
Avatar Rootkit

Posted: May 2, 2013

Avatar is a commercial rootkit built for 32-bit (x86) Windows PCs. It comes with separate infection routines for administrator and non-administrator accounts, a chain of Trojan droppers that handle its installation, and support for Yahoo Groups as a fallback channel when its primary Command & Control (C&C) servers are unreachable. Once installed, the Avatar rootkit may download and install other malware, disable important security features or steal personal information. Because some Avatar components live only in memory and are never written to the hard drive as ordinary files, SpywareRemove.com malware researchers recommend using only reputable, fully updated anti-malware applications to detect an Avatar rootkit infection and remove it from your PC.

The Avatar Rootkit: an Avatar of Insecurity with No Software in Sight

The Avatar rootkit is rented out on criminal forums as a kit: the renter supplies whatever payload they want delivered, and Avatar takes care of getting it onto victims' PCs. Given that commercial model, the threats that arrive alongside an Avatar infection can run the gamut from banking Trojans and spyware to Police ransomware Trojans and fake anti-virus scanners. SpywareRemove.com malware experts especially warn about Avatar's infection chain, which uses several advanced techniques to evade security software:

  • The first component is a Trojan dropper whose details vary from sample to sample (such as its preferred C&C server and the names of its mutex objects). This first-stage dropper evades HIPS-based security features and then installs a second-stage dropper, which sets up the infection that persists after a system restart.
  • The second-stage dropper's kernel-mode module only works on 32-bit Windows, which limits Avatar to infecting x86 PCs; on those systems it gains kernel access by infecting a legitimate system driver. This dropper also checks whether it is running inside a virtual machine or sandbox and refuses to install the rootkit if so, an anti-analysis technique that SpywareRemove.com malware researchers have found to be common.
  • How the driver infection proceeds depends on the privileges the dropper runs with. If the second-stage dropper has administrator privileges, Avatar infects a system driver and loads it directly. If it does not, Avatar uses a UAC-bypass exploit to obtain the privileges it needs and then does the same thing. Either way, from that point on, your PC loads the Avatar rootkit automatically whenever it starts, since the infected driver is loaded by Windows as part of normal startup.

Unlike most malware, the Avatar rootkit leaves no visible files or programs on your computer apart from the infected driver. Every other component is kept in a hidden file system of Avatar's own, so SpywareRemove.com malware researchers warn that trying to spot the Avatar rootkit by eye (browsing folders, the Task Manager or the list of installed programs) is likely to be a futile task.

What the Avatar Rootkit Boils Down to for Your Computer

Stripped of its technical defenses, the Avatar rootkit is simply an unusually sophisticated version of a common design: a rootkit with backdoor Trojan functions. It relays messages between its components, receives instructions from a Command & Control server, installs other malware (stored in its hidden file system), gathers basic system information for hostile purposes and encrypts all of its communications to keep them from being detected. Many of these functions are standard, but SpywareRemove.com malware experts nonetheless consider the Avatar rootkit a high-level PC threat that endangers your computer's privacy and security in almost every way possible.

Removing the Avatar rootkit entirely first requires that you stop the infected driver from loading, or boot an uninfected OS (for instance, an emergency OS on a flash drive) and work on the infected disk from there. As long as the Avatar rootkit is loaded and active, attempts to remove it, even with otherwise capable anti-malware programs, are likely to fail wholly or partially, because a running rootkit can hide its components from software on the infected system. Naturally, SpywareRemove.com malware researchers also advise using nothing less than the best anti-malware applications you can acquire for removing the Avatar rootkit and any malware installed through it.
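The following PowerShell script is an added example for this page, not a tool from the original article or from the analysis of Avatar it summarizes. It puts the advice of the two preceding paragraphs into practice: from a clean rescue OS, point it at the infected volume's driver directory and it reports every kernel driver whose Authenticode signature no longer checks out, which is what patching a legitimate system driver on disk leaves behind. The default drivers path and the report file name are assumptions you can override.

```powershell
# Added example (not from the original article): report kernel drivers whose
# Authenticode signature is missing or broken. File-patching driver infection
# of the kind described above breaks the embedded signature of the driver.
#
# Run it from a clean rescue OS against the mounted, infected volume, e.g.
#   .\Check-DriverSignatures.ps1 -DriversPath 'E:\Windows\System32\drivers'
# The default path and the CSV name are assumptions for this example.
param(
    [string]$DriversPath = "$env:SystemRoot\System32\drivers",
    [string]$ReportCsv   = '.\driver-signature-report.csv'
)

# Every .sys file under the directory; -Force includes hidden/system files.
$drivers = Get-ChildItem -Path $DriversPath -Filter '*.sys' -Recurse -Force -File -ErrorAction SilentlyContinue

$report = foreach ($drv in $drivers) {
    $sig = Get-AuthenticodeSignature -FilePath $drv.FullName
    [pscustomobject]@{
        Path      = $drv.FullName
        Status    = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SizeBytes = $drv.Length
        Modified  = $drv.LastWriteTimeUtc
        SHA256    = (Get-FileHash -Path $drv.FullName -Algorithm SHA256).Hash
    }
}

# HashMismatch is the strong signal: the driver carries a signature, but its
# bytes no longer match the signed hash, i.e. it was modified after signing.
$suspect = $report |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object @{ Expression = { $_.Status -eq 'HashMismatch' }; Descending = $true }, Path

# Full inventory (including SHA256 for comparison with a clean install) to CSV,
# and the non-valid entries to the console for triage.
$report  | Export-Csv -Path $ReportCsv -NoTypeInformation
$suspect | Format-Table Status, Path, Signer, Modified -AutoSize

Write-Host ('{0} drivers checked, {1} not validly signed (full report: {2})' -f $report.Count, @($suspect).Count, $ReportCsv)
```

Two caveats when reading the output. First, many of Windows' own drivers are catalog-signed rather than carrying an embedded signature, and the rescue OS does not have the offline volume's catalogs, so those show up as NotSigned; for them, compare the SHA256 column against a clean install of the same Windows build rather than trusting the status alone. Second, run the check offline: on a live infected system a kernel rootkit can present the original driver bytes to anything that reads the file, so a Valid result there proves little.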