FakeAlert-Smart Fortress 2012


7/30/2019 FakeAlert-Smart Fortress 2012 (page 1/4)

    Security Fortress 2012

Security Fortress 2012 (McAfee: FakeAlert-SecurityTool.bt, Generic FakeAlert.ama) is a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.

It is a detection for a family of rogue antivirus products that claim to scan for malicious programs on the system and display fake warnings of infection. It requires the infected user to register the fake antivirus product by paying online in order to "completely remove" the infection.

This Trojan usually arrives as a download made by the user while visiting a malicious or poisoned website. These websites usually host a fake online scanner that warns the user of infections on the local system. The scanner then asks the user to download antivirus software to detect and remove the supposed infection.

    Characteristics and Symptoms

Once the user downloads and installs the supposed antivirus product offered online, it reports a successful installation and immediately starts a local scan.

It opens its interface, which shows that the system has been severely infected by computer viruses. The rogue security tool scans the victim's machine and deceives the compromised user into believing it is infected.

Once the supposed scan is finished, it displays a message showing the number of infections found on the machine. There are buttons for removing the threats and also for continuing unprotected, as shown below.


When the compromised user clicks "Remove all threats now", it displays the following message and prompts the user to activate the product in order to fix the problem:

When the compromised user clicks "Activate Smart Fortress 2012", it redirects the user to a website that prompts the user to buy the fake software to clean the infection.

*Note: the website may vary from sample to sample.

A balloon tip may also appear in the system tray informing the user of the presence of malicious infections.


Security Fortress 2012 blocks all executables from running. Whenever the user tries to launch any application, the rogue scanner is launched instead.

Installation:

When executed, the Trojan copies itself to one of the following locations:

%AppData%\{random characters}\{random characters}.exe
C:\ProgramData\{random characters}\{random characters}.exe

The following file/folder may be added to the system:

%StartMenu%\Programs\Smart Fortress 2012.lnk

The following registry entries may be added to the system:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ""
HKEY_CURRENT_USER\Software\Classes\
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = ""
HKEY_CURRENT_USER\Software\Classes\\shell\open\command "(Default)" = "%CommonAppData%\\.exe" -s "%1" %*
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
HKEY_CLASSES_ROOT\
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\%s "(Default)" = ""
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\\shell\open\command "(Default)" = "%CommonAppData%\\.exe" -s "%1" %*

Remediation Steps

As Smart Fortress 2012 doesn't allow any executable to launch, removing the malware from the infected system is a little tricky.

The following steps can be used to remove the malware from an infected system.

    Trick 1: Using cmd.exe

1. Copy cmd.exe and rename it to explorer.exe.
2. Execute the tasklist command.
3. It will display the list of processes running on the system.


4. Identify the process belonging to the malware (its name is a random string of alphanumeric characters). Note down the process ID for that process (it is listed beside the process name).
5. Execute the command taskkill /f /pid [Process ID No.]
6. This kills the malware. Then we can delete that file.
7. After that, we can use a .reg file to remove the particular registry keys.
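Added example (my code, not McAfee's or the write-up's): a PowerShell check for the per-user .exe association listed under Installation, which with -Fix removes the hijack keys, the same cleanup Trick 1 step 7 describes doing with a .reg file. The -Fix switch, the $cleanCmd regex and the RunOnce path filter are my assumptions, and it assumes the rogue process has already been stopped, since the hijack would otherwise intercept powershell.exe as well.

```powershell
# Added example, not from the original write-up: audits the per-user .exe
# association Smart Fortress 2012 hijacks and, with -Fix, removes it so the
# machine-wide "exefile" association applies again. Assumes Windows PowerShell
# 5.1+ and that the rogue process has already been stopped (Trick 1 or 2).
param([switch]$Fix)

$classes  = 'HKCU:\Software\Classes'
$runOnce  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$findings = @()

# A clean open command for executables is exactly "%1" %* ; the rogue puts
# "<random>.exe" -s in front so every program launch starts it instead.
$cleanCmd = '^"%1"\s+%\*$'
$hijacked = $false

$exeKey = Join-Path $classes '.exe'
if (Test-Path $exeKey) {
    # A per-user .exe key is normally absent; HKLM\Software\Classes owns .exe.
    $progId = (Get-ItemProperty -Path $exeKey).'(default)'
    $findings += "Per-user .exe association present, ProgID = '$progId'"
    if ($progId) {
        $cmdKey = Join-Path $classes "$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            if ($cmd -and $cmd -notmatch $cleanCmd) {
                $hijacked = $true
                $findings += "Hijacked open command: $cmd"
            }
        }
    }
    if ($Fix) {
        Remove-Item -Path $exeKey -Recurse -Force
        if ($hijacked) { Remove-Item -Path (Join-Path $classes $progId) -Recurse -Force }
        $findings += 'Removed per-user .exe association'
    }
}

# RunOnce values pointing under %AppData% or ProgramData (where the rogue copies
# itself) are reported for manual review, not deleted.
if (Test-Path $runOnce) {
    $key = Get-Item -Path $runOnce
    foreach ($name in $key.GetValueNames()) {
        $v = [string]$key.GetValue($name)
        if ($v -match 'AppData\\Roaming|ProgramData') {
            $findings += "RunOnce '$name' -> $v"
        }
    }
}
if ($findings) { $findings } else { 'No Smart Fortress 2012 style .exe hijack found' }
```

Run it once without -Fix to review the findings, then with -Fix; the dropped file itself and the Start Menu shortcut still have to be deleted by hand.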

    Trick 2: Using Process Explorer

1. Copy Process Explorer and rename it as explorer.exe.
2. Execute Process Explorer and identify the malware process.
3. Suspend the process.
4. After this, we can execute any exe file (even our scanner or updater).

    Trick 3: Using Recovery Console

1. Restart the infected system and boot from CD.
2. Choose Recovery Console (usually at the main menu, hit 'r').
3. It requires the Admin password to log on.
4. Once logged in, choose the drive where Windows is installed.
5. Delete the malware file (del {path+filename}).
6. Exit and restart the system.

    Trick 4: Using the Activation Key

1. Click on "Activate Smart Fortress" and then on "Click Here if you have activation Key".
2. Enter the Activation Key: AA39754E-715219CE.
3. Once it is activated, we can uninstall the rogue application. It also permits any application to execute.