Trojan.Fakesafe
Posted: May 20, 2013
| Threat Level: | 9/10 |
|---|---|
| Infected PCs: | 5 |
| First Seen: | May 20, 2013 |
| Last Seen: | March 29, 2021 |
| OS(es) Affected: | Windows |
Trojan.Fakesafe or TROJ_FAKESAFE.SMA is a backdoor Trojan that gives criminals unauthorized control over your computer, with functions potentially including installing other malware, stealing passwords from popular applications and sending/receiving information from a remote Command & Control server. Unlike most kinds of malware, which are distributed in a general and untargeted way, Trojan.Fakesafe is distributed through targeted attacks against specific companies and government agencies. SpywareRemove.com malware experts warn any likely victims of Trojan.Fakesafe's attack campaign to be careful about unusual e-mail messages, which can be used to install Trojan.Fakesafe through a Microsoft Office exploit. Since Trojan.Fakesafe is a high-level threat that will be installed with several other PC threats, you should also use a qualified anti-malware product to delete Trojan.Fakesafe.
Trojan.Fakesafe: Making the Internet Unsafe with Pretensions of Doing the Opposite
Trojan.Fakesafe, part of the Safenet attack campaign (unrelated, it must be stressed, to the PC security company of the same name), uses multiple misleading file names to make its intentions seem more benevolent than they really are. Components like 'SafeCredential.DAT' (Trojan.Fakesafe's configuration file) and similar files are designed to look harmless, but actually include backdoor functions that can allow criminals to control your computer.
Trojan.Fakesafe's infection vectors consist of targeted e-mail attacks that distribute separate Trojans. These Trojans are installed through a Microsoft Office exploit that allows the triggering of system state corruption through specially-crafted documents (and, in other cases, malicious websites). SpywareRemove.com malware experts warn that the following versions of Office are vulnerable to this attack, which installs Trojan.Fakesafe without your consent as soon as the Trojan-disguised-as-a-document is opened: 2003 SP3, 2007 SP2, 2007 SP3, 2010 Gold and SP1.
Once its various files are installed on your computer, Trojan.Fakesafe makes contact with a remote server. SpywareRemove.com malware experts haven't yet discerned the major goals behind Trojan.Fakesafe's attack campaign, but can point to major functions – such as Trojan.Fakesafe's utilization of a tool for stealing any Internet Explorer or Firefox-stored passwords – that make Trojan.Fakesafe a considerable danger to your PC's privacy. Remote Desktop Protocol or RDP credentials also may be stolen.
Real PC Safety to Deal with a Fake 'Safe' Program
Trojan.Fakesafe's attacks have been seen in a diverse spread of regions, from the US and Canada to India and Vietnam. Employees and workers at industries that are likely to be targeted by Trojan.Fakesafe's e-mail attacks should be cautious about opening unusual e-mail attachments for Microsoft Office, and always should keep their software updated to minimize any exploited vulnerabilities. Competent anti-malware programs should be able to detect the malicious nature of files that install Trojan.Fakesafe, such as Trojan.Mdropper and Trojan.Dropper, before Trojan.Fakesafe is installed – provided that you scan the files before you open them.
Trojan.Fakesafe may aim to compromise your PC and allow criminals to gain access to confidential information on it, but Trojan.Fakesafe's attacks aren't tied to any specific symptoms. SpywareRemove.com malware experts warn that you should expect to detect a Trojan.Fakesafe infection only with appropriate anti-malware products, which should also be able to remove Trojan.Fakesafe when needed.
Technical Details
File System Modifications
The following files were created in the system:

File name: %ProgramFiles%\Internet Explorer\SafeNet\SafeExt.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

File name: %Temp%\SafeNet\SafeExt.dll
Mime Type: unknown/dll
Group: Malware file

File name: %Temp%\SafeNet\SafeExt.org
Mime Type: unknown/org
Group: Malware file

File name: %Temp%\SafeNet\SafeCredential.DAT
File type: Data file
Mime Type: unknown/DAT
Group: Malware file

File name: %ProgramFiles%\Internet Explorer\SafeNet\SafeCredential.DAT
Mime Type: unknown/DAT
Group: Malware file

File name: %Temp%\_Rm.bat
File type: Batch file
Mime Type: unknown/bat
Group: Malware file

File name: %Temp%\SafeNet\kernel.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

File name: smcs.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Registry Modifications
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SuperExtender\"(Default)" = "{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}"
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SuperExtender\"(Default)" = "{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}"
HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\SuperExtender\"(Default)" = "{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}" = "QuickOpen ContextMenu Extension"
HKEY_CLASSES_ROOT\CLSID\{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}\InprocServer32\"(Default)" = "%ProgramFiles%\Internet Explorer\SafeNet\SafeExt.dll"
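A read-only check for the file paths and registry values listed above, as an added example that is not from SpywareRemove.com or any anti-malware product. It assumes the current user's %Temp%, also looks under the (x86) Program Files folder as an assumption for 64-bit Windows, and skips smcs.exe because the page gives no directory for it.

```powershell
# Added example: report which of the artifacts listed on this page exist. Nothing is modified.
$clsid = '{B0597F7E-06FF-4A31-9C2C-11483CE7F30E}'   # CLSID from the registry list above

# Assumption: a 32-bit component on 64-bit Windows may resolve %ProgramFiles% to the (x86) folder.
$programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

$paths = @(
    foreach ($root in $programFiles) {
        Join-Path $root 'Internet Explorer\SafeNet\SafeExt.dll'
        Join-Path $root 'Internet Explorer\SafeNet\SafeCredential.DAT'
    }
    # %Temp% is per-user: only the account running this script is covered.
    foreach ($leaf in 'SafeNet\SafeExt.dll', 'SafeNet\SafeExt.org',
                      'SafeNet\SafeCredential.DAT', 'SafeNet\kernel.dat', '_Rm.bat') {
        Join-Path $env:TEMP $leaf
    }
)

# Name = '' selects a key's (Default) value; Expect is matched against the end of the data.
$approved = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$regChecks = @(
    @{ Key = 'HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SuperExtender'; Name = ''; Expect = $clsid }
    @{ Key = 'HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SuperExtender'; Name = ''; Expect = $clsid }
    @{ Key = 'HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\SuperExtender'; Name = ''; Expect = $clsid }
    @{ Key = $approved; Name = $clsid; Expect = 'QuickOpen ContextMenu Extension' }
    @{ Key = "HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"; Name = ''; Expect = 'SafeNet\SafeExt.dll' }
)

$hits = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hits += [pscustomobject]@{ Type = 'File'; Location = $p; Value = '' }
    }
}
foreach ($c in $regChecks) {
    # -LiteralPath keeps the '*' in HKEY_CLASSES_ROOT\* from being treated as a wildcard.
    $key = Get-Item -LiteralPath "Registry::$($c.Key)" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $value = $key.GetValue($c.Name)
    if ($value -like "*$($c.Expect)") {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = $c.Key; Value = $value }
    }
}

if ($hits) { $hits | Format-Table -AutoSize -Wrap }
else { 'No listed Trojan.Fakesafe artifacts found for this user.' }
```

From 64-bit PowerShell, registrations written by a 32-bit process can sit in the Wow6432Node view of these keys, which this check does not read.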