Rivarts.A Backdoor, Kav didn't detect it Options

[Rilla927]

Hi guys,

I got up this morning and MSAS showed one infection of a Rivarts.A Backdoor. I can't find doodle for info. Here is a screen shot of all the different files the Trojan has. Don't worry, nothing is live. Has anyone seen this before?

Attached File(s)

 Trojan.png ( 35.03K ) Number of downloads: 743

 

[SSK]

http://www.esafe.com/home/csrt/valerts2.asp?virus_no=22426

http://secunia.com/virus_information/22301/rivarts.a/

http://www.viruslist.com/en/viruses/encycl...a?virusid=95845

http://www.pandasoftware.com/virus_info/en...us=92688&sind=0

Here you go. A little search on Google...

[-=Phantom=-]

This .sys file is hidden located at Windows/System32/Drivers installed with CureRom (hide virtual drives to bypass copy protections such as Safedisc 4.x and Securom 7.x) for example. The author claims that he didn't know about this file It inject code into other processes. Some Malware use this file too so that is why MSAS detect it. mchInjDrv.sys alone isn't dangerous I think.

[Rilla927]

This .sys file is hidden located at Windows/System32/Drivers installed with CureRom (hide virtual drives to bypass copy protections such as Safedisc 4.x and Securom 7.x)  for example. The author claims that he didn't know about this file    It inject code into other processes.  Some Malware use this file too so that is why MSAS detect it. mchInjDrv.sys alone isn't dangerous I think.

I d/l a program called DVD Cloner 3 last night. This must belong to this program. Is this the real thing or nothing to worry about because it belongs to DVD Cloner. What do you guys think?

[Rilla927]

http://www.esafe.com/home/csrt/valerts2.asp?virus_no=22426

http://secunia.com/virus_information/22301/rivarts.a/

http://www.viruslist.com/en/viruses/encycl...a?virusid=95845

http://www.pandasoftware.com/virus_info/en...us=92688&sind=0

Here you go. A little search on Google...

Thanks SSK, I don't know why I couldn't find anything. I used google.

[SSK]

Send the program to Kaspersky Analysts for analysis.

[Rilla927]

Send the program to Kaspersky Analysts for analysis.

I would but I MSAS removed it

[Glenn]

Hi guys,

I got up this morning and MSAS showed one infection of a Rivarts.A Backdoor. I can't find doodle for info. Here is a screen shot of all the different files the Trojan has. Don't worry, nothing is live. Has anyone seen this before?

Hello all,
Just as above, I found my MSAS had found this Riverts.A backdoor.
Google brought me here to find out more about it.
MSAS runs automatically at 2.00am and 2.00pm daily so I know it wasn't there
until the 2.00pm run.
I'm pretty cautious so now wondering how it got in past my AV etc,
Does anyone know yet please?

Glenn

[-=Phantom=-]

Did you read what I wrote ?

[Human]

Thanks ALL of YOU for Your helpful info on this ' Rivarts.A Backdoor'

I've of course read post by -=Phantom=- and all the 4 links in post by SSK ...
but I could not find - ( or figure-it out ) the way to make sure
I don't have this on my computer.

I think according to post by -=Phantom=- I could check manually my computer
if this ' Rivarts.A Backdoor' is there.

Please give me suggestion how to do that - if is possible to check it manually, ...
or my KAV Personal Suite 5.0.385 + AH would detected long time ago
if it is indeed on my computer.

Thanks , .....

[Rilla927]

Well at least I know how I got the Rivarts.A Backdoor. It did indeed come in the DVD Cloner 3 program I d/l. I uninstalled the program and then reinstalled it again so I could do a scan and see what I come up with and sure enough it was detected again by MSAS.

I don't know if it was a FP by MSAS or if it was actually a nasty in the program. After I uninstalled it I scanned with all my scanners and it was ok.

Rilla927

[Human]

Well at least I know how I got the Rivarts.A Backdoor. It did indeed come in the DVD Cloner 3 program I d/l. I uninstalled the program and then reinstalled it again so I could do a scan and see what I come up with and sure enough it was detected again by MSAS.

