1. /
  2. Security Response/
  3. Hacktool.Rootkit


Risk Level 1: Very Low

September 27, 2001
April 19, 2010 4:26:18 PM
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Hacktool.Rootkit is a detection name used by Symantec to identify malicious software programs that allows attackers to break into a system and hide the attack from the users.

Hacktool.Rootkit may include a back door allowing a remote attacker to access the compromised computer. They can be made up of a variety of programs and scripts that gain root access on a system and attempt to hide evidence of the intrusion.

There are two main types of rootkits:

User-mode rootkits:
User-mode rootkits manipulate processes, services, and applications by targeting system calls sent from applications run by a user.

Kernel-mode rootkits:
The kernel-mode rootkit is more sophisticated since it takes control of the operating system by hooking and manipulating system calls and APIs at a lower level.

Once installed, a rootkit may perform any of the following actions on the compromised computer:
  • Avoid Detection
  • Hide files and folders
  • Hide malicious code
  • Hide network connections
  • Hide system processes
  • Log keystrokes
  • Modify systems
  • Open a back door

If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

  • Initial Rapid Release version September 27, 2001
  • Latest Rapid Release version May 2, 2015 revision 019
  • Initial Daily Certified version September 27, 2001 revision 007
  • Latest Daily Certified version May 3, 2015 revision 004
  • Initial Weekly Certified release date September 27, 2001
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment


  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 3 - 9
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate


  • Damage Level: Medium
  • Payload: Hides system changes and activities and may allow for remote access.


  • Distribution Level: Low
Note: On May 14, 2015, modifications will be made to the threat write-ups to streamline the content. The Threat Assessment section will no longer be published as this section is no longer relevant to today's threat landscape. The Risk Level will continue to be the main threat risk assessment indicator.
Writeup By: Angela Thigpen

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report