
Kivars

Posted: July 4, 2014

Kivars is a backdoor Trojan that gains a high degree of access to compromised PCs, which may allow it to install other threats, collect information, or even inject input commands to trigger desired system actions. While previously limited to 32-bit Windows PCs, Kivars has received recent updates that, among other things, give it full compatibility with 64-bit versions of Windows. As usual for threats with this level of access, malware researchers consider any response to a possible Kivars attack short of removing Kivars with dedicated anti-malware tools to be inadequate.

The Document You Shouldn't Want to Read

Kivars is used primarily in targeted campaigns against specific government or private institutions, frequently delivered through e-mail hoaxes. The primary components of a Kivars infection are a custom Trojan dropper (detected as TROJ_FAKEWORD.A), two malicious DLL files hidden in the Windows directory, and a randomly-named fake Word document. On closer examination, the latter is revealed to be an EXE (executable) file that disguises itself by exploiting the Unicode right-to-left override character in its file name and by using a misleading document icon.
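The file-name trick described above can be checked mechanically: a right-to-left override (U+202E) makes a file manager draw everything after it reversed, so a name ending in "cod.exe" is shown ending in "exe.doc", while the operating system still treats the file as a .exe. The following is an added example, not code from the original page or from any analysis of a Kivars sample. The file names and file headers are constructed test data, the magic-number table is a small hand-picked subset, and `displayed_name` is a simplified model of how Explorer renders bidirectional text rather than a full implementation of the Unicode bidi algorithm.

```python
"""Check a file name (and the file's first bytes) for the right-to-left
override disguise and for executable content hiding behind a document name.
Added example; the sample names and headers below are constructed."""
from typing import Dict, List

# Unicode bidirectional control characters that can change how a name is shown.
BIDI_CONTROLS: Dict[str, str] = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO = "\u202E"

# File-type magic numbers (hand-picked subset, enough for this check).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAGICS = [
    (b"MZ", "exe"),            # DOS/PE header: a Windows executable
    (OLE2_MAGIC, "doc"),       # OLE2 compound file: legacy Word .doc
    (b"PK\x03\x04", "docx"),   # ZIP container: OOXML .docx (also xlsx, pptx, jar)
    (b"%PDF", "pdf"),
]


def strip_controls(name: str) -> str:
    """Remove every bidi control character from a name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what a file manager renders: text after an RLO is drawn
    right-to-left, so it appears reversed. Other controls are dropped."""
    if RLO in name:
        head, tail = name.split(RLO, 1)
        name = head + tail[::-1]
    return strip_controls(name)


def extension(name: str) -> str:
    """The extension after the last '.', lower-cased ('' if there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def content_type(header: bytes) -> str:
    """Classify a file by its leading bytes using the MAGICS table."""
    for magic, kind in MAGICS:
        if header.startswith(magic):
            return kind
    return "unknown"


def inspect(name: str, header: bytes) -> Dict[str, object]:
    """Compare what the user sees, what the OS will execute, and what the
    bytes actually are; return the findings plus a suspicious verdict."""
    controls: List[str] = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = extension(strip_controls(name))   # what the OS really uses
    kind = content_type(header)
    flags: List[str] = []
    if controls:
        flags.append("bidi control character(s) in file name: " + ",".join(controls))
    if kind == "exe" and extension(shown) != "exe":
        flags.append("executable disguised as ." + extension(shown))
    if kind not in ("unknown", "exe") and kind != real_ext:
        flags.append("content is %s but extension is .%s" % (kind, real_ext))
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "content": kind,
        "controls": controls,
        "flags": flags,
        "suspicious": bool(flags),
    }


# Constructed samples: the RLO trick, a benign document, and an icon-only trick.
SAMPLES = [
    ("Budget_2014" + RLO + "cod.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Budget_2014.doc", OLE2_MAGIC + b"\x00" * 8),
    ("Budget_2014.docx", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for sample_name, sample_header in SAMPLES:
        result = inspect(sample_name, sample_header)
        print(repr(result["displayed"]), result["content"], result["flags"] or ["clean"])
```

Run it over names pulled from a mail gateway quarantine or a file-server listing; anything that trips the first two flags deserves a look before a user ever opens the "document". Because the real rendering depends on the full bidi algorithm and on the file manager, treat `displayed_name` as a model of the common case, and treat the magic-number check as the authoritative signal: a file that starts with `MZ` is an executable no matter what its name says.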

All versions of Kivars use basic backdoor connections that let Kivars receive instructions from its operators, upload files from the PC, or download (and then launch) other, equally harmful files. Malware experts also point out more specific hazards of Kivars, including:

  • Kivars may install software it downloads, including other threats and utilities that assist them (such as Remote Administration Tools).
  • Kivars may log keyboard input to text files, which can then be uploaded for third parties to collect pertinent data.
  • Kivars may capture screenshots to gather information that isn't accessible by monitoring the keyboard.
  • Kivars may inject input commands, such as a mouse double-click.
  • Kivars may change which window is visible or 'on top' automatically.

Kivars can even uninstall itself, a useful feature for infiltrating high-security networks and then covering its tracks after causing the desired damage. Other internal changes in the new version of Kivars (such as the broad use of RC4 encryption) may make it difficult for some security products to identify Kivars correctly.

Closing the File on Kivars

Kivars is far from ineffective against random PCs, but it should be a particular concern for companies and government agencies that have previously suffered similar attacks. Proper security practice, especially with regard to e-mail and network safety, should block most of the methods by which Kivars installs itself. Since Kivars may use randomized file names, misleading files, and structural traits that hinder its deletion, Kivars should always be removed with specialized anti-malware software.

Although any Trojan with download capabilities can place other threats on your hard drive, Kivars has been confirmed to have an especially close relationship with the Poison Ivy RAT. Sufficiently thorough system scans should always be undertaken to minimize the potential for related threats to linger after Kivars's removal. Updating your security software may also be needed to identify Kivars, as is usual for threats with recent new variants.
