FakeAlert-Smart Fortress 2012
7/30/2019 FakeAlert-Smart Fortress 2012
Security Fortress 2012
Security Fortress 2012 (McAfee: FakeAlert-SecurityTool.bt, Generic FakeAlert.ama) is a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.
It is a detection for a family of rogue antivirus products that claim to scan for malicious programs on the system and display fake warnings of infection. It requires the infected user to register the fake antivirus product by paying online in order to "completely remove" the supposed infection.
This Trojan usually arrives as a download initiated by the user while visiting a malicious or poisoned website. These websites usually host a fake online scanner that warns the user of infections on the local system. The scanner then asks the user to download an antivirus program to detect and remove the supposed infection.
Characteristics and Symptoms
Once the user downloads and installs the supposed antivirus product offered online, it reports a successful installation and immediately starts a local scan.
It opens an interface showing that the system has been severely infected by computer viruses: the rogue security tool "scans" the victim's machine and deceives the compromised user into believing it is infected.
Once the supposed scan is finished, it displays a message showing the number of infections found on the machine. There are buttons for removing the threats and for continuing unprotected, as shown below.
When the compromised user clicks "Remove all threats now", it displays the following message and prompts
the user to activate the product in order to fix the problem:
When the compromised user clicks "Activate Smart Fortress 2012" it will redirect the user to a website which
will prompt the user to buy the fake software to clean the infection.
*Note: the website may vary from sample to sample.
A balloon tip may also appear in the system tray informing the user of the presence of malicious infections.
Security Fortress 2012 blocks all executables from running: whenever the user tries to launch any application, the rogue scanner is launched instead.
Installation:
When executed, the Trojan copies itself into the following location:
%AppData%\{random characters}\{random characters}.exe or C:\ProgramData\{random characters}\{random characters}.exe
The following file/folder may be added to the system:
%StartMenu%\Programs\Smart Fortress 2012.lnk
The following registry entries may be added to the system:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ""
HKEY_CURRENT_USER\Software\Classes\
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = ""
HKEY_CURRENT_USER\Software\Classes\\shell\open\command "(Default)" = "%CommonAppData%\\.exe" -s "%1" %*
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
HKEY_CLASSES_ROOT\
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\%s "(Default)" = ""
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\\shell\open\command "(Default)" = "%CommonAppData%\\.exe" -s "%1" %*
The .exe entries under HKEY_CURRENT_USER\Software\Classes (and the matching per-user HKEY_USERS hive) re-point the .exe file association at the rogue binary, which is why every program launch starts the rogue scanner instead; the program the user actually asked for is handed over as "%1" %*.
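The registry entries above are the detectable footprint of the launch hijack: a per-user ProgID for .exe whose shell\open\command points at a binary staged under the application-data folders. The following is an added example (not McAfee's code) that checks a registry snapshot for that pattern; the snapshot format, the function names and the placeholder class name abcdefgh are assumptions, and the live reader only runs on Windows.

```python
"""Offline check for the per-user .exe association hijack described above (added example, not McAfee's code)."""
import re
import sys

# Normal .exe handling lives under HKLM/HKCR; a per-user ProgID for .exe in
# HKCU\Software\Classes is how this rogue diverts every executable launch.
USER_EXE_KEY = r"HKEY_CURRENT_USER\Software\Classes\.exe"
# The rogue relaunches the program the user asked for via -s "%1" %*.
PASSTHRU = re.compile(r'-s\s+"%1"\s+%\*', re.IGNORECASE)
STAGING = ("%commonappdata%", "%appdata%", "\\programdata\\")  # staging paths seen on this page

def find_exe_hijack(snapshot):
    """Return a finding dict for a per-user .exe override in snapshot ({key: {value: data}}), else None."""
    prog_id = snapshot.get(USER_EXE_KEY, {}).get("(Default)", "")
    if not prog_id:
        return None  # no per-user ProgID for .exe: launches are not redirected
    cmd_key = rf"HKEY_CURRENT_USER\Software\Classes\{prog_id}\shell\open\command"
    command = snapshot.get(cmd_key, {}).get("(Default)", "")
    return {
        "progid": prog_id,
        "command": command,
        "passthrough": bool(PASSTHRU.search(command)),
        "appdata_payload": any(s in command.lower() for s in STAGING),
    }

def live_snapshot():
    """On Windows, read only the two keys the check needs (winreg); {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    def default_of(subkey):  # default value of HKCU\<subkey>, "" if absent
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                return winreg.QueryValue(key, None) or ""
        except OSError:
            return ""
    prog_id = default_of(r"Software\Classes\.exe")
    snap = {USER_EXE_KEY: {"(Default)": prog_id}}
    if prog_id:
        sub = rf"Software\Classes\{prog_id}\shell\open\command"
        snap[rf"HKEY_CURRENT_USER\{sub}"] = {"(Default)": default_of(sub)}
    return snap

# Constructed snapshot mirroring the page's entries; "abcdefgh" stands in for the random class name the page elides.
SAMPLE = {
    USER_EXE_KEY: {"(Default)": "abcdefgh"},
    r"HKEY_CURRENT_USER\Software\Classes\abcdefgh\shell\open\command":
        {"(Default)": r'"%CommonAppData%\abcdefgh\abcdefgh.exe" -s "%1" %*'},
}
```

On a suspect machine, `find_exe_hijack(live_snapshot())` returns None when the user's .exe association is untouched; a non-empty result with `passthrough` and `appdata_payload` both true matches the footprint this page describes.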
Remediation Steps
As Smart Fortress 2012 doesn't allow any executable to launch, removing the malware from the infected system is a little tricky.
The following steps can be used to remove the malware from an infected system.
Trick 1: Using cmd.exe
1. Copy cmd.exe and rename it to explorer.exe.
2. Execute the tasklist command.
3. It will display the list of processes running on the system.
4. Identify the process belonging to the malware (its name is a random string of alphanumeric characters). Note down the process ID for that process (it is listed beside the process name).
5. Execute the command taskkill /f /pid [Process ID No.]
6. It will kill the malware. Then we can delete that file.
7. After that we can use a .reg file to remove the particular registry keys.
Trick 2: Using Process Explorer
1. Copy Process Explorer and rename it to explorer.exe.
2. Execute Process Explorer and identify the malware process.
3. Suspend the process.
4. After this, we can execute any exe file (even our scanner or updater).
Trick 3: Using Recovery Console
1. Restart the infected system and boot from CD.
2. Choose Recovery Console (usually at the main menu, hit 'r').
3. It requires the Administrator password to log on.
4. Once logged in, choose the drive where Windows is installed.
5. Delete the malware file (del {path+filename}).
6. Exit and restart the system.
Trick 4: Using the Activation Key
1. Click on Activate Smart Fortress and then on "Click Here if you have activation Key".
2. Enter the Activation Key: AA39754E-715219CE.
3. Once it is activated, we can uninstall the rogue application. It also permits any application to execute.