Smart Security
Posted: March 10, 2010
Threat Metric
The fields on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Threat Level: | 10/10 |
---|---|
Infected PCs: | 426 |
First Seen: | March 11, 2010 |
Last Seen: | April 29, 2023 |
OS(es) Affected: | Windows |
Smart Security (or SmartSecurity) is a rogue anti-spyware application and a clone of Security Tool.
Smart Security is a variant of FakeRean and belongs to the WinPCDefender family. Researchers have also found out that hackers cloned Smart Security from the well-known Security Tool in early 2010. Similar threats are My Security Shield, Windows Custom Management, Windows Defence Unit, Windows AntiHazard Helper, among others.
Aliases of Smart Security are:
Trojan:Win32/Winwebsec
Win32:PUP-gen
FraudTool.Win32.RogueSecurity
Win32/Adware.SecurityTool.AC
Suspicious.Insight
Trojan.Win32.FraudPack.almf
Trojan.Win32.FraudPack.alni
Smart Security Claims You Have Dangerous Threats on Your Computer
Smart Security usually enters a computer through a Trojan. However, users can also download the malicious application deliberately from a website that pretends to perform free online anti-malware scans, in the belief that it is legitimate software that can clean up their PC. The malware can also use video codecs and Flash updates to spread the infection. Once the computer is infected, the malware displays a window with fake scan results, claiming that it has found various worms, Trojans and other malicious software on your PC that need to be removed immediately.
None of these infections actually exist on the victim's computer, and even if they did, the malware would not be able to detect them, as it has no spyware detection and removal engine. Yet Smart Security will aggressively try to persuade you to purchase its "licensed" version in order to get all the threats removed. It will bombard you with pop-ups, system scans and security warnings that claim a malicious program has modified critical system files on your computer. You can also get system tray balloons saying that you have been hacked and are currently connected to a remote host, with a particular name and IP address, that is receiving all your sensitive data, such as passwords and credit card numbers. Furthermore, Smart Security can configure Internet Explorer to use a proxy server, and the browser will redirect you to pages that could be potentially harmful or that benefit the malware creators.
There is also a legitimate program from ESET called Smart Security, and though the windows that both applications display on the desktop look quite similar, users can easily distinguish the fake from the genuine one. The malware's pop-up window may show the Windows logo and try to mimic a Microsoft program, whereas the legitimate ESET window has "ESET Smart Security" in the top left corner.
You Can Find Smart Security's Traces on Your PC
The malware will change your registry so that it runs each time you boot your computer. It also creates a "smart.exe" file in your "Common Applications Data" folder and a "Smart Security.lnk" in your "Desktop" folder. Further files associated with the malware are found in your "Program Files," such as "unins000.dat" and "unins000.exe."
Smart Security makes the following entries in your Windows Registry:
HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\SMae0_289.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=289&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:25567"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Security"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" ="1"
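A defender-side check for the registry changes listed above, as an added example that is not part of the original page or of any vendor tool: it parses text in `reg export` format and reports which of the listed settings are present. The sample export, the function names and the finding labels are constructed for illustration, and the data of the Run value is an assumption.

```python
import re

# Loopback host in a ProxyServer value such as "http=127.0.0.1:25567".
LOOPBACK = re.compile(r"(?:^|[=/])(?:127\.\d+\.\d+\.\d+|localhost):\d+", re.I)

# Constructed sample in `reg export` format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:25567"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Smart Security"="C:\\Program Files\\Smart Security\\SmartSecurity.exe"
'''

def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: data string}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            data = m.group(2)
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))             # dword:00000001 -> "1"
            elif len(data) > 1 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            current[m.group(1).lower()] = data
    return keys

def find_tampering(text):
    """Flag the setting changes listed on this page; returns sorted labels."""
    found = set()
    for key, v in parse_reg_export(text).items():
        if key.endswith(r"\currentversion\internet settings"):
            if v.get("proxyenable") == "1" and LOOPBACK.search(v.get("proxyserver", "")):
                found.add("loopback-proxy")   # ProxyEnable alone is too common to flag
        elif key.endswith(r"\internet explorer\download"):
            if v.get("checkexesignatures", "").lower() == "no":
                found.add("exe-signature-check-off")
            if v.get("runinvalidsignatures") == "1":
                found.add("invalid-signatures-allowed")
        elif key.endswith(r"\currentversion\run") and "smart security" in v:
            found.add("run-key-autostart")
        elif key.endswith(r"\policies\explorer") and v.get("disallowrun") == "1":
            found.add("disallowrun-enabled")
    return sorted(found)
```

A file produced by `reg export` is UTF-16 encoded, so decode it before passing its text to `find_tampering`. Debugging proxies and some security products also set a loopback proxy, so treat that finding as a lead to confirm against the other traces.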
More files and folders that the malware creates on your hard disk can look like these:
C:\Program Files\Smart Security
C:\Program Files\Smart Security\SmartSecurity.exe
C:\Program Files\Smart Security\unins000.dat
C:\Program Files\Smart Security\unins000.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Smart Security
C:\Documents and Settings\All Users\Application Data\a322fb\
C:\Documents and Settings\All Users\Application Data\a322fb\SMfe2_145.exe
C:\Documents and Settings\All Users\Application Data\a322fb\537.mof
C:\Documents and Settings\All Users\Application Data\a322fb\mozcrt19.dll
C:\Documents and Settings\All Users\Application Data\a322fb\SMS.ico
C:\Documents and Settings\All Users\Application Data\a322fb\sqlite3.dll
C:\Documents and Settings\All Users\Application Data\a322fb\BackUp\
C:\Documents and Settings\All Users\Application Data\a322fb\SMSSys\
C:\Documents and Settings\All Users\Application Data\a322fb\Quarantine Items\
C:\Documents and Settings\All Users\Application Data\SMUVZICOS\
%UserProfile%\Application Data\Smart Security\
%UserProfile%\Application Data\Smart Security\cookies.sqlite
%UserProfile%\Application Data\Smart Security\Instructions.ini
%UserProfile%\My Documents\hijackthis.log
%UserProfile%\Recent\ANTIGEN.drv
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\eb.dll
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\fan.drv
%UserProfile%\Recent\fan.sys
%UserProfile%\Recent\fix.exe
%UserProfile%\Recent\sld.drv
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\PE.sys
If you are infected with Smart Security, you should also notice processes like SmartSecurity.exe, unins000.exe, SMf30_289.exe, PE.exe and std.exe in your Task Manager. Smart Security also creates a mutex named "Smart Security_MUTEX" to ensure that no more than one copy runs at any given time.
Further Problems Smart Security Can Cause on Your Machine
Smart Security can harm you with more than a barrage of bogus security alerts. It infects your computer with a dangerous Trojan that can corrupt your files, threaten your privacy and send personal information to cyber criminals, who can use it for illegal purposes. The malware compromises the security tools on your PC and makes it vulnerable to various kinds of add-ons, spyware and other types of malware. It can open a backdoor on your computer that would allow hackers remote access to all your data and let them observe your activities. A slower computer, blue screens of death and system crashes are other symptoms that may be traced back to this rogueware. Data loss and identity theft could be further consequences of this Trojan's actions.
As Smart Security bundles with the kernel part of your system, it is not easy to remove. Also, the infection symptoms could get worse over time, as this particular threat is able to evolve and add new characteristics, thus making removal even harder. Luckily, there are professional anti-malware programs that have proven successful in cleaning PCs of the Smart Security rogueware.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

setup[1].exe
File name: setup[1].exe
Size: 2.06 MB (2065873 bytes)
MD5: ae33733c9d7cc727708274aeaa148a88
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 11, 2010

SmartSecurity.exe
File name: SmartSecurity.exe
Size: 1.66 MB (1669120 bytes)
MD5: e1643c9adeb56656389eee0d444dcb1a
Detection count: 85
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 11, 2010

%CommonAppData%\smart.exe
File name: %CommonAppData%\smart.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%Desktop%\Smart Security.lnk
File name: %Desktop%\Smart Security.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
Registry Modifications
File name without path:
Smart Security.lnk
SmartSecurity.exe
Additional Information
# | Message |
---|---|
1 | Security Warning
Malicious program has been detected. Click here to protect your computer. |
2 | iexplore.exe Can Not Start
File iexplore.exe is infected by W32/Blaster.worm. Please activate Smart Security to protect your computer. |
Smart Security took over my computer and hopefully Spyhunter has removed it
Spy Hunter removed Smart Security and saved me a lot of $