Wednesday, February 08, 2012

Smart Protection 2012 (FakeAV) - 02.08.2012 - Analysis and Removal

This was performed on a virtual machine


I found this one very similar to Security Sphere 2012. 
Full report with video here. Upon infection, the screen above appears and starts to "scan" your system automatically. Whenever the "scan" is finished, the screenshot to the right will appear. These are all fake notices that your PC is infected as Smart Protection 2012 is not legitimate to begin with.
A tip, if you did not install it and execute it yourself, a red flag
should go off that this is all faked and created by malware coders.
This one, however, is not very difficult to remove.
Below are other prompts you may be presented with.

 






__________________________________________________________________________________
RogueKiller





¤¤¤ Registry Entries: 1 ¤¤¤
[SUSP PATH] HKCU\[...]\RunOnce : 529C538A01ACD5B85EA115DBD151FC4E (C:\Documents and Settings\All Users\Application Data\529C538A01ACD5B85EA115DBD151FC4E\529C538A01ACD5B85EA115DBD151FC4E.exe) -> DELETED
__________________________________________________________________________________
MBAM





Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protection 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\529C538A01ACD5B85EA115DBD151FC4E\529C538A01ACD5B85EA115DBD151FC4E.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools





 "C:\Documents and Settings\All Users\Application Data\"
529C53~1      Feb  8 2012              "529C538A01ACD5B85EA115DBD151FC4E"

"C:\Documents and Settings\infectedxp\Desktop\"
smartp~1.lnk  Feb  8 2012        1328  "Smart Protection 2012.lnk"

"C:\Documents and Settings\infectedxp\Start Menu\Programs\"
SMARTP~1      Feb  8 2012              "Smart Protection 2012"
__________________________________________________________________________________
Misc notes:

You will need a tool like RogueKiller to stop the bad process first as Task Manager will be reported as infected.
Even applications like Paint (mspaint.exe) will report as infected.

Most of these types of infections nowadays are coming bundled with a rootkit e.g. ZeroAccess.
The FakeAV itself is not intended to slow your PC down, just there to attempt to scam you for financial information.
A rootkit however, will dramatically slow down your PC or in worst case scenario cause the PC not to boot.

I recommend checking for rootkits first with TDSSKiller. Contrary to popular belief, I tend to run ComboFix as one of my very last scans. I do not use ComboFix as a rootkit scanner, rather I prefer to use it to remove some of the final traces of a ZeroAccess rootkit.
___________________________________________________________________________________

No comments:

Post a Comment