Adware:Win32/InvisibleBrowser
First posted on 28 July 2014.
Source: Microsoft
Aliases:
There are no other names known for Adware:Win32/InvisibleBrowser.
Explanation :
Threat behavior
Installation
Adware:Win32/InvisibleBrowser is usually installed on your PC at the same time as other software. We have seen the following installer file names used by this program:
- Chrome_Setup.exe
- Flash_Player_Pro_Setup.exe
- Flash_Player_Pro_Update_Setup.exe
- flash1-tr-60614.exe
- Flash-3-Update5232014.exe
- flashplayerpro-setup.exe
- FreeFlash.exe
- fupm-adk-v2.exe
- iTunes-Setup.exe
- Java_Updater_Setup.exe
- java1-adk-52714.exe
- Java-2-Update5232014.exe
- JavaUpdateTR.exe
The installation program might look like the following:
After the installation, the installer might tell you it has successfully installed an update; however, it has actually installed another component onto your PC.
We have seen this program installed in the following locations:
- %ProgramFiles%\Flash Component Manager\srvhelper32.exe
- %ProgramFiles%\Flash Update\winclient32.exe
- %ProgramFiles%\FlashLive! Updater\flsystem32.exe
- %ProgramFiles%\Java Update\javaclient32.exe
- %ProgramFiles%\JavaLive! Manager\jvsystem32.exe
- %ProgramFiles%\Premium Software\systerm32.exe
- %ProgramFiles%\Software Guardian\cvsmon32.exe
- %ProgramFiles%\SystemShield Pro\bcsmon32.exe
- %ProgramFiles%\VLC Media Player Installer\system32.exe
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: ""
Whereis a random word. Examples of this registry entry include:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 CVS Monitor"
With data: "C:\Program Files\Software Guardian\cvsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Client Manager"
With data: "C:\Program Files\Flash Update\winclient32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows FUPM Service Manager"
With data: "C:\Program Files\Premium Software\systerm32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 BCS Monitor"
With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows System Monitor "
With data: "C:\Program Files\VLC Media Player Installer\system32.exe"
It might also create similar registry entries at the following locations:
- HKEY_CURRENT_USER\Software\AutoPopper
- HKEY_CURRENT_USER\Software\UpdateFiles
- HKEY_CURRENT_USER\Software\UpdateSoft
Behavior
Monitors your online activity
This program can monitor the following web browsers:
- Chrome
- Firefox
- IE
- Netscape
It collects all accessed URLs and sends this information to its servers via HTTP. We have seen it access the following URLs:
- a.turboclk.com/a.php?key=&url=
- a.turboclk.com/ac.php?key=&comp=true&k=
Whereis a random value and is the URL accessed from the Web browser address bar.
Displays advertisements
We have seen this program showing unattributed ads that might look like those shown below:
Symptoms
The following could indicate that you have this program on your PC:
- You have these files:
%ProgramFiles%\Flash Component Manager\srvhelper32.exe
%ProgramFiles%\Flash Update\winclient32.exe
%ProgramFiles%\FlashLive! Updater\flsystem32.exe
%ProgramFiles%\Java Update\javaclient32.exe
%ProgramFiles%\JavaLive! Manager\jvsystem32.exe
%ProgramFiles%\Premium Software\systerm32.exe
%ProgramFiles%\Software Guardian\cvsmon32.exe
%ProgramFiles%\SystemShield Pro\bcsmon32.exe
%ProgramFiles%\VLC Media Player Installer\system32.exe
- You see these entries or keys in your registry:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 CVS Monitor"
With data: "C:\Program Files\Software Guardian\cvsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Client Manager"
With data: "C:\Program Files\Flash Update\winclient32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows FUPM Service Manager"
With data: "C:\Program Files\Premium Software\systerm32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32 BCS Monitor"
With data: "C:\Program Files\SystemShield Pro\bcsmon32.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows System Monitor "
With data: "C:\Program Files\VLC Media Player Installer\system32.exe"
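The symptoms above can be checked in one read-only pass with PowerShell. This script is an added example, not part of the original entry or any Microsoft tooling. It uses only the file paths and registry keys listed on this page, and as assumptions it also looks under "Program Files (x86)" and the WOW6432Node Run key, which the page does not mention.

```powershell
# Added example: read-only check for the indicators listed on this page.
$relPaths = @(   # install locations from the page, relative to %ProgramFiles%
    'Flash Component Manager\srvhelper32.exe', 'Flash Update\winclient32.exe',
    'FlashLive! Updater\flsystem32.exe',       'Java Update\javaclient32.exe',
    'JavaLive! Manager\jvsystem32.exe',        'Premium Software\systerm32.exe',
    'Software Guardian\cvsmon32.exe',          'SystemShield Pro\bcsmon32.exe',
    'VLC Media Player Installer\system32.exe'
)
$hkcuKeys = 'AutoPopper', 'UpdateFiles', 'UpdateSoft'   # HKCU\Software keys from the page
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Assumption, not from the page: the 32-bit registry view on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption, not from the page: also look under "Program Files (x86)".
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$findings = @()
# 1. Files on disk.
foreach ($root in $roots) {
    foreach ($rel in $relPaths) {
        $full = Join-Path $root $rel
        if (Test-Path -LiteralPath $full -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $full; Detail = '' }
        }
    }
}
# 2. Run entries. Match on the value data (the executable path), because the
#    value name differs between the examples on the page.
foreach ($rk in $runKeys) {
    $key = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        foreach ($rel in $relPaths) {
            if ($data.IndexOf("\$rel", [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$rk\$name"; Detail = $data }
            }
        }
    }
}
# 3. Additional HKCU keys (per-user: run this as the affected user).
foreach ($k in $hkcuKeys) {
    if (Test-Path -LiteralPath "HKCU:\Software\$k") {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Location = "HKCU:\Software\$k"; Detail = '' }
    }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed indicators found.' }
```

A clean result only means none of the names listed here are present; the installer and value names vary between samples, so a full antimalware scan is still the authoritative check.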
Last update 28 July 2014