SmitFraud

From Wikipedia, the free encyclopedia

SmitFraud variants often change a computer's background to a fake Blue Screen of Death (similar to the real one depicted above) to trick users into buying fake anti-spyware programs.
SmitFraud, or W32/SmitFraud.A, is a type of spyware that installs itself on a computer via adware, without the user's knowledge. Most of the time, it installs itself after the user installs a fake codec, such as BrainCodec, PCodec or VideoKeyCodec. A user may be on a completely safe site when a pop-up suddenly appears; the malware then alters the registry and disables regedit and Task Manager. It is also embedded in certain programs, such as iVideo, and in many music files downloadable from music-sharing programs and torrents.[1] SmitFraud infects a Windows DLL with a computer virus [2], and typically changes the infected computer's desktop background into a Blue Screen of Death.

The term SmitFraud is now used [3] to describe infections in which users receive fake alerts from software that lures them into installing an affiliated fake or rogue anti-spyware program, with or without the user's knowledge.

Removal and protection

Spybot detects but cannot remove another variant of SmitFraud. In this variant, the files core.sys and core.cache.dsk are found in the C:\Windows\System32\Drivers folder, and there are two corresponding registry keys. This variant produces pop-up ads that pop-up blockers cannot suppress. Ad-Aware and regular antivirus software cannot remove these files or registry keys because they are loaded into RAM early in the boot process. Once a file containing a SmitFraud virus is in RAM, the virus code is executed along with the file it is attached to and makes copies of itself, and the copies attach themselves to other files in physical memory (RAM). Files that reside in the boot sector of the hard disk are often a prime target for this self-proliferation. The newly infected files are then saved (written) to the hard disk, a diskette or any other medium in the normal course of using the computer, and the attached virus code remains a part of them. One solution is to boot with DOS or Linux, then remove the files, and afterwards remove the registry keys. Another solution is to reformat the computer.
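
The boot-from-Linux removal step above, as an added example (not part of the original article or of any tool it names): a shell script that finds core.sys and core.cache.dsk in the Drivers folder of a mounted Windows volume, matching names case-insensitively, and moves them to a quarantine directory with a SHA-256 manifest rather than deleting them outright. The function names, the quarantine approach and the mount-point argument are assumptions; the registry keys are not handled because the article does not name them.

```sh
#!/bin/sh
# Added example: run from a Linux live system with the Windows volume mounted.
# File and folder names come from the article; everything else is assumed.

# Resolve ROOT/comp1/comp2/... ignoring case, one component at a time,
# because the on-disk case of Windows folder names varies (WINDOWS, system32).
find_ci() {
    dir=$1; shift
    for comp in "$@"; do
        dir=$(find "$dir" -mindepth 1 -maxdepth 1 -type d -iname "$comp" | head -n 1)
        [ -n "$dir" ] || return 1
    done
    printf '%s\n' "$dir"
}

# Move the two driver files into QUARANTINE_DIR, recording a hash of each.
# Prints the number of files moved; returns 2 if the Drivers folder is missing.
quarantine_smitfraud_files() {
    root=$1; qdir=$2; found=0
    drivers=$(find_ci "$root" Windows System32 Drivers) || {
        echo "Drivers folder not found under $root" >&2
        return 2
    }
    mkdir -p "$qdir"
    for name in core.sys core.cache.dsk; do
        f=$(find "$drivers" -mindepth 1 -maxdepth 1 -type f -iname "$name" | head -n 1)
        [ -n "$f" ] || continue
        sha256sum "$f" >> "$qdir/manifest.sha256"   # keep a record of what was moved
        mv -- "$f" "$qdir/"
        found=$((found + 1))
    done
    echo "$found"
}

# Usage: sh quarantine.sh /mnt/windows /root/smitfraud-quarantine
if [ "$#" -eq 2 ]; then
    quarantine_smitfraud_files "$1" "$2"
fi
```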

SmitFraudFix is a popular tool that can be employed in the complex removal process [4], but it must be used with care [5]. It covers a wide variety of SmitFraud variants.

To protect against viruses, users should employ properly installed virus protection software, which scans RAM constantly and stops any procedure that may allow a virus to enter. They should also write-protect all diskettes, check all outside diskettes for viruses before trying to use them, and be cautious about where they download and accept files from on the Internet.

Example: ZTreeWin_1.5.zip contains a crack to register ZtreeWin 1.51. The included files are keygen.exe, one.nfo, file_id.diz and 'RUN.EXE'. It is the 'RUN.EXE' that contains the rogue program.

Notes

  1. PC Hell: How to Remove SmitFraud variants like WinAntivirus Pro 2007, PestCapture, and more
  2. Encyclopedia. Panda Security
  3. How To Remove The Smitfraud / Generic Zlob / Quicknavigate / Virtual Maid
  4. Security Ticker: Easy Fix For Spyware and Virus Alert
  5. SmitFraudFix Tutorial