I don't know if it was a FP by MSAS or if it was actually a nasty in the program. After I uninstalled it I scanned with all my scanners and it was ok.

Rilla927

Hi, -
Rilla927
if you don't mind me asking a question.
I understand you do have a Kaspersky Anti Virus program -- do you ?
And if you do - how is that possible that it was not detected ?

I'm asking same question as Glenn is: .....

'' I'm pretty cautious so now wondering how it got in past my AV etc, ''


Thanks , .......

[-=Phantom=-]

Because like I said mchInjDrv.sys alone is harmless (the same for Windows/System32 madCHook.dll which can be also present. ) So it isn't a good idea from MSAS to detect it as a backdoor. Rivarts A maybe use mchInjDrv.sys thats why, but mchInjDrv.sys is also used by harmless programs. BTW MSAS only detects the registry entries not the file itself which is like I said hidden at Windows/System32/Drivers seems to use some rootkit like techniques to hide ?!? It is developed by http://www.madshi.net mchInjDrv = MadCodeHook look here. Because of the fact that it can be used by dangerous programs too maybe KAV should detect it as riskware.

My english isn't the best, I hope you understand what I wanted to say.

@Human, Glenn,Rilla297

For a real infection with Rivarts-A there must be more files than mchInjDrv.sys . Look at the Links SSK had posted. For example here under the topic Infection Strategy. Have you have those files ?? ZSYS.exe for example or the startup registry key. I don't think so

[Human]

-=Phantom=-

Thanks for your explanations

''My english isn't the best, I hope you understand what I wanted to say. ''

no problem, I understood every thing you wrote, Thanks:)

I've read again / this time more carefully / text in Infection Strategy,

and i don't remember how to check in registry for this entry,
year ago i was reading instructions somewhere how to use the: Start / Run --
but now i don't remember
and after entering in Run: sysdir -- i get no ''action'' from my computer

Could you please tell me how to manually look for this ''entry''

Thanks, ....

[-=Phantom=-]

Hi Human,

Start -> Run than type regedit press Enter. Navigate to the following key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Or simpler you can type msconfig press Enter and choose SystemStart on the top right.

[Human]

Hi Human,

Start -> Run than type regedit press Enter. Navigate to the following key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Or simpler you can type msconfig press Enter and choose SystemStart on the top right.

Thanks -=Phantom=-

"regedit" -- that was what i did not remember -- thanks !

i did look there / in Windows -in CurrentVersion -in Run / and there is no such entry as mchInjDrv.sys
Rivarts.A . Zsys = %sysdir%\ zsys.exe where %sysdir% is the Windows system directory.

In 'Run' i have only = 'OpticalComponents' and in it is = IMAIL , MAPI , MSFS

there are 4 more
1]. Run Once , 2]. Run Once Ex 3]. Run Services , 4]. Run ServicesOnce

but i see nothing as describe that 'entry' is mchInjDrv.sys

so looks that is not on my computer.

But since you [and others] said that this is not necessary ''bad''
and '' mchInjDrv.sys is also used by harmless programs. ''
so in that case i have no big worry about it and i'm very happy with my KAV protection.

Thanks again, ...for your kind help
Cheeeeers, .......

[Don Pelotas]

MadCodeHook actually used to be detected as Riskware "not-a-virus:Tool.Win32.Madtol.c", but it may have been removed. Look in this thread for more info:http://forum.kaspersky.com/index.php?showt...&hl=madcodehook.

One thing to be clear about is that MadCodeHook is used (or have been) in many legitimate programs, some of them are Spy Sweeper & A2 trojan scanner (& Trojan Hunter too i believe).

[sethg]

Not to acuse Microsoft of anything without proof, but it is possible that they allowed this false positive to remain in MSAS because it is part of a known CD/DVD cloning package. MS is very big on Digital Rights Management, so they have some motivation to remove any program that violates that, as long as they have an excuse that it could be malware.

[Human]

Thanks Don and sethg for extra info / clarification

Cheeeers, ....