Avast WEBforum

Other => Viruses and worms => Topic started by: yourfather on May 24, 2008, 09:36:35 AM

Title: HELP Win32:Vanti-BK [Rtk]
Post by: yourfather on May 24, 2008, 09:36:35 AM

I updated my Avast software and received a warning that my computer C:\WINDOWS\system32\drivers\vga.sys was infected with Malware Win32:Vanti-BK [Rtk].

Could this be a false positive, and should I ignore it?
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: FreewheelinFrank on May 24, 2008, 09:40:46 AM
Looks like it may be.

Please disable 'Hide protected operating system files' (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and enable 'View Hidden Files and Folders' (http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp), and upload the above files to VirusTotal (http://www.virustotal.com/) for analysis and confirmation.
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: oldman on May 24, 2008, 09:55:10 AM
Seems like someone else has posted about the same file... If removed, no monitor. I'll try to find the thread, but follow FWF's advice and test the file.

Here you go, seems like an FP going by the virustotal results.

http://forum.avast.com/index.php?topic=35692.0
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: yourfather on May 24, 2008, 10:16:01 AM
So I'm supposed to post the report from VirusTotal here? If it is, then here you go

Antivirus Version Last Update Result
AhnLab-V3 2008.5.22.1 2008.05.23 -
AntiVir 7.8.0.19 2008.05.23 -
Authentium 5.1.0.4 2008.05.23 -
Avast 4.8.1195.0 2008.05.23 -
AVG 7.5.0.516 2008.05.23 -
BitDefender 7.2 2008.05.23 -
CAT-QuickHeal 9.50 2008.05.23 -
ClamAV 0.92.1 2008.05.23 -
DrWeb 4.44.0.09170 2008.05.23 -
eSafe 7.0.15.0 2008.05.22 -
eTrust-Vet 31.4.5815 2008.05.23 -
Ewido 4.0 2008.05.23 -
F-Prot 4.4.4.56 2008.05.23 -
F-Secure 6.70.13260.0 2008.05.23 -
Fortinet 3.14.0.0 2008.05.23 -
GData 2.0.7306.1023 2008.05.23 -
Ikarus T3.1.1.26.0 2008.05.23 -
Kaspersky 7.0.0.125 2008.05.23 -
McAfee 5302 2008.05.23 -
Microsoft 1.3520 2008.05.23 -
NOD32v2 3127 2008.05.23 -
Norman 5.80.02 2008.05.23 -
Panda 9.0.0.4 2008.05.23 -
Prevx1 V2 2008.05.23 -
Rising 20.45.42.00 2008.05.23 -
Sophos 4.29.0 2008.05.23 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.23 -
TheHacker 6.2.92.318 2008.05.23 -
VBA32 3.12.6.6 2008.05.23 -
VirusBuster 4.3.26:9 2008.05.23 -
Webwasher-Gateway 6.6.2 2008.05.23 -
Additional information
File size: 20992 bytes
MD5...: 8a60edd72b4ea5aea8202daf0e427925
SHA1..: 0aa68f6fbe29e8359942d2cdefe7e9b8527568ab
SHA256: ed0624b285e4f64e07e30c12490873a2090f9dfd6a91a2eda7a1082b88a8199e
SHA512: 88f6a457daf60dfc7ba2a46e46bbe5dea1f45fc0a229f7f64bf48577d6c5c3c306d110477ef74b0f6a277f800e5bfe32300a8b93335d96b0d358a2012de1773f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14642
timedatestamp.....: 0x41107d0a (Wed Aug 04 06:07:06 2004)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x3d0 0x400 6.11 7f9d3555fc0fa39e6c35e04f62968ea5
.rdata 0x780 0x134 0x180 2.69 68c533c5ab20eb8bbd4df6edcde875b5
.data 0x900 0xc 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
PAGE 0x980 0x36e0 0x3700 6.29 1e701edde3d8b50fb912912ae1b1944f
PAGE_DAT 0x4080 0x4d2 0x500 2.75 7f80608610eea5275fc62df4c81ecc35
INIT 0x4580 0x510 0x580 5.12 64952cd39bfd619bae392603d8bb401f
.rsrc 0x4b00 0x3f0 0x400 3.38 7afff939e936aef204b8ff5c95cc9f57
.reloc 0x4f00 0x2ba 0x300 5.70 ff2779d16f2b082837239428beae8eae

( 2 imports )
> ntoskrnl.exe: KeBugCheckEx, KeTickCount, memmove, _except_handler3
> VIDEOPRT.SYS: VideoPortFreePool, VideoPortQueryServices, VideoPortFreeDeviceBase, VideoPortInitialize, VideoPortReadPortUshort, VideoPortWritePortBufferUshort, VideoPortWritePortUshort, VideoPortWritePortUchar, VideoPortReadPortUchar, VideoPortZeroDeviceMemory, VideoPortStallExecution, VideoPortInt10, VideoPortZeroMemory, VideoPortCompareMemory, VideoPortVerifyAccessRanges, VideoPortWriteRegisterBufferUchar, VideoPortAllocatePool, VideoPortSetTrappedEmulatorPorts, VideoPortMoveMemory, VideoPortReadRegisterUchar, VideoPortWriteRegisterUchar, VideoPortWritePortUlong, VideoPortGetDeviceBase, VideoPortGetDeviceData, VideoPortUnmapMemory, VideoPortMapMemory, VideoPortSynchronizeExecution, VideoPortReadPortUlong

( 0 exports )
 
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: FreewheelinFrank on May 24, 2008, 10:18:15 AM
Thanks.

Definitely a false positive identification by avast!'s rootkit scanner.

Do not delete the file or you will lose your display.

avast! needs to fix this one pronto.


EDIT: See later posts.
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: yourfather on May 24, 2008, 10:22:17 AM
Okay. Thanks :)
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: Krasotka on June 02, 2008, 01:39:50 AM
Pardon... I'm blond )))
So shall I just ignore it???
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: Sonichko on June 02, 2008, 09:41:31 PM
Hi,

You will see my posts about this under Viruses "Win32:Vanti-BK" in this forum. I had the same problem, right after I used a friend's pen drive. Polonus told me to run Dr.Web CureIt, which found 19 infected files with another trojan, and then a HijackThis analysis, with apparently some bank in Mexico as a host on my computer. Mysteriously, as soon as I dealt with the "Besso" trojan, the messages from Avast about Vanti stopped coming. So you should make sure you are not infected with something else more hidden that makes this one come back. It may be a false positive, but then why did it stop appearing as soon as I got rid of a trojan?

Anyway, I am very new at this, but maybe this will help.
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: Maxx_original on June 02, 2008, 09:58:31 PM
we've reanalysed the files detected as Win32:Vanti-BK and my opinion is that the detection is correct... the real driver refers to rapid.sys and hides itself under the vga.sys PE image afaik... when you're reading from the file via windows api (compromised probably), you'll get the content of vga.sys (that's probably the reason why the virustotal analysis seemed to be clean)... when you're reading the file in raw mode, you'll get an encrypted file with mangled import names etc.. and like I said before - when it would be a FP, it would be reported by many users... we got only some reports from users with a compromised system..
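The post above describes a classic cross-view discrepancy: a hooked file API hands back the genuine vga.sys image while the bytes actually on disk are something else, so a scanner that only reads through the API (and VirusTotal, which only saw the uploaded copy) reports a clean file. The following is an added example, not code from the thread or from avast!, showing how a defender can compare the two views of a file. The digests it carries are the ones VirusTotal printed for the uploaded copy earlier in this thread; `build_minimal_pe` and the XOR-masked "raw view" are constructed test inputs, and obtaining a true raw-disk copy (offline boot, raw NTFS read) is left to the caller, since it is platform-specific.

```python
"""Cross-view check of a driver file: compare the bytes the normal file API
returns with a second copy of the same file obtained independently (raw
volume read, offline boot, known-good media).  A mismatch, or a raw view
that no longer parses as a PE image, is the signal that something sits
between the API and the disk.

Added example; not the thread's or avast!'s code.
"""
import hashlib
import struct

# Digests VirusTotal reported for the uploaded copy (from the report above).
# Note: if a hooked API served that copy, these describe the *API view* only.
VT_REPORTED = {
    "md5": "8a60edd72b4ea5aea8202daf0e427925",
    "sha1": "0aa68f6fbe29e8359942d2cdefe7e9b8527568ab",
    "sha256": "ed0624b285e4f64e07e30c12490873a2090f9dfd6a91a2eda7a1082b88a8199e",
}


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, keyed like VT_REPORTED."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def pe_section_names(data: bytes):
    """Section names from a PE image, or None if the bytes do not parse as PE
    (too short, missing MZ/PE signatures, truncated section table)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return None
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def cross_view_report(api_view: bytes, raw_view: bytes) -> dict:
    """Compare the API-read bytes with the independently obtained bytes."""
    api_d, raw_d = digests(api_view), digests(raw_view)
    return {
        "api_digests": api_d,
        "raw_digests": raw_d,
        "api_matches_vt": api_d == VT_REPORTED,
        "views_agree": api_view == raw_view,
        "api_sections": pe_section_names(api_view),
        "raw_sections": pe_section_names(raw_view),
    }


def verdict(report: dict) -> str:
    """Human-readable conclusion from a cross_view_report() result."""
    if report["views_agree"]:
        return "consistent" if report["api_matches_vt"] else "consistent-but-unknown"
    if report["raw_sections"] is None:
        return "suspect: raw view is not a PE image (hidden/encrypted payload?)"
    return "suspect: API view and raw view differ"


def build_minimal_pe(section_names) -> bytes:
    """Constructed test input: the smallest layout pe_section_names() accepts
    (DOS stub with e_lfanew, PE signature, COFF header, bare section table)."""
    e_lfanew = 0x40
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + coff + table


def demo() -> str:
    """Constructed scenario: API shows a normal vga.sys-like image (section
    names taken from the VT report), the raw copy is an XOR-masked blob."""
    clean = build_minimal_pe([".text", ".rdata", ".data", "PAGE", "PAGE_DAT", "INIT", ".rsrc", ".reloc"])
    raw = bytes(b ^ 0x5A for b in clean)      # stand-in for an encrypted on-disk image
    return verdict(cross_view_report(clean, raw))


if __name__ == "__main__":
    print(demo())
```

In practice `api_view` comes from a plain `open(path, "rb").read()` on the live system and `raw_view` from a copy taken without going through that system's file API; a "consistent" verdict with matching digests is the only outcome that actually clears the file, and "consistent-but-unknown" still means the two views agree, so the remaining question is whether the digests match the vendor's published copy.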
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: FreewheelinFrank on June 02, 2008, 10:05:28 PM
OK. Thanks for the feedback.
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: polonus on June 02, 2008, 10:12:18 PM
Hi malware fighters,

I was persistent with Sonichko's alert and we delved further, and we did a full scan in safe mode and without system restore using the latest version of DrWebCureIt non-resident scanner for a FULL scan.

He did not present me with the DrWebCureIt log file, but he is genuine as he states something alerted and later, after cleansing, the alert had gone. One cannot lightheartedly say so-and-so is an FP, as there must be reasons for this. Good and valuable point made here, Sonichko, welcome to the forums,

polonus aka Damian
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: FreewheelinFrank on June 02, 2008, 10:14:22 PM
Any chance avast! can also add the malware hacking vga.sys?
Title: Re: HELP Win32:Vanti-BK [Rtk]
Post by: Maxx_original on June 03, 2008, 09:05:50 AM
yes, when we would receive the file responsible for it..