
Rivarts.A Virus Removal Steps

Description:
Win32.Rivarts.a is a keylogger that monitors the user's browsing habits and logs sensitive information entered by the user (such as usernames and passwords). Occasionally, the keylogger sends the stolen information to a remote location. The malware uses rootkit techniques to hide its files, processes and registry entries.

Rivarts.A creates the following files in the Windows system directory:
- ZSYS.EXE. This file is a copy of the Trojan.
- ZSYS1.DLL, which is a DLL (Dynamic Link Library).
  - Rivarts.A creates a certain file, which is then registered as a service called mchInjDrv.
  - This service injects ZSYS1.DLL into all the active processes.
  - ZSYS1.DLL hooks the following functions:
    HttpSendRequestA (located in WININET.DLL).
    FindNextFileA, FindNextFileW, RegEnumValueA and RegEnumValueW (KERNEL32.DLL).
    PFXImportCertStore (CRYPT32.DLL).
    NtQuerySystemInformation (NTDLL.DLL).
  - By hooking those functions, Rivarts.A prevents some of its items, such as its files, registry entries and processes, from being listed in Windows Explorer, the Task Manager, etc.
- ZSYS2.DLL. This DLL is injected into the system process explorer.exe in order to monitor it.
- ZSYS.DB. This file is a database that uses the following tables: settings, settings_global, settings_garbage, settings_formfaker, storage_certgrabber, storage_formgrabber, storage_formfaker, storage_keylogger, storage_garbage_formgrabber, storage_garbage_keylogger, filter_keylogger, filter_urlblocker, filter_formgrabber, filter_formfaker, filter_urlpopup, tasks and settings_global_hosts.
  Rivarts.A uses this database to store its parameters and the information it harvests. For example, the first time it is run, Rivarts.A inserts several URLs into the table settings_global_hosts in order to connect to them later.

Rivarts.A creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Zsys = %sysdir%\zsys.exe
  where %sysdir% is the Windows system directory.
By creating this entry, Rivarts.A ensures that it is run whenever Windows is started.

Removal Instructions:
- Delete the entry that Rivarts.A has created in the Windows Registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Zsys = %sysdir%\zsys.exe
  where %sysdir% is the Windows system directory.
- Restart the computer.
- If Panda Antivirus or Panda ActiveScan detects Rivarts.A during the scan, it will automatically offer you the option of deleting it.
- Delete all registry entries starting with mchInjDrv.
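As an added example (not part of the original write-up), the following PowerShell script checks a host for the artefacts named above: the dropped files in the Windows system directory, the Zsys Run entry and the mchInjDrv service. It assumes the system directory is %SystemRoot%\System32 and that the service is registered under HKLM\SYSTEM\CurrentControlSet\Services; because ZSYS1.DLL hooks FindNextFile and RegEnumValue inside injected processes, results from a live infected system may be incomplete, so run it after the restart or from a clean boot environment.

```powershell
# Added example: look for the Rivarts.A artefacts listed in the description.
# File and value names come from the write-up; the paths below are assumptions.
$sysDir = Join-Path $env:SystemRoot 'System32'      # assumed %sysdir%
$files  = 'zsys.exe', 'zsys1.dll', 'zsys2.dll', 'zsys.db'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'  # assumed service location
$findings = @()

# 1. Dropped files in the system directory
foreach ($f in $files) {
    $p = Join-Path $sysDir $f
    if (Test-Path -LiteralPath $p) {
        $findings += "file present: $p"
    }
}

# 2. Run-key persistence value named Zsys
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Zsys']) {
    $findings += "Run entry: Zsys = $($run.Zsys)"
}

# 3. Service used to inject ZSYS1.DLL (keys starting with mchInjDrv)
Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'mchInjDrv*' } |
    ForEach-Object { $findings += "service key: $($_.PSChildName)" }
if (Get-Service -Name 'mchInjDrv*' -ErrorAction SilentlyContinue) {
    $findings += 'service registered: mchInjDrv'
}

# Report. A clean result on a live infected host is not conclusive, since the
# hooked enumeration APIs can hide exactly these items from user-mode tools.
if ($findings.Count -gt 0) {
    Write-Warning 'Possible Rivarts.A artefacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Rivarts.A artefacts found (verify from a clean boot environment).'
}
```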