCopyVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
- NtQueryVirtualMemory (ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe)
The trojan quits immediately if any of the following applications is detected:
- VMware Workstation