We have seen variants in the Rovnix family installed by:
Once installed, Virus:DOS/Rovnix variants modify the New Technology File System (NTFS) boot sectors.
Other variants, such as VirTool:WinNT/Rovnix.A, can store other malicious components at the end of the disk, which are then loaded at boot time.
Downloads other malware
We have seen the Rovnix family installing the following malware:
Some Rovnix variants try to tamper with Windows kernel data to load their own malicious driver. This may bypass Driver Signature Enforcement on a 64-bit system.
To protect itself, the loaded driver intercepts hard disk input/output (I/O) operations and prevents the Volume Boot Record (VBR) from being modified.
We have also seen some Rovnix variants using a private TCP/IP stack to hide network traffic.
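As an added example (not part of the original analysis), a defender-side integrity check for the behaviours described above: it parses an NTFS VBR, validates the BIOS Parameter Block fields against the partition table, compares the boot-code region with a known-good baseline hash, and counts the unallocated sectors after the last partition where components can be stashed. Because the loaded driver filters disk I/O, the sectors must be read from offline media or a disk image; the VBR bytes, partition values and baseline here are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0x54, 0x1FE)  # bootstrap code region of an NTFS VBR (426 bytes)


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Extract the BPB fields a bootkit check cares about from one 512-byte NTFS VBR."""
    if len(vbr) != SECTOR:
        raise ValueError("VBR must be exactly one 512-byte sector")
    return {
        "oem": vbr[3:11],
        "bytes_per_sector": struct.unpack_from("<H", vbr, 0x0B)[0],
        "reserved_sectors": struct.unpack_from("<H", vbr, 0x0E)[0],
        "media": vbr[0x15],
        "hidden_sectors": struct.unpack_from("<I", vbr, 0x1C)[0],
        "total_sectors": struct.unpack_from("<Q", vbr, 0x28)[0],
        "signature": vbr[0x1FE:0x200],
        "code_sha256": hashlib.sha256(vbr[BOOT_CODE]).hexdigest(),
    }


def check_vbr(vbr: bytes, part_start_lba: int, part_sectors: int, baseline_sha256: str) -> list:
    """Return findings (empty list = clean) for the VBR of one NTFS partition."""
    f, findings = parse_ntfs_vbr(vbr), []
    if f["oem"] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    if f["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096) or f["reserved_sectors"] != 0 or f["media"] != 0xF8:
        findings.append("BPB fields outside the values NTFS writes")
    if f["hidden_sectors"] != part_start_lba:  # VBR must agree with the partition table
        findings.append(f"hidden sectors {f['hidden_sectors']} != partition start LBA {part_start_lba}")
    if f["total_sectors"] >= part_sectors:  # NTFS keeps a backup boot sector after total_sectors
        findings.append("total sectors does not fit inside the partition")
    if f["code_sha256"] != baseline_sha256:  # boot code is what a VBR bootkit patches
        findings.append("boot code differs from the known-good baseline (possible VBR bootkit)")
    return findings


def end_of_disk_slack(partitions, disk_sectors: int) -> int:
    """Sectors after the last (start, length) partition: unallocated space usable as a hiding place."""
    return disk_sectors - max(start + length for start, length in partitions)


def make_sample_vbr() -> bytes:
    """Constructed clean VBR: a 100 MiB NTFS volume starting at LBA 2048 (not a real disk dump)."""
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11], vbr[0x15] = b"\xEB\x52\x90", b"NTFS    ", 0xF8
    struct.pack_into("<HBH", vbr, 0x0B, 512, 8, 0)           # bytes/sector, sectors/cluster, reserved
    struct.pack_into("<I", vbr, 0x1C, 2048)                   # hidden sectors = partition start LBA
    struct.pack_into("<Q", vbr, 0x28, 204799)                 # total sectors = partition size - 1
    vbr[BOOT_CODE] = (bytes(range(256)) * 2)[:426]            # stand-in for the bootstrap code
    vbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(vbr)
```

Record `parse_ntfs_vbr(clean)["code_sha256"]` from a known-good volume as the baseline, then run `check_vbr` on the same sectors read from the offline image.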
Analysis by Chun Feng
Alerts from your security software may be the only symptom.