TrojanDropper:Win32/Rovnix.I


Microsoft security software detects and removes this threat.

This trojan makes changes to your PC so that it downloads and runs other malware each time it starts.



What to do now

The following free Microsoft software detects and removes this threat:

However, in some cases you may need to use the free tool Windows Defender Offline to fully clean your PC:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt, then type Bootrec /FixBoot and press Enter.
  6. Type Exit and then press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC.
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior

Installation

TrojanDropper:Win32/Rovnix.I writes malicious code to certain disk sectors of the local hard drive.

It modifies the New Technology File System (NTFS) boot sector (detected as Trojan:DOS/Ronvix.F) so that the written code is executed. The machine is rebooted after a successful installation.

Payload

Installs other malware

Each time your computer starts the modified NTFS boot sector will attempt to load the malicious code written by TrojanDropper:Win32/Rovnix.I.

The trojan injects code into explorer.exe to download other malware by contacting the domain youtubeflashserver.com.
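The installation and payload sections above describe a bootkit pattern: the NTFS volume boot record (VBR) keeps its normal BIOS parameter block so the volume still mounts, while the bootstrap code in the same sector is replaced to load code from other disk sectors at every start. The script below is an added example written for this page, not Microsoft's tooling or anything from the Rovnix analysis. It parses the standard NTFS VBR layout (OEM ID at offset 3, BPB through offset 0x53, bootstrap code from 0x54 to the 0x55AA signature at 0x1FE), validates the fixed fields, and compares a SHA-256 of the bootstrap region against a known-good baseline, which is the check that actually catches a rewrite like the one described. The sample boot sector is constructed for the demo and contains no real malware bytes.

```python
"""Inspect an NTFS volume boot record (VBR) and flag a rewritten bootstrap
code area. Added example; the sample sector is constructed test data."""
import hashlib
import struct

NTFS_OEM_ID = b"NTFS    "
BOOTSTRAP_START = 0x54   # first byte after the BIOS parameter block (BPB)
BOOTSTRAP_END = 0x1FE    # offset of the 0x55AA boot signature
SECTOR_SIZE = 512


def build_sample_vbr(bootstrap_fill: int = 0x90) -> bytes:
    """Construct a synthetic 512-byte NTFS VBR (constructed, not from a disk).
    bootstrap_fill lets the caller build a second copy whose bootstrap code
    differs while every BPB field stays the same."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x52\x90"                       # JMP SHORT +0x52 ; NOP
    sec[3:11] = NTFS_OEM_ID                          # OEM ID
    struct.pack_into("<H", sec, 0x0B, 512)           # bytes per sector
    sec[0x0D] = 8                                    # sectors per cluster
    sec[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<Q", sec, 0x28, 204_799)       # total sectors
    struct.pack_into("<Q", sec, 0x30, 786_432)       # $MFT start cluster
    struct.pack_into("<Q", sec, 0x38, 2)             # $MFTMirr start cluster
    sec[0x40] = 0xF6                                 # clusters per file record: -10 -> 2**10 bytes
    sec[0x44] = 1                                    # clusters per index buffer
    struct.pack_into("<Q", sec, 0x48, 0x1234567890ABCDEF)  # volume serial (constructed)
    sec[BOOTSTRAP_START:BOOTSTRAP_END] = bytes([bootstrap_fill]) * (BOOTSTRAP_END - BOOTSTRAP_START)
    sec[0x1FE:0x200] = b"\x55\xAA"                   # boot signature
    return bytes(sec)


def parse_vbr(sec: bytes) -> dict:
    """Decode the NTFS VBR fields worth checking."""
    bytes_per_sector = struct.unpack_from("<H", sec, 0x0B)[0]
    sectors_per_cluster = sec[0x0D]
    frs = struct.unpack_from("<b", sec, 0x40)[0]    # signed: negative n means 2**(-n) bytes
    file_record_size = (1 << -frs) if frs < 0 else frs * bytes_per_sector * sectors_per_cluster
    return {
        "jump": sec[0:3],
        "oem_id": sec[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "media_descriptor": sec[0x15],
        "total_sectors": struct.unpack_from("<Q", sec, 0x28)[0],
        "mft_cluster": struct.unpack_from("<Q", sec, 0x30)[0],
        "mftmirr_cluster": struct.unpack_from("<Q", sec, 0x38)[0],
        "file_record_size": file_record_size,
        "volume_serial": struct.unpack_from("<Q", sec, 0x48)[0],
        "signature": struct.unpack_from("<H", sec, 0x1FE)[0],   # 0x55 0xAA little-endian
    }


def validate_vbr(sec: bytes) -> list:
    """Structural checks only: an empty list means the fixed fields look like a
    normal NTFS boot sector. A bootkit that leaves the BPB intact and replaces
    only the bootstrap code passes this, which is why bootstrap_changed() exists."""
    if len(sec) != SECTOR_SIZE:
        return ["length: expected %d bytes, got %d" % (SECTOR_SIZE, len(sec))]
    f = parse_vbr(sec)
    issues = []
    if f["jump"][0] not in (0xEB, 0xE9):
        issues.append("jump: first byte %#x is not a JMP" % f["jump"][0])
    if f["oem_id"] != NTFS_OEM_ID:
        issues.append("oem_id: %r is not %r" % (f["oem_id"], NTFS_OEM_ID))
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        issues.append("bytes_per_sector: %d" % f["bytes_per_sector"])
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append("sectors_per_cluster: %d is not a power of two" % spc)
    if f["media_descriptor"] != 0xF8:
        issues.append("media_descriptor: %#x (0xF8 expected for a fixed disk)" % f["media_descriptor"])
    if f["signature"] != 0xAA55:
        issues.append("signature: %#06x is not 0xAA55" % f["signature"])
    return issues


def bootstrap_hash(sec: bytes) -> str:
    """SHA-256 of the bootstrap code region (0x54 up to the boot signature)."""
    return hashlib.sha256(sec[BOOTSTRAP_START:BOOTSTRAP_END]).hexdigest()


def bootstrap_changed(sec: bytes, baseline_hash: str) -> bool:
    """True when the bootstrap code no longer matches the known-good baseline."""
    return bootstrap_hash(sec) != baseline_hash


if __name__ == "__main__":
    clean = build_sample_vbr()            # stands in for a baseline taken from a known-good volume
    baseline = bootstrap_hash(clean)
    rewritten = build_sample_vbr(0xCC)    # same BPB, different bootstrap code
    for name, sec in (("clean", clean), ("rewritten", rewritten)):
        print(name, "| structural issues:", validate_vbr(sec) or "none",
              "| bootstrap changed:", bootstrap_changed(sec, baseline))
```

On a live Windows system the same 512 bytes can be read from the volume device (for example `open(r"\\.\C:", "rb").read(512)` with administrator rights) and fed to `validate_vbr` and `bootstrap_changed`. Because a bootkit of this kind typically keeps the BPB valid, the structural check alone reports nothing; the baseline hash is what detects the rewrite. After running the Bootrec /FixBoot repair described above, the bootstrap code is legitimately rewritten, so the baseline should be recomputed from the repaired volume.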

Analysis by Chun Feng


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.153.1777.0
Latest detected by definition: 1.183.1360.0 and higher
First detected on: Jul 11, 2013
This entry was first published on: Jul 11, 2013
This entry was updated on: Feb 17, 2014

This threat is also detected as:
  • Trojan.Win32.Cidox.agjl (Kaspersky)
  • win32:winpe/Kryptik.CBZS (Norman)
  • Trojan horse Generic33.BODU (AVG)
  • Trojan.GenericKDZ.22861 (BitDefender)
  • Win32/Rovnix.F (ESET)
  • W32/Injector.AIRR (Fortinet)
  • PWS-Zbot-FAXY!DAA1F0584D51 (McAfee)