Trojan:Win32/Tivmonk.B


Microsoft security software detects and removes this threat.
 
This threat can watch what you do online and send the information to a malicious hacker.
 
It can also download and run other files on your PC.
 


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Tivmonk.B is usually installed on your PC by pretending to be a legitimate installer. We have seen the following installer file names used by this threat:

  • Chrome_Setup.exe
  • Flash_Player_Pro_Setup.exe
  • Flash_Player_Pro_Update_Setup.exe
  • flash1-tr-60614.exe
  • Flash-3-Update5232014.exe
  • flashplayerpro-setup.exe
  • FreeFlash.exe
  • fupm-adk-v2.exe
  • iTunes-Setup.exe
  • Java_Updater_Setup.exe
  • java1-adk-52714.exe
  • Java-2-Update5232014.exe
  • JavaUpdateTR.exe

When the installer is run it disguises itself by using a legitimate installer interface, such as the following:

After the installation, the installer might tell you it has successfully installed an update, however it has actually installed a malicious component onto your PC.

The path of the malicious file that is installed depends on the fake installer that is used. For example, we have seen the malicious file installed in the following locations:

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<path to malware>"

Where <value> is a random word designed to look like a legitimate entry. Examples of this registry entry include:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 CVS Monitor"
With data: "C:\Program Files\Software Guardian\cvsmon32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Client Manager"
With data: "C:\Program Files\Flash Update\winclient32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows FUPM Service Manager"
With data: "C:\Program Files\Premium Software\systerm32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 BCS Monitor"
With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows System Monitor "
With data: "C:\Program Files\VLC Media Player Installer\system32.exe"

Trojan:Win32/Tivmonk.B might also create similar registry entries at the following locations:

  • HKEY_CURRENT_USER\Software\AutoPopper
  • HKEY_CURRENT_USER\Software\UpdateFiles
  • HKEY_CURRENT_USER\Software\UpdateSoft

Payload

Monitors your online activity

Trojan:Win32/Tivmonk.B stays running in memory and monitors the following web browsers:

  • Chrome
  • Firefox
  • IE
  • Netscape

When one of these browsers is found running on the system, the trojan collects every URL the browser accesses and sends this information to its servers via HTTP. We have seen it access the following URLs:

  • a.turboclk.com/a.php?key=<key>&url=<url>
  • a.turboclk.com/ac.php?key=<key>&comp=true&k=<url>

Where <key> is a random value and <url> is the URL accessed from the Web browser address bar.
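As an added example that is not part of the Microsoft entry, the following PowerShell flags web-proxy log lines that match the two beacon forms described above and recovers the browsed URL being leaked. The log lines are constructed samples in an assumed "timestamp client-ip url" format; adapt the leading part of the pattern to your proxy's own layout.

```powershell
# Added example (not from the Microsoft entry): flags proxy/web log lines that
# match the two turboclk beacon patterns described above and pulls out the
# browsed URL the trojan is leaking. The log lines below are constructed
# samples in a simplified "timestamp client-ip url" format (an assumption).

$SampleLog = @'
2014-06-23T10:01:02Z 10.0.0.15 http://www.example.com/
2014-06-23T10:01:03Z 10.0.0.15 http://a.turboclk.com/a.php?key=ab12cd&url=http%3A%2F%2Fwww.example.com%2F
2014-06-23T10:01:05Z 10.0.0.22 http://www.bing.com/search?q=flash
2014-06-23T10:01:06Z 10.0.0.15 http://a.turboclk.com/ac.php?key=ab12cd&comp=true&k=http%3A%2F%2Fmail.example.com%2Finbox
'@

# Both beacon forms seen on this page; <key> and the leaked URL are captured.
$BeaconPattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+https?://a\.turboclk\.com/(?<script>a|ac)\.php\?key=(?<key>[^&\s]+)&(?:url|comp=true&k)=(?<leaked>\S+)'

function Find-TivmonkBeacons {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $BeaconPattern) {
            [pscustomobject]@{
                Time      = $Matches.ts
                Client    = $Matches.client
                Script    = $Matches.script + '.php'
                Key       = $Matches.key
                # The browsed URL is URL-encoded in the query string; decode it for the analyst.
                LeakedUrl = [uri]::UnescapeDataString($Matches.leaked)
            }
        }
    }
}

$hits = Find-TivmonkBeacons -Lines ($SampleLog -split "`n")
$hits | Format-Table -AutoSize
# Group by client to see which hosts are beaconing and how often.
$hits | Group-Object Client | Select-Object Name, Count
```

On the constructed sample this reports two beacons from 10.0.0.15, one per script, with the decoded browsed URLs.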

Downloads other files

Trojan:Win32/Tivmonk.B can also download files from the remote server and run them on the system as CompTmp.exe.

As of this writing the server was not available to download this file.

Analysis by Ric Robielos


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %ProgramFiles%\Flash Component Manager\srvhelper32.exe
    %ProgramFiles%\Flash Update\winclient32.exe
    %ProgramFiles%\FlashLive! Updater\flsystem32.exe
    %ProgramFiles%\Java Update\javaclient32.exe
    %ProgramFiles%\JavaLive! Manager\jvsystem32.exe
    %ProgramFiles%\Premium Software\systerm32.exe
    %ProgramFiles%\Software Guardian\cvsmon32.exe
    %ProgramFiles%\SystemShield Pro\bcsmon32.exe
    %ProgramFiles%\VLC Media Player Installer\system32.exe

  • You see these entries or keys in your registry:

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Win32 CVS Monitor"
    With data: "C:\Program Files\Software Guardian\cvsmon32.exe"

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Client Manager"
    With data: "C:\Program Files\Flash Update\winclient32.exe"

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows FUPM Service Manager"
    With data: "C:\Program Files\Premium Software\systerm32.exe"

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Win32 BCS Monitor"
    With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows System Monitor "
    With data: "C:\Program Files\VLC Media Player Installer\system32.exe"
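The following PowerShell is an added example, not part of the Microsoft entry, that checks a host for the files and registry entries listed in this Symptoms section. It is read-only and only reports what it finds; the Run-key check also matches on the target path, so a renamed value pointing at one of the listed files is still caught.

```powershell
# Added example (not from the Microsoft entry): read-only check of a Windows host
# for the Tivmonk.B indicators listed above. It reports findings and removes
# nothing; run it from an elevated PowerShell prompt.

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Run-key value names quoted on this page (one variant carries a trailing space).
$KnownValueNames = @('Win32 CVS Monitor', 'Windows Client Manager',
    'Windows FUPM Service Manager', 'Win32 BCS Monitor', 'Windows System Monitor')
# Dropped-file paths quoted on this page, relative to a Program Files root.
$KnownRelativePaths = @(
    'Flash Component Manager\srvhelper32.exe', 'Flash Update\winclient32.exe',
    'FlashLive! Updater\flsystem32.exe',      'Java Update\javaclient32.exe',
    'JavaLive! Manager\jvsystem32.exe',       'Premium Software\systerm32.exe',
    'Software Guardian\cvsmon32.exe',         'SystemShield Pro\bcsmon32.exe',
    'VLC Media Player Installer\system32.exe')
$KnownHkcuKeys = @('HKCU:\Software\AutoPopper', 'HKCU:\Software\UpdateFiles',
    'HKCU:\Software\UpdateSoft')

$findings = @()

# 1. Run-key entries: flag a known value name (trimmed) or data that points at
#    a known dropped file, so a renamed value with the same target is still caught.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $data = [string]$p.Value
        $pathHit = $KnownRelativePaths | Where-Object { $data -like "*\$_*" }
        if ($KnownValueNames -contains $p.Name.Trim() -or $pathHit) {
            $findings += "Run entry '$($p.Name)' -> $data"
        }
    }
}

# 2. Dropped files under both Program Files roots (32- and 64-bit).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($rel in $KnownRelativePaths) {
        $full = Join-Path $root $rel
        if (Test-Path -LiteralPath $full) { $findings += "File present: $full" }
    }
}

# 3. Per-user keys the trojan may create.
foreach ($k in $KnownHkcuKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Tivmonk.B indicators from this entry were found.' }
```

A hit on any of these checks should be followed by a full scan with the Microsoft software named under "What to do now" rather than by deleting the files by hand, since the installer drops more than one component.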


Prevention


Alert level: Severe
This entry was first published on: Jun 23, 2014
This entry was updated on: Jun 24, 2014

This threat is also detected as:
No known aliases