Rivarts.A Backdoor

Discussion in 'malware problems & news' started by Yellow Trucker, Mar 24, 2006.

Thread Status:
Not open for further replies.
  1. Yellow Trucker

    Yellow Trucker Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    2
    Microsoft antivirus found this during its usual 3 am scan. How does this find its way into my computer? Thinking I had it immune to this crap after the
    Spyware.Apropos.C episode, which I disposed of thanks to this forum.
     
  2. rkarrow

    rkarrow Registered Member

    Joined:
    Mar 25, 2006
    Posts:
    1
    Microsoft Defender Beta 2 also found Rivarts.A on my computer. Prior to running Defender I ran a full scan with Ewido with no mention of Rivarts.A. What is happening with Ewido o_O?
     
  3. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Could also be a FP that Microsoft is giving?

    Thanks,

    Chris
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I think someone still has some questions :D Thanx Marianna
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    so it is a nasty one after all .. I swear I had it once and none of my programs were detecting it .. strange ..
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Marianna, I'm looking for any relation concerning mchInjDrv.sys
    and non-malicious programs atm .. I cannot find anything :(
     
  10. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    do you have....... a program called DVD Cloner? It is mentioned here:

    Kaspersky forum
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    No, never used it actually .. I started with a complete setup one week ago .. I don't have it anymore now apparently, so that's good news .. but still, because it is a sys file .. so you see, formatting can be good once in a while :D
     
  12. GLaverneFlambeau

    GLaverneFlambeau Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    2
    I got the Rivarts.A alert during last night's regular scan with MSAS.
    I'm hoping that this is a false positive.
    The only change I made to the system yesterday that I remember was swapping out a bad motherboard and re-activating Windows.


    Rivarts.A Backdoor more information...
    Status: Quarantined
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\WINDOWS\TEMP\mc22.tmp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
     
  13. GLaverneFlambeau

    GLaverneFlambeau Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    2
    I uninstalled Spyware Doctor and the registry keys in question are gone even after reboot.
     
  14. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    I too found Rivarts.A on my system from a MS AS Beta scan. I was surprised because it is literally the first alleged malware it has detected since I installed it shortly after it became available.

    If you follow some of the forum threads below, some of them suggest that the 9 Registry keys mchInjDrv (mad code hook Injection Driver) may have come from Trojan Hunter. Probably not in my case. I actually downloaded the trial version AFTER I found Rivarts.A because it was identified as a trojan. I should note that I had tried TH once a while ago, but I doubt there were any files left on my system. TH did not find anything, including Rivarts.A.

    None of my other scans found Rivarts.A either: ewido, a-squared, Spy Sweeper, NIS 2006, Spyware Doctor, Spybot, Ad-Aware SE. That was peculiar.

    Somebody asked what Trojan Hunter Guard is. I believe it's a .exe that is found within the TH folder. If you run Process Explorer I would expect it would show up there. I can't test that because I removed TH just to see what would happen. Same as before: the mchInjDrv reinstalls on reboot. Removing TH was a bit tricky, by the way. I used Add/Remove Programs from the Control Panel, but it couldn't remove it completely. The message said remove the rest manually. I tried to delete the TH folder in Programs Files, but I couldn't - Access denied, Trojan Guard running. Luckily I was able to delete the rest of it from the system tray.

    I also read on a forum that mchInjDrv is a legitimate application that the developer sells to other companies, so it may be malware if a company producing malware incorporates it into their product, but it is not supposedly malware in and of itself. Like any tool, it depends on how it is used.

    I have had Spyware Doctor myself for a while, so it may be that these traces were there all along unnoticed until MS AS detected them as likely false positives. I run the free unregistered version of SD and their tech support won't respond any more, but maybe someone who has the paid version can get an answer from them about whether or not they use mchInjDrv.

    In the meantime, until this gets resolved, I am just going to remove mchInjDrv every time on reboot. I don't want a potential keystroke logger running.

    Can someone tell me if I can simply and safely use regedit to delete the mchInjDrv folder from the Registry rather than run a quick MS AS scan and have it remove it? It takes about 3-4 minutes for MS AS to do its thing.
     
  15. luke0s

    luke0s Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    1
    Location:
    Southampton
    What agitates me is that it isn't picked up by Windows Defender real-time protection. I have had four instances of it dating back approx. 4 days. I've only turned on my PC half an hour ago; it's locked up twice and Windows Defender has picked up the Rivarts.A yet again. I've e-mailed Microsoft to see what they have to say, but no reply as yet.
     
  16. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    If you get a reply from Microsoft at all, it will only be to say that Defender (like its predecessor MS AS) is in Beta, and MS does not provide support for Beta releases as a policy matter.

    I tried to get some very basic support for MS AS early on, and they just directed me to a MS forum on it. I'm guessing they even ignored my product suggestions.

    I think it's a bit disgraceful for a company the size of Microsoft with its resources not to support its Betas at all, but everyone who downloads anybody's Betas should know that there will be some bugs of some kind in the application, some minor, others perhaps seriously aggravating or even catastrophic. As always, caveat emptor (buyer beware). That's why setting a Restore Point before a download is a good idea, just in case.
     
  17. PCJohn

    PCJohn Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    101
    MS AS found Rivarts.A too on another computer that I sometimes clean.
    It could be from IM or from malware, because before that I removed a screensaver with a tennis player from this PC that contained badware.
    Giant seemed better than MS AS, so I am not sure whether it's malware or an FP.
     
  18. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Check out these replies by Mike Treit of Microsoft on 3/27/06 on the MS Discussion Groups forum thread 'Rivarts.A Backdoor - False positive or not?' about the detection rules that MS uses: http://www.microsoft.com/communitie...&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us , excerpted below.

    "Currently signatures on registry keys and values that are known to be
    created by malicious software are reported as a detection for that threat,
    even if no other files or other traces of the threat are found.
    There are plans to change this behavior in the future, which should resolve
    the issue."

    "By Microsoft Antispyware Beta 1 standards, this is not a false positive.
    Beta 1 has always reported the presence of various registry keys and/or
    values as meaning that you have that threat on your system, even if no files
    are detected. Currently, Beta 2 (i.e., Windows Defender) has the same logic
    as Beta 1.
    That said, we are planning to be more stringent about what we consider a
    concrete detection of a threat, which is why this behavior will change in
    the near future for Windows Defender."

    To quote a later post on that thread: "Mike Treit has stated that the logic
    Windows Defender uses in these cases (registry entries found, but not
    executable code) will soon be changed, which will eliminate this alarm."

    Various legitimate AS programs including Trojan Hunter and Spyware Doctor may install mchInjDrv, but are not malware themselves.

    At this point I am fairly convinced that on my system the detection of mchInjDrv is a false positive. If we had a complete list of 'good' programs that installed it, AS or otherwise, then by removing all of them from your system you could know for sure if mchInjDrv was indeed associated with an instance of malware. The best we can hope for at the moment is the brief list discussed in these threads.

    Note also that Spybot decided to remove mchInjDrv from its detection: forums.spybot.info/showthread.php?t=730 .
     
  19. PCJohn

    PCJohn Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    101
    When it is in the registry it's not a false positive.
    The PC user should be notified and the keys must be removed.
    You don't want it on your system, not for any part.
     
  20. perijon

    perijon Registered Member

    Joined:
    Mar 29, 2006
    Posts:
    2
    Location:
    Sydney, Australia
    Hi dcdc, I have detected Rivarts.A on my system with MS AS. Rivarts.A is a rootkit-based trojan and it is self-replicating. When MS AS deletes Rivarts.A it is only deleting a copy which the trojan has made; a few hours later it will be back. Panda Software has an article on it. After your AS deletes it, you have to delete the directory that Rivarts.A has created, which is a .exe file. I went into my registry but could not find the directory string. I can't reproduce all of the directory string here as I don't have the right keyboard. After that, you have to delete your system's restore points, then reactivate monitoring again. Go to the Panda site to read on it. I am still stuck with this thing!
     
  21. PCJohn

    PCJohn Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    101
  22. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Here is a link to Panda's virus encyclopedia on Rivarts.A: http://www.pandasoftware.com/com/vi...iew.aspx?idvirus=92688&sitepanda=particulares.

    This morning I did a free scan from Panda's site with their two scanners, spyXposer and ActiveScan. Neither one found any malware including Rivarts.A on my system, and I do have mchInjDrv keys in my Registry. So apparently Panda does not use these keys as the only criteria to detect Rivarts.A. Panda may indeed remove Rivarts.A, but apparently in their detection rules the presence of mchInjDrv is insufficient to warrant a reported detection.

    Spybot decided to delist mchInjDrv last year. See post 7 on this thread: http://forums.spybot.info/showthread.php?t=774. Note also this quote from post 1 on the thread:
    "TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
    mchInjDrv (Mad code hook injection driver)
    malware can use it, but if you use any of the above security apps, then it's a false positive."

    You can probably add Spyware Doctor to the list of security applications that use it.

    Again, Rivarts.A may use mchInjDrv, but that does not mean that the converse is true, i.e. if mchInjDrv is on your computer, you are necessarily infected with Rivarts.A. In other words, just because you have some symptoms doesn't mean you necessarily have the disease.
     
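    A defender-side check for the situation described in posts 12, 18 and 22 (the scanner reports the mchInjDrv service keys, but no executable code is found), written here as an added Python example that is not from this thread, from Microsoft, or from any of the vendors named above. It parses the nine registry lines reported in post 12, reads the service's Type, Start, ImagePath and DeleteFlag values, and separates a registry-only trace from a case where the referenced driver image is actually present on disk. The list of on-disk files is a constructed stand-in for a real filesystem check; the service-type and start-type constants and the stripping of the `\??\` NT path prefix are standard Windows conventions, not details taken from the thread.

```python
"""Classify an antispyware detection that consists only of registry entries.

Added example (not the thread's or any vendor's code). Input format is the
'KEY [VALUENAME DATA]' listing that MSAS printed in post 12.
"""

# Constructed sample input: the nine entries from post 12, copied verbatim.
SAMPLE_REPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\WINDOWS\TEMP\mc22.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
"""

# Documented Windows service values (not page-specific).
SERVICE_KERNEL_DRIVER = 1   # Type 1: a kernel-mode driver
SERVICE_DISABLED = 4        # Start 4: not started automatically
SERVICES_BASE = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def parse_report(text):
    """Turn 'KEY [NAME DATA]' lines into {key: {value_name: data}}.

    A line with only a key still creates an (empty) entry so that the key's
    existence is recorded even when no values were listed for it.
    """
    entries = {}
    for raw in text.strip().splitlines():
        parts = raw.strip().split(" ", 2)
        values = entries.setdefault(parts[0], {})
        if len(parts) == 3:
            values[parts[1]] = parts[2]
    return entries


def normalize_image_path(image_path):
    """Strip the NT object-manager prefix (\\??\\ or \\\\?\\) from an ImagePath."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if image_path.startswith(prefix):
            return image_path[len(prefix):]
    return image_path


def assess(entries, files_on_disk, service="mchInjDrv"):
    """Decide whether the report is a registry-only trace or a real binary.

    files_on_disk is a constructed list standing in for a filesystem lookup;
    in production this would be os.path.exists() on the Windows host.
    """
    values = entries.get(SERVICES_BASE + service, {})
    image = normalize_image_path(values.get("ImagePath", ""))
    present = bool(image) and image.lower() in {f.lower() for f in files_on_disk}
    if present:
        verdict = "binary present: examine the driver image before deciding"
    else:
        verdict = "registry-only trace: no executable code found for this service"
    return {
        "service": service,
        "is_kernel_driver": values.get("Type") == str(SERVICE_KERNEL_DRIVER),
        "start_disabled": values.get("Start") == str(SERVICE_DISABLED),
        # DeleteFlag 1 means DeleteService was already called; the SCM removes
        # the key on the next boot, so the entry is transient by design.
        "marked_for_deletion": values.get("DeleteFlag") == "1",
        "image_path": image,
        "binary_present": present,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess(parse_report(SAMPLE_REPORT), files_on_disk=[])
    for field, value in report.items():
        print(f"{field:>20}: {value}")
```

    Run against the sample with an empty file list, the result is "registry-only trace", which is exactly the case Mike Treit describes: keys known to be created by a threat, but nothing executable to back them up. Supplying the ImagePath in the on-disk list flips the verdict, which is the point at which a file scan or sample submission is warranted rather than key deletion alone.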
  23. PCJohn

    PCJohn Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    101
  24. PCJohn

    PCJohn Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    101
    If nothing helps I will try this too.
    SWD is on the other Pc.
    Did removing Spyware Doctor help for more people?
     
  25. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Hi PCJohn,

    I guess my question is why would you want to uninstall Spyware Doctor if it were clear that SD was the source of the keys, or are you unconvinced that it is in your case? If the keys after uninstall did not return following reboot, would you then reinstall SD or not? If not, why not?

    I don't think anyone believes SD is harboring malware or that it is anything less than completely reputable. When MS decides to get around to it, they will change their detection rules and the FP hit will go away.

    A similar situation happened a while ago when Symantec mislabeled Spyware Doctor as harboring Graybird Backdoor. That was one of the better known false positives that eventually got cleared up.
     