Microsoft security software detects and removes this family of threats.

This malware family can download other threats onto your PC, such as Win32/Carberp and Win32/Vundo.

They can be installed on your PC by exploits, or other malware, such as Win32/Upatre.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

Some variants of this threat make lasting changes to your PC. To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community. If you’re using Windows XP, see our Windows XP end of support page.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt and then type Bootrec /FixBoot and then press Enter.
  6. Type Exit and the press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the SystemRecovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior


We have seen variants in the Rovnix family installed by:

Once installed Virus:DOS/Rovnix variants modify the New Technology File System (NTFS) boot sectors.

Other variants such as VirTool:WinNT/Rovnix.A can store other malicious components at the end of the disk, which are then loaded at booting time.


Downloads other malware

We have seen the Rovnix family installing the following malware:

Additional information

Some Rovnix variants try to tamper with some Windows kernel data to load their own malicious driver. This might bypass the Driver Signature Enforcement on a 64-bit system.

To protect itself, the loaded driver intercepts the hard disk input/output (I/O) operation, and prevents the Volume Boot Record from being modified.

We have also seen some Rovnix variants using a private TCP/IP stack to hide network traffic.

Analysis by Chun Feng


Alerts from your security software may be the only symptom.



Alert level: Severe
This entry was first published on: May 30, 2014
This entry was updated on: Jun 03, 2015

This threat is also detected as:
No known aliases