Killing Trojan-Spy.HTML.Smitfraud.C
A client of mine got this nasty spyware infection this morning and called me in an emergency to fix the mess that had occurred. I decided to compile all of my research here for people’s use if they get it; I’m not going into a step-by-step deal; I will assume that you know how to use the tools I’ve listed, as well as the Registry Editor, task manager, and Windows. (Simply put: not for newbies.)
A bit of research led me to a few antivirus sites, such as Symantec’s and Kaspersky’s VirusList. Since I don’t want to list (and don’t remember) every link I checked while researching, here’s what I’ve got as background information on Smitfraud and its associated trojans:
Name: Trojan-Spy.HTML.Smitfraud.C
Purpose: Trojan / Spyware, for financial fraud and identity theft
Payload:
- Opens your computer to spyware infections from “free pharmacy”, “free casino”, and the like.
- Installs a fake virus scanner, “IGuard”, on the PC.
- Creates C:\wp.bmp and C:\wp.exe.
- Creates registry folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Inserts registry values “1” at NoDispBackgroundPage and NoDispAppearancePage. Also creates a value linking to C:\wp.bmp, all in the above registry folder.
- Runs a process, wp.exe, which (I think) contains a keylogger.
- Locks IE from user access.
- Changes desktop background to C:\wp.bmp, which looks like a BSOD (Blue Screen of Death), announcing its presence. It asks you to scan with any available tools (hint hint, its tool).
- Does not allow user to change Desktop Properties.
- Monitors and kills Internet Explorer processes.
- Opens web pages that masquerade as reputable banks by using the Internet Explorer URL Canonicalization Exploit, in the hope of gathering financial information.
And that’s everything I’ve found that it does. It’s not fun to clean up after, either. You will need a good set of utilities on a CD-ROM. Here is what I had handy:
- Pocket Killbox
- Ad-Aware SE
- Ad-Aware SE reference file (manual)
- Spybot Search and Destroy
- Silent Runners VBS
- CWShredder
- HiJackThis!
- lopremover
- DelDomains INF
I burned all of that onto a CD before I even saw the host machine. I also took a printout of this thread on Geeks2Go, which contains a resolution to SmitFraud. It’s 34 pages long.
Anyway, here’s your step-by-step playbook to killing SmitFraud. Please note that my SmitFraud variant was fairly new and hadn’t infected my machine with other bits of its spyware, so your mileage may vary.
:: Boot the machine, disconnected from the network
Keeping the machine disconnected keeps it from phoning home or the like.
:: Go to Add/Remove Programs, and Remove Security IGuard
This is a fake antivirus program that it puts on your PC so you feel safe when nothing shows up. It’s all a ploy. It shouldn’t exist.
:: Stop System Restore
Just like I said. Dive into the control panel, open the System Tab, and turn off System Restore.
:: Delete the wp.bmp file in C:\
Just delete it and empty the recycle bin. If you want to see what we’re doing next, just try to delete wp.exe. You won’t get anywhere close.
:: Reboot the machine into Safe Mode, without networking
If you don’t know how to do this, Symantec does.
:: Install all your system tools as Administrator
Install SpyBot SD, Ad-Aware, etc. Make sure you use your manual definitions files on the CD, not the ones in the install packages.
:: Run Ad-Aware.
Delete EVERYTHING it comes up with.
:: Run Spybot-SD.
Delete EVERYTHING it, too, comes up with.
:: Run CWShredder.
Let it kill anything it finds.
:: Run lopremover.exe
It may find spyware not associated with Smitfraud. Let it.
:: Delete C:\wp.exe using Pocket Killbox.
wp.exe isn’t so strong now, is it? Set to delete on reboot as well.
:: Reboot into safe mode with networking.
wp.exe is gone. As is wp.bmp. har har.
:: Open the registry editor and kill the registry keys listed.
Delete the whole folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Most home/small-office users have no policies anyway. If you do, you can fix this one yourself and don’t need this tutorial.
:: Right-click on deldomains.inf and click “install”
It will destroy any bad hosts that you may be attempting to connect to.
:: Copy the Silent Runners VBS to the Desktop and run it.
Examine the log. You shouldn’t have any references to wp.exe.
:: Reboot the computer normally.
Reset your Desktop properties to the wallpaper you want.
:: Run the Silent Runners VBS from the Desktop.
Once again, you should have no references to wp.exe in processes running.
:: Update all virus definitions.
Update all your virus definitions for Norton and the like.
:: Update all spyware removal definitions.
Update Ad-Aware and Spybot-SD from their servers.
:: Scan for viruses and adware.
You shouldn’t find much of anything, if anything at all.
:: Reboot the machine.
Everything *should* be okay.
:: Open Internet Explorer and run Windows Update.
Fix that exploit, already, kids.
:: Reboot the machine, normally.
You should have killed Smitfraud properly.
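The indicators in the payload list and the manual registry/file steps above can be checked (and optionally undone) in one pass. This is an added example, not part of the original post or any of the listed tools; it assumes an elevated PowerShell session, and since the page does not name the registry value that points at wp.bmp, it searches every value in the policy key for that path instead of guessing a name.

```powershell
# Added example: audit the Smitfraud indicators named in this article and,
# with -Remove, mirror the manual cleanup steps. Assumes an elevated session.
param([switch]$Remove)

$files    = 'C:\wp.bmp', 'C:\wp.exe'
$polKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polVals  = 'NoDispBackgroundPage', 'NoDispAppearancePage'
$findings = @()

# 1. Dropped files and the running wp.exe process
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}
$proc = Get-Process -Name 'wp' -ErrorAction SilentlyContinue
if ($proc) { $findings += "process running: wp.exe (PID $($proc.Id -join ','))" }

# 2. Policy key: the two lock-out values plus any value pointing at wp.bmp
#    (value name for the wallpaper link is not given on the page, so match on content)
if (Test-Path $polKey) {
    $props = Get-ItemProperty -Path $polKey
    foreach ($v in $polVals) {
        if ($props.$v -eq 1) { $findings += "policy set: $v = 1" }
    }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -match 'wp\.bmp') {
            $findings += "policy value $($p.Name) -> $($p.Value)"
        }
    }
}

# 3. Fake scanner ("Security IGuard") listed under Add/Remove Programs
$uninst = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*IGuard*' } |
    ForEach-Object { $findings += "Add/Remove entry: $($_.DisplayName)" }

if (-not $findings) { Write-Output 'No Smitfraud indicators found.'; return }
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remove) {
    # Same order as the manual steps: stop wp.exe, drop the policy key, delete files.
    if ($proc) { Stop-Process -Id $proc.Id -Force }
    if (Test-Path $polKey) { Remove-Item -Path $polKey -Recurse -Force }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            Remove-Item -LiteralPath $f -Force -ErrorAction Continue
        }
    }
    Write-Output 'Removal attempted; reboot into Safe Mode and re-run to confirm.'
}
```

Run it once before cleanup to record what is present, then again after the Safe Mode reboot; a clean second run should report no indicators, matching the "no references to wp.exe" check the Silent Runners log is used for above.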
Comments
Paterick
posted 39 years ago
Thank you for your help with the SmitFraud virus. I work for an ISP and I also work on computers, and this was a very helpful, informative page. If you ever need some help, feel free to email me.
Mircea
posted 39 years ago
Another solution seems to work, also: Restoring Windows XP (I suppose this applies to 2000, too) to a previous restore point.
Best regards,
Mircea