smart fortress 2012

new program new threat

  • This topic is locked
26 replies to this topic

#1 scotthocum

Posted 27 February 2012 - 06:06 PM

Have you heard of a new virus called Smart Fortress 2012? I just got it on a computer, but nothing will catch it.

#2 grinler

Posted 27 February 2012 - 06:12 PM

Sounds new. Can you harvest some samples, zip em up, and upload them here?

--
Lawrence Abrams

BleepingComputer.com


#3 scotthocum

Posted 27 February 2012 - 06:14 PM

What kind of samples should I get? Thanks

#4 Soleil120

Posted 27 February 2012 - 06:23 PM

My wife's computer got it an hour ago too and I have no idea how to get rid of it.

#5 Estevek

Posted 27 February 2012 - 06:24 PM

I just got infected by this as well. Rather nasty. Let me know what I can send along to diagnose. I am on a Windows 7 Pro machine.

#6 supertommy6

Posted 27 February 2012 - 06:28 PM

A user on my network contracted this today as well. Windows Vista Business. Let me know if there's anything I can do to help get rid of this thing!

#7 cwq1

Posted 27 February 2012 - 06:31 PM

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching, among other things. So far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point, I'm hoping.

Attached Files



#8 Norseman

Posted 27 February 2012 - 06:33 PM

I just got it on my older computer that I use for business (CAD work), so I really need to get after this one. It's an HP XW6400 running a WinXP 64-bit system, and unfortunately I had just shut down my anti-virus program in order to repair an un-registered .dll in my SolidWorks CAD program. This really sucks!

#9 d3nm4rk

Posted 27 February 2012 - 06:35 PM

On a Windows XP machine it was under \Documents and Settings\All Users\Application Data\<random-alpha-numeric-string>. Deleting it seems to be working for now; got a virus scan running now. I may just end up re-imaging the computer to completely get rid of it.

#10 grinler

Posted 27 February 2012 - 06:35 PM

Checking out samples now. We should be able to get you guys fixed up soon :)

--
Lawrence Abrams

BleepingComputer.com


#11 Norseman

Posted 27 February 2012 - 06:36 PM

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching, among other things. So far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point, I'm hoping.


I have not been able to boot into safe mode. Is it possible this trojan could be preventing that? I know whenever I try to open the uninstall program option in Control Panel, it blocks it, as well as several other programs like EndItAll and my AV program.

#12 cwq1

Posted 27 February 2012 - 06:37 PM

I noticed another user's post had run their file through this website. Here are the results for the file I posted:

https://www.virustot...sis/1330385554/

8 / 43 scanners recognize it as something. I guess I'll go try the tools that found it, to see if they will remove it.

#13 Fatdcuk

Posted 27 February 2012 - 06:41 PM

Hi folks and welcome to the MBAM Research Center. :)

Looks like you all have something that is very new; the only Google result for the name is pointing back to this forum, so they don't come any hotter off the press than this.


We don't usually work on malware removal in this part of the forums, so for those that need further assistance, please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.
One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact support@malwarebytes.org and one of our support staff members will assist you directly.

If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact corporate-support@malwarebytes.org and include full contact details along with your Reference # when you do to ensure that you receive prompt assistance.

Thank you :)
Ade Gill
Research Engineer

#14 Fatdcuk

Posted 27 February 2012 - 06:43 PM

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching, among other things. So far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point, I'm hoping.

I noticed another user's post had run their file through this website. Here are the results for the file I posted:

https://www.virustot...sis/1330385554/

8 / 43 scanners recognize it as something. I guess I'll go try the tools that found it, to see if they will remove it.


Looking into this data now guys... Thank you for your assistance :)
Ade Gill
Research Engineer

#15 Estevek

Posted 27 February 2012 - 06:47 PM

Back again... on my Win 7 Pro machine I was unable to boot in safe mode without the infection. I did a restore and now I am operating again BUT nervous about what, where and when this occurred.

#16 Cerbrus

Posted 27 February 2012 - 06:49 PM

I got the virus just now.
For me (Win XP 32bit), it's located in C:\Documents and Settings\All Users\Application Data\F4D561B4000BEA160003C315D151FC84\
I'm guessing the last bit is random, but you never know...

It's 2 files:
F4D561B4000BEA160003C315D151FC84.exe (360.448 bytes)
And just plain
F4D561B4000BEA160003C315D151FC84 (328 bytes)

I can't remove the .exe, but I can rename it. It'll rename itself back, though.
The other file can be removed, but gets remade.

So, any idea how to remove this thing? It shuts down everything I try to start.
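
Added example, not part of the original thread or any poster's code: a read-only Python check for the on-disk layout described in the posts above (a folder whose own name is repeated as `<name>.exe`, optionally with an extensionless `<name>` file beside it). The 32-hex-character pattern is an assumption drawn from the single folder name quoted in the thread; `find_suspect_dirs` and `demo` are hypothetical names, and the demo tree is constructed from placeholder files.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the one folder name quoted in the thread is 32 hex characters.
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def find_suspect_dirs(root):
    """List folders directly under root that contain <folder-name>.exe,
    noting whether an extensionless <folder-name> file sits beside it."""
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            files = {f.name.lower(): f for f in d.iterdir() if f.is_file()}
        except OSError:          # folder permissions may deny listing
            continue
        name = d.name.lower()
        exe = files.get(name + ".exe")
        if exe is None:
            continue
        findings.append({
            "dir": d.name,
            "hex32_name": bool(HEX32.match(d.name)),  # stronger signal
            "exe_size": exe.stat().st_size,
            "companion_file": name in files,          # the small data file
        })
    return findings

def demo():
    """Scan a constructed tree of placeholder files (no real samples)."""
    name = "F4D561B4000BEA160003C315D151FC84"   # folder name from the thread
    layout = {
        name: [name + ".exe", name],    # layout reported in the thread
        "q7Zk2": ["q7Zk2.exe"],         # same shape, non-hex name (constructed)
        "Adobe": ["reader.exe"],        # ordinary folder, should not match
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, names in layout.items():
            (Path(tmp) / folder).mkdir()
            for n in names:
                (Path(tmp) / folder / n).write_bytes(b"\0" * 16)
        return find_suspect_dirs(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system the roots to pass are the two locations posters reported, `C:\ProgramData` and `C:\Documents and Settings\All Users\Application Data`. Ordinary software can also ship `Name\Name.exe`, so a hit without the hex-style name is a lead to inspect, not a verdict.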

#17 grinler

Posted 27 February 2012 - 06:53 PM

Back again... on my Win 7 Pro machine I was unable to boot in safe mode without the infection. I did a restore and now I am operating again BUT nervous about what, where and when this occurred.


I can almost guarantee you are running outdated programs on your computer, which causes a hacked website or malvertisement to slip this goody onto your OS.

My suggestion is to use Secunia PSI to check for outdated programs. I have a guide on that here.

http://www.bleepingc...th-secunia-psi/

--
Lawrence Abrams

BleepingComputer.com


#18 Fatdcuk

Posted 27 February 2012 - 07:01 PM

I got the virus just now.
For me (Win XP 32bit), it's located in C:\Documents and Settings\All Users\Application Data\F4D561B4000BEA160003C315D151FC84\
I'm guessing the last bit is random, but you never know...

It's 2 files:
F4D561B4000BEA160003C315D151FC84.exe (360.448 bytes)
And just plain
F4D561B4000BEA160003C315D151FC84 (328 bytes)

I can't remove the .exe, but I can rename it. It'll rename itself back, though.
The other file can be removed, but gets remade.

So, any idea how to remove this thing? It shuts down everything I try to start.


There is more to it than just that. It has created an execution hijack in the registry so that it launches itself every time you try to run something new.

Trying to work a fix for it :)
Ade Gill
Research Engineer

#19 Cerbrus

Posted 27 February 2012 - 07:01 PM

I managed to change the virus' folder's security settings to only display the folder, no read access. (In safe mode)
It did prevent the virus from starting on a reboot, now I've just gotta get rid of it.

#20 Cerbrus

Posted 27 February 2012 - 07:02 PM

Or at least, it looks like it didn't start (How do I edit posts here?)




