
Security Fortress 2012

Security Fortress 2012 (McAfee: FakeAlert-SecurityTool.bt, Generic FakeAlert.ama) is a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems. It is a detection for a family of Rogue Antivirus Products that claim to scan for malicious programs on the system and display fake warnings of infection. It requires the infected user to register the fake antivirus product by paying online in order to "completely remove" the infection. This Trojan usually arrives as a download by a user while visiting a malicious or poisoned website. These websites usually host a fake online scanner that warns the user of an infection on the local system. The scanner then asks the user to download antivirus software to detect and remove the supposed infection.

Characteristics and Symptoms


Once the user downloads and installs the supposed antivirus product offered online, it reports a successful installation and immediately starts a local "scan". It opens an interface claiming that the system has been severely infected by computer viruses. The rogue security tool pretends to scan the victim's machine and falsely tells the user that it is infected.

Once the supposed scan is finished, it displays a message showing the number of infections found on the machine. There are buttons for removing the threats and for continuing unprotected, as shown below.

When the compromised user clicks "Remove all threats now", it displays the following message and prompts the user to activate the product in order to fix the problem:

When the compromised user clicks "Activate Smart Fortress 2012", it redirects the user to a website that prompts the user to buy the fake software to clean the infection. Note: the website may vary from sample to sample. A balloon tip may also appear in the system tray, telling the user that malicious infections are present.

Security Fortress 2012 blocks all executables from running. Whenever the user tries to launch any application, the rogue scanner is launched instead.

Installation: When executed, the Trojan copies itself into one of the following locations: %AppData%\{random characters}\{random characters}.exe or C:\ProgramData\{random characters}\{random characters}.exe

The following file/folder may be added to the system: %StartMenu%\Programs\Smart Fortress 2012.lnk

The following registry entries may be added to the system. The entries under Software\Classes\.exe and the matching <random 4 characters> ProgID redirect the .exe file association to the dropped file, which is why every program launch starts the rogue instead:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "<random>"
HKEY_CURRENT_USER\Software\Classes\<random 4 characters>
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = "<random 4 characters>"
HKEY_CURRENT_USER\Software\Classes\<random 4 characters>\shell\open\command "(Default)" = "%CommonAppData%\<random 33 characters>\<random 33 characters>.exe" -s "%1" %*
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
HKEY_CLASSES_ROOT\<random 4 characters>
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\%s "(Default)" = "<random 4 characters>"
HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\<random 4 characters>\shell\open\command "(Default)" = "%CommonAppData%\<random 33 characters>\<random 33 characters>.exe" -s "%1" %*

Remediation Steps

As Smart Fortress 2012 does not allow any executable to launch, removing the malware from the infected system is a little tricky. The following steps can be used to remove the malware from an infected system.

Trick 1: Using cmd.exe
1. Copy cmd.exe and rename the copy to explorer.exe.
2. Execute the tasklist command. It will display the list of processes running on the system.
3. Identify the process belonging to the malware. (Its name is a random string of alphanumeric characters.)
4. Note down the process ID for that process. (It is listed beside the process name.)
5. Execute the command taskkill /f /pid [Process ID No.]. It will kill the malware.
6. Then we can delete that file.
7. After that we can use a .reg file to remove the particular registry key.

Trick 2: Using Process Explorer
1. Copy Process Explorer and rename the copy to explorer.exe.
2. Execute Process Explorer and identify the malware process.
3. Suspend the process.
4. After this, we can execute any exe file (even our scanner or updater).

Trick 3: Using the Recovery Console
1. Restart the infected system and boot from CD.
2. Choose Recovery Console (usually at the Main Menu, hit 'r').
3. It requires the Administrator password to log on.
4. Once logged in, choose the drive where Windows is installed.
5. Delete the malware file (del {path+filename}).
6. Exit and restart the system.

Trick 4: Using the Activation Key
1. Click on "Activate Smart Fortress" and then on "Click Here if you have an activation key".
2. Enter the Activation Key: AA39754E-715219CE.
3. Once it is activated, we can uninstall the rogue application. It also permits any application to execute.
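The registry entries listed under "Characteristics and Symptoms" and the kill-delete-clean sequence of Trick 1 can be checked and carried out from PowerShell. The script below is an added example written for this page, not code from the McAfee advisory: it inspects the per-user .exe file association in HKCU, reports the ProgID and command it points at, and (in the Remove function) stops the process running from that image path, deletes the file, and removes the two HKCU override keys so .exe falls back to the machine-wide handler. The function names, the -WhatIf support and the decision to only report (not delete) the RunOnce value are this example's own choices; the key paths are the ones the advisory lists.

```powershell
# Added example (not from the advisory). Inspects and optionally undoes the per-user
# .exe association hijack that Smart Fortress 2012 installs under HKCU\Software\Classes.

function Get-ExeAssociationHijack {
    # Normally HKCU\Software\Classes\.exe does not exist at all: the .exe handler
    # ("exefile") is defined machine-wide under HKLM. A per-user override pointing at a
    # random ProgID is the indicator this function looks for.
    $exeKey = 'HKCU:\Software\Classes\.exe'
    if (-not (Test-Path -Path $exeKey)) { return $null }

    $progId = (Get-Item -Path $exeKey).GetValue('')
    if (-not $progId -or $progId -eq 'exefile') { return $null }

    $cmdKey  = "HKCU:\Software\Classes\$progId\shell\open\command"
    $command = if (Test-Path -Path $cmdKey) { (Get-Item -Path $cmdKey).GetValue('') } else { $null }

    # Pull the image path out of a value shaped like:  "C:\ProgramData\xyz\xyz.exe" -s "%1" %*
    $imagePath = $null
    if ($command -match '^\s*"?(?<path>[^"]+?\.exe)"?') {
        $imagePath = [Environment]::ExpandEnvironmentVariables($Matches['path'])
    }

    [PSCustomObject]@{
        ProgId    = $progId
        Command   = $command
        ImagePath = $imagePath
    }
}

function Remove-ExeAssociationHijack {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $hijack = Get-ExeAssociationHijack
    if (-not $hijack) {
        Write-Output 'No per-user .exe association override found.'
        return
    }
    Write-Output "Per-user .exe handler '$($hijack.ProgId)' -> $($hijack.Command)"

    if ($hijack.ImagePath) {
        # 1. Stop the rogue process (what "taskkill /f /pid" does in Trick 1). The try/catch
        #    guards against processes whose image path cannot be read.
        $rogue = Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $p = try { $_.Path } catch { $null }; $p -and ($p -ieq $hijack.ImagePath) }
        foreach ($proc in $rogue) {
            if ($PSCmdlet.ShouldProcess("$($proc.Name) (PID $($proc.Id))", 'Stop process')) {
                Stop-Process -Id $proc.Id -Force
            }
        }
        # 2. Delete the dropped file.
        if ((Test-Path -LiteralPath $hijack.ImagePath) -and
            $PSCmdlet.ShouldProcess($hijack.ImagePath, 'Delete file')) {
            Remove-Item -LiteralPath $hijack.ImagePath -Force
        }
    }

    # 3. Remove the per-user override keys; .exe then resolves to the HKLM "exefile" handler again.
    foreach ($key in @('HKCU:\Software\Classes\.exe', "HKCU:\Software\Classes\$($hijack.ProgId)")) {
        if ((Test-Path -Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }

    # 4. The RunOnce value has a random name, so it is listed for manual review rather than deleted.
    $runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (Test-Path -Path $runOnceKey) {
        $runOnce = Get-Item -Path $runOnceKey
        foreach ($name in $runOnce.GetValueNames()) {
            Write-Output ('RunOnce entry to review: {0} = {1}' -f $name, $runOnce.GetValue($name))
        }
    }
}

# Usage: preview every action first, then run it for real.
#   Get-ExeAssociationHijack
#   Remove-ExeAssociationHijack -WhatIf
#   Remove-ExeAssociationHijack
```

Because the rogue's hook is the .exe file association, start powershell.exe from the renamed cmd.exe session of Trick 1 (or after suspending the process in Process Explorer as in Trick 2) rather than from the Start menu. Run Get-ExeAssociationHijack first to confirm the override exists, then Remove-ExeAssociationHijack -WhatIf to see exactly which process, file and keys would be touched before doing it. The HKEY_CLASSES_ROOT and HKEY_USERS entries from the advisory are views of the same HKCU data and are cleaned by removing the HKCU keys; the ContextMenuHandlers CLSID is left alone, since it is not one of the override keys.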
