SpySheriff

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, scaring them into buying the program.[4] Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove,[5] since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

Spy Sheriff
SpySheriff interface.
Common name: Spy Sheriff
Technical name
  • SpySheriff Variant
    • Adware.SpySheriff (Symantec)
    • Rogue:W32/SpySheriff (F-Secure)
    • Adware/SpySheriff.[Letter] (Fortiguard) [1]
    • Adware-SpySheriff (McAfee)
    • ADW_SPYSHERIFF.[Letter] (Trend Micro)
    • DOWNLOADER_SPYSHERIFF (Trend Micro)
    • FREELOADER_SPYSHERIFF (Trend Micro)
  • BraveSentry Variant
    • Rogue:W32/BraveSentry (F-Secure) [2]
    • VBS_SENTRY.[Letter] (Trend Micro)
    • ADW_BRAVESEN.[Letter] (Trend Micro)
  • Pest Trap Variant
Aliases
  • SpyDawn Variant
  • Alpha Cleaner Variant
  • SpyBouncer Variant
    • Trojan:Win32/Spybouncer (Microsoft)
Type: Malware
Subtype: Rogue Software
Author(s): Innovagest 2000
Operating system(s) affected: Windows
Discontinued: Circa 2009

Other names

SpySheriff is also known by numerous other names, including BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm,[6] VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot. The name SpywareBot is used to cause confusion with the legitimate SpyBot anti-spyware software.

Websites

SpySheriff was hosted at both www.spysheriff.com and www.spy-sheriff.com, which operated from 2005 until their shutdown in 2008. Visiting these websites now results in a message saying that the domain is for sale.[7] Several other similarly named websites also hosted the program, but all have been shut down. Several typosquatted websites also attempted to automatically install SpySheriff, including a fake version of Google.com called Goggle.com. From 2015, Goggle.com, which had changed ownership following a lawsuit by Google, hosted a survey scam and displayed links to Amazon items. In 2017, the domain hosted a blank page, with only the word "goggle" present in its HTML source. At the beginning of 2018, the site redirected to the scam site tango-deg.com, but from October 2018, it existed as a simple HTML page with a top-level heading reading "Goggle.com Inc.". In late 2019, the website became a WordPress blog, and as of circa February–March 2020 it is down.
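A defender-side check for the typosquatting described above, as an added example that is not part of the original article: it flags hostnames in a DNS or proxy log that sit within one edit of a watched domain, which is how Goggle.com relates to Google.com. The watchlist, the log format and the sample lines are constructed, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example: lookalike-domain detection over a constructed DNS/proxy log.
PROTECTED = {"google.com", "example.org"}  # hypothetical watchlist of real sites

# Constructed log lines: "<timestamp> <client-ip> <queried-host>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 www.google.com
2024-05-01T09:00:07Z 10.0.0.5 www.goggle.com
2024-05-01T09:01:12Z 10.0.0.8 googel.com
2024-05-01T09:02:30Z 10.0.0.9 mail.example.org
2024-05-01T09:03:44Z 10.0.0.8 GOGLE.com.
""".splitlines()

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposed neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels, lower-cased (assumption: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(lines, protected=PROTECTED, max_dist=1):
    """Return (client, domain, imitated) for near-miss domains in the log."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        domain = registrable(parts[2])
        if domain in protected:
            continue  # the genuine site, not a lookalike
        for real in sorted(protected):
            if osa_distance(domain, real) <= max_dist:
                hits.append((parts[1], domain, real))
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(hit)
```

Hits from a check like this are leads for review rather than verdicts, since legitimate domains can also sit one edit away from a watched name.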

Features of a SpySheriff infection

Another version of SpySheriff.
A fake infection warning pop-up.
  • SpySheriff is designed to behave like genuine antispyware software, but its scan results are deliberately false, and are designed to mislead and scare the user.[8][9]
  • Removal attempts may be unsuccessful and SpySheriff may reinstall itself.
  • The desktop background may be replaced with an image resembling a Blue Screen of Death, or a notice reading, "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
  • Attempts to remove SpySheriff via Add or Remove Programs in Control Panel either fail or cause the computer to restart unexpectedly.[10]
  • Attempts to connect to the Internet in any Web browser are blocked by SpySheriff. Spy-Sheriff.com becomes the only accessible website, and can be opened through the program's control panel.
  • Attempts to remove SpySheriff via System Restore are blocked as it prevents the calendar and restore points from loading. Users can overcome this by undoing the previous restore operation, after which the system will restore itself, allowing for easier removal of SpySheriff.[10]
  • SpySheriff can detect certain antispyware and antivirus programs running on the machine, and disable them by ending their processes as soon as it detects them. This may prevent its detection and removal by legitimate antivirus programs.
  • SpySheriff can disable Task Manager and Registry Editor, preventing the user from ending its active process or removing its registry entries from Windows. Renaming the 'regedit' and 'taskmgr' executables will solve this problem.

References

  1. https://www.fortiguard.com/encyclopedia/virus/68579
  2. https://www.f-secure.com/sw-desc/rogue_w32_bravesentry.shtml
  3. https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/SpyDawn.aspx
  4. "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
  5. "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Retrieved 2009-11-01.
  6. "SpywareNo!". Retrieved 2009-11-11.
  7. "SunBelt Security Blog". Sunbelt Security. Archived from the original on 2012-03-08. Retrieved 2009-11-01.
  8. "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01.
  9. Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.
  10. "SpySheriff – CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.