SpySheriff

SpySheriff interface.

SpySheriff, also known as Brave Sentry, Pest Trap, SpyTrooper,^[1] and SpywareNo,^[2] is malware that disguises itself as an anti-spyware program. SpySheriff attempts to mislead a user into buying the program by repeatedly informing them of false threats to their system.^[3] SpySheriff is difficult to remove from an infected computer;^[4] attempting to remove it using the "Add/Remove Programs" applet in control panel does not remove all components,^[5] and SpySheriff's components may be in the System Restore folders.^[6] However, SpySheriff can easily be removed using anti-malware tools.^[7]

Websites

SpySheriff used to be hosted at www.spy-sheriff.com. However, this website is now defunct.^[8] Several typosquatted websites also attempted to automatically install SpySheriff, including a version of Google.com (Goggle.com). As of 2007, these sites are no longer active.

Problems caused by SpySheriff

Another version of SpySheriff.

A fake infection warning pop-up.

• SpySheriff reports false malware infections and uses poor heuristics to detect real malware infections.^[1]
• Attempts to remove SpySheriff are useless and have been reported to be unsuccessful as it re-installs automatically.
• The desktop background may be replaced with an image resembling a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged.".
• Going to add/remove causes it to crash, obviously intended to stop any attempt to take out any of Spysheriff's drivers.
• Any attempt to connect to the internet via a web browser is blocked by Spysheriff, which replaces your desktop background with a menacingly blue warning screen telling you the system has been stopped to protect you from Spyware: an obvious hint of the program's true nature.
• Perhaps the most dangerous feat of Spysheriff, is that it attempts to stop any attempt to do a system restore by causing the calendar and restore points to not load. This causes the user to be unable to revert their computer to an earlier state. A loop hole has been discovered, however, in that if you undo your last restore operation, the system will successfully restore itself allowing you a chance to be rid of Spysheriff.^[5]

See also

• Rogue security software
• Trojan horse (computing)

References

1. ^ "SpySheriff Technical Details". Symantec. http://subsync.symantec.com/security_response/writeup.jsp?docid=2005-122910-4625-99&tabid=2. Retrieved 2009-11-01. 
2. "SpywareNo!". http://www.spywareguide.com/product_show.php?id=2136. Retrieved 2009-11-11. 
3. "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. http://www.zdnetasia.com/news/security/0,39044215,39310016,00.htm. Retrieved 2009-11-01. 
4. "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. http://blogs.zdnet.com/Spyware/?p=727. Retrieved 2009-11-01. 
5. ^ "SpySheriff - CA". CA. http://www.ca.com/securityadvisor/pest/pest.aspx?id=453096400. Retrieved 2009-11-01. 
6. "Persistent Malware: Microsoft's System Restore Feature". CA. http://community.ca.com/blogs/securityadvisor/archive/2008/11/05/persistent-malware-microsoft-s-system-restore-feature.aspx. Retrieved 2009-11-01. 
7. "PestTrap removal instructions". spywareremove.com. http://www.spywareremove.com/removePestTrap.html. Retrieved 2009-11-01. 
8. "SunBelt Security Blog". Sunbelt Security. http://sunbeltblog.blogspot.com/2005/10/sleazy-install-of-week.html. Retrieved 2009-11-01. 

External links

• http://www.bleepingcomputer.com/forums/topic22402.html
• http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Program%3aWin32%2fSpySheriff