Installation
Trojan:Win32/Tivmonk.B is usually installed on your PC by pretending to be a legitimate installer. We have seen the following installer file names used by this threat:
-
Chrome_Setup.exe
-
Flash_Player_Pro_Setup.exe
-
Flash_Player_Pro_Update_Setup.exe
-
flash1-tr-60614.exe
-
Flash-3-Update5232014.exe
-
flashplayerpro-setup.exe
-
FreeFlash.exe
-
fupm-adk-v2.exe
-
iTunes-Setup.exe
-
Java_Updater_Setup.exe
-
java1-adk-52714.exe
-
Java-2-Update5232014.exe
-
JavaUpdateTR.exe
When the installer is run it disguises itself by using a legitimate installer interface, such as the following:
After the installation, the installer might tell you it has successfully installed an update, however it has actually installed a malicious component onto your PC.
The path of the malicious file that is installed depends on the fake installer that is used. For example, we have seen the malicious file installed in the following locations
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<path to malware>"
Where <value> is a random word designed to look like a legitimate entry. Examples of this registry entry include:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 CVS Monitor"
With data: "C:\Program Files\Software Guardian\cvsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Client Manager"
With data: "C:\Program Files\Flash Update\winclient32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows FUPM Service Manager"
With data: "C:\Program Files\Premium Software\systerm32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 BCS Monitor"
With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows System Monitor "
With data: "C:\Program Files\VLC Media Player Installer\system32.exe"
Trojan:Win32/Tivmonk.B might also create similar registry entries at the following locations:
-
HKEY_CURRENT_USER\Software\AutoPopper
-
HKEY_CURRENT_USER\Software\UpdateFiles
-
HKEY_CURRENT_USER\Software\UpdateSoft
Payload
Monitors your online activity
Trojan:Win32/Tivmonk.B stays running in memory and monitors the following web browsers:
-
Chrome
-
Firefox
-
IE
-
Netscape
When one of these browsers are found running in the system the trojan collects all accessed URLs and sends this information to its servers via HTTP. We have seen it access the following URLs:
-
a.turboclk.com/a.php?key=<key>&url=<url>
-
a.turboclk.com/ac.php?key=<key>&comp=true&k=<url>
Where <key> is a random value and <url> is the URL accessed from the Web browser address bar.
Downloads other files
Trojan:Win32/Tivmonk.B can also download files from the remote server and run it in the system as CompTmp.exe.
As of this writing the server was not available to download this file.
Analysis by Ric Robielos
