TrojanDropper:Win32/Rovnix.A


TrojanDropper:Win32/Rovnix.A is a trojan that modifies the New Technology File System (NTFS) boot sector of the hard drive to execute other malware. The trojan also installs a component, detected as Trojan:Win32/Rovnix.A, to restart the computer so the modified NTFS boot sector will execute.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt, type Bootrec /FixBoot, and then press Enter.
  6. Type Exit and then press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC.
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, TrojanDropper:Win32/Rovnix.A writes malicious code to certain disk sectors of the local hard drive. It also modifies the NTFS boot sector to execute the written code. On 32-bit Windows computers, the malicious code is detected as VirTool:WinNT/Rovnix.A while on 64-bit computers the code is detected as VirTool:Win64/Rovnix.A.
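
Because the modification described above changes boot code rather than files, one defensive check is to compare a saved copy of the NTFS boot sector against a known-good baseline. The following Python sketch is an added example, not Microsoft's code or part of the original entry. It assumes the boot-sector bytes were acquired separately (for example from a forensic image) and that the baseline digest comes from a clean volume of the same Windows version; all function names are hypothetical, and the sample sectors are constructed test data.

```python
import hashlib
import struct

BPB_START, BPB_END = 0x0B, 0x54   # per-volume geometry fields, excluded from the hash
SIG_OFFSET = 0x1FE                # 0x55 0xAA end-of-sector marker


def boot_code_digest(boot_area: bytes) -> str:
    """SHA-256 over everything except the per-volume BPB (jump, OEM ID, boot code)."""
    return hashlib.sha256(boot_area[:BPB_START] + boot_area[BPB_END:]).hexdigest()


def check_ntfs_boot_sector(boot_area: bytes, baseline_digest: str) -> list[str]:
    """Return a list of findings; an empty list means the boot area matches the baseline."""
    findings = []
    if len(boot_area) < 512:
        return ["image shorter than one 512-byte sector"]
    if boot_area[3:11] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    if boot_area[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA sector signature")
    (bytes_per_sector,) = struct.unpack_from("<H", boot_area, 0x0B)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        findings.append(f"implausible bytes-per-sector value {bytes_per_sector}")
    if boot_code_digest(boot_area) != baseline_digest:
        findings.append("boot code differs from known-good baseline")
    return findings


def make_sample_sector(boot_code: bytes, hidden_sectors: int) -> bytes:
    """Constructed 512-byte test sector (not a real Windows boot sector)."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"               # jump over the BPB
    sector[3:11] = b"NTFS    "
    struct.pack_into("<H", sector, 0x0B, 512)    # bytes per sector
    struct.pack_into("<I", sector, 0x1C, hidden_sectors)
    sector[0x54:0x54 + len(boot_code)] = boot_code
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    clean = make_sample_sector(b"\x90" * 32, hidden_sectors=2048)
    baseline = boot_code_digest(clean)
    # Same code on a volume with different geometry: still matches the baseline.
    print(check_ntfs_boot_sector(make_sample_sector(b"\x90" * 32, 63), baseline))
    # Altered boot code region: flagged.
    print(check_ntfs_boot_sector(make_sample_sector(b"\xcc" * 32, 2048), baseline))
```

The BIOS parameter block is left out of the digest because its geometry fields legitimately differ from volume to volume, so one baseline can be reused across machines running the same Windows build.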

Payload

Installs other malware

TrojanDropper:Win32/Rovnix.A installs a component, detected as Trojan:Win32/Rovnix.A, that restarts the computer. During the boot process of the affected computer, the modified NTFS boot sector will attempt to load the malicious code written by TrojanDropper:Win32/Rovnix.A.

Analysis by Chun Feng


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.111.2331.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Sep 15, 2011
This entry was first published on: Sep 15, 2011
This entry was updated on: May 30, 2014

This threat is also detected as:
  • TrojanDropper:Win32/Lageliz.B (other)
  • Win32/PSW.Papras.BZ trojan (ESET)
  • Trojan.Win32.Agent.nkwx (Kaspersky)
  • Trojan.Cidox (Symantec)
  • TROJ_VUNDO.SMC (Trend Micro)