Home / malwarePDF  

Trojan:Win32/Tivmonk.B


First posted on 13 April 2017.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Tivmonk.B.

Explanation :

Installation

Trojan:Win32/Tivmonk.B is usually installed on your PC by pretending to be a legitimate installer. We have seen the following installer file names used by this threat:

  • Chrome_Setup.exe
  • Flash_Player_Pro_Setup.exe
  • Flash_Player_Pro_Update_Setup.exe
  • flash1-tr-60614.exe
  • Flash-3-Update5232014.exe
  • flashplayerpro-setup.exe
  • FreeFlash.exe
  • fupm-adk-v2.exe
  • iTunes-Setup.exe
  • Java_Updater_Setup.exe
  • java1-adk-52714.exe
  • Java-2-Update5232014.exe
  • JavaUpdateTR.exe


When the installer is run it disguises itself by using a legitimate installer interface, such as the following:

After the installation, the installer might tell you it has successfully installed an update, however it has actually installed a malicious component onto your PC.

The path of the malicious file that is installed depends on the fake installer that is used. For example, we have seen the malicious file installed in the following locations
  • %ProgramFiles% \Flash Component Manager\srvhelper32.exe
  • %ProgramFiles% \Flash Update\winclient32.exe
  • %ProgramFiles% \FlashLive! Updater\flsystem32.exe
  • %ProgramFiles% \Java Update\javaclient32.exe
  • %ProgramFiles% \JavaLive! Manager\jvsystem32.exe
  • %ProgramFiles% \Premium Software\systerm32.exe
  • %ProgramFiles% \Software Guardian\cvsmon32.exe
  • %ProgramFiles% \SystemShield Pro\bcsmon32.exe
  • %ProgramFiles% \VLC Media Player Installer\system32.exe


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: ""

Where is a random word designed to look like a legitimate entry. Examples of this registry entry include:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 CVS Monitor"
With data: "C:\Program Files\Software Guardian\cvsmon32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Client Manager"
With data: "C:\Program Files\Flash Update\winclient32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows FUPM Service Manager"
With data: "C:\Program Files\Premium Software\systerm32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 BCS Monitor"
With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows System Monitor "
With data: "C:\Program Files\VLC Media Player Installer\system32.exe"

Trojan:Win32/Tivmonk.B might also create similar registry entries at the following locations:
  • HKEY_CURRENT_USER\Software\AutoPopper
  • HKEY_CURRENT_USER\Software\UpdateFiles
  • HKEY_CURRENT_USER\Software\UpdateSoft


Payload

Monitors your online activity

Trojan:Win32/Tivmonk.B stays running in memory and monitors the following web browsers:
  • Chrome
  • Firefox
  • IE
  • Netscape


When one of these browsers are found running in the system the trojan collects all accessed URLs and sends this information to its servers via HTTP. We have seen it access the following URLs:
  • a.turboclk.com/a.php?key=&url=
  • a.turboclk.com/ac.php?key=&comp=true&k=


Where is a random value and is the URL accessed from the Web browser address bar.

Downloads other files

Trojan:Win32/Tivmonk.B can also download files from the remote server and run it in the system as CompTmp.exe.

As of this writing the server was not available to download this file.



Analysis by Ric Robielos

Last update 13 April 2017

 

TOP

Malware :

Family: