SpySheriff
SpySheriff, also known as Brave Sentry, Pest Trap, SpyTrooper,[1] Spywareno, and MalwareAlarm,[2] is malware that disguises itself as an anti-spyware program. SpySheriff attempts to mislead a user into buying the program by repeatedly informing them of false threats to their system.[3] It is very difficult to remove SpySheriff from machines,[4] since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed if the user has anti-malware tools on the machine, or owns a rescue disk.
Websites
SpySheriff used to be hosted at www.spy-sheriff.com from 2005 to late 2008 and is now defunct. [5] Several typosquatted websites have also attempted to automatically install SpySheriff, including a version of Google.com (Goggle.com), and MCreator, a program used to make mods for Minecraft. As of 2007, these sites are no longer active.
Problems caused by SpySheriff
- SpySheriff reports false malware infections and pretends to detect real malware infections.[1][6]
- Attempts to remove SpySheriff have been reported to be unsuccessful as SpySheriff will reinstall itself.
- The desktop background may be replaced with an image resembling a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
- Going to add/remove programs to remove SpySheriff either causes the computer to crash or does not remove all components.[7]
- Any attempt to connect to the Internet via a web browser is blocked by SpySheriff, which replaces the user's desktop background with a blue warning screen saying that the system has been stopped to protect the user from spyware.
- SpySheriff stops any attempt to do a system restore by causing the calendar and restore points to not load. This causes the user to be unable to revert their computer to an earlier state. A loop hole has been discovered, in that if the user undoes the last restore operation, the system will restore itself, allowing a chance to remove SpySheriff.[7]
- SpySheriff can detect certain running anti-spyware and anti-virus programs and disable them by ending their processes as soon as it detects them, preventing it's detection and removal by these programs as long as it is active on the system.
- SpySheriff can disable the taskmgr or regedit tools that a user may attempt to bring up to end its active process or to remove its registry entries from Windows. Renaming the regedit and taskmgr executables will fool it, however.
See also
References
- ↑ 1.0 1.1 "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01.
- ↑ "SpywareNo!". Retrieved 2009-11-11.
- ↑ "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
- ↑ "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Retrieved 2009-11-01.
- ↑ "SunBelt Security Blog". Sunbelt Security. Retrieved 2009-11-01.
- ↑ Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Retrieved 27 July 2013.
- ↑ 7.0 7.1 "SpySheriff - CA". CA. Retrieved 2009-11-01.