SpySheriff

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by MrWLG (talk | contribs) at 18:48, 23 August 2018 (Grammar fix). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

SpySheriff interface.

SpySheriff, also known as Brave Sentry, SpyDawn, SpywareBot, SpyAxe, SpywareSheriff, Pest Trap, SpyTrooper,[1] Spywareno, and MalwareAlarm,[2] is malware that disguises itself as an anti-spyware program and attempts to mislead the user into buying it by repeatedly reporting false threats on their system.[3] The software is particularly difficult to remove,[4] since it nests its components in System Restore folders and blocks some system management tools. Unlike most rogue antiviruses, SpySheriff prompts the user to register only when they attempt to "Remove found threats". SpySheriff can nevertheless be removed if the user already has anti-malware tools on the machine or, where those are not sufficient, a rescue disk. Once SpySheriff had become widely recognized as malware, its creators released further programs similar to it, such as Brave Sentry, SpyDawn, SpywareBot, SpyAxe, SpywareSheriff, Pest Trap, SpyTrooper,[1] Spywareno, and MalwareAlarm, each with a slightly different interface.

Websites

SpySheriff was formerly hosted at www.spy-sheriff.com, which operated from 2005 until it was shut down in 2008.[5] Several typosquatted websites also attempted to install SpySheriff automatically, including Goggle.com (an imitation of Google.com) and spysherrif.com. Websites named after SpySheriff's alternative names also hosted it before they too were shut down. As of 2015, Goggle.com, which had changed ownership as a result of a lawsuit by Google, was a survey scam. The website displayed links to Amazon.com items, but as of 2017 the domain was no longer usable, its HTML containing nothing other than the word "goggle". As of 2018, the site redirected to the scam site tango-deg.com.

Known symptoms caused by SpySheriff

[Image: another version of SpySheriff.]
[Image: a fake infection warning pop-up.]
  • SpySheriff reports fake malware infections and claims to detect real ones.[1][6]
  • Attempts to remove SpySheriff have been reported to be unsuccessful, as SpySheriff reinstalls itself.
  • The desktop background may be replaced with an image resembling a Blue Screen of Death, or with a notice reading, "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
  • Attempts to remove SpySheriff via the Add or Remove Programs control panel either cause the computer to restart unexpectedly or do not remove all components.[7]
  • Attempts to connect to the Internet in any web browser are blocked by SpySheriff, which replaces the user's desktop background with a blue warning screen stating that the system has been stopped to protect the user from spyware. Spy-Sheriff.com is the only website that can be opened, through the program's control panel.
  • Attempts to remove SpySheriff via System Restore are blocked by preventing the calendar and restore points from loading, so users cannot restore their system to an earlier state. A loophole has been discovered, however: if the user undoes the last restore operation, the system restores itself, giving a chance to remove SpySheriff.[7]
  • SpySheriff can detect certain antispyware and antivirus programs running on the machine and disables them by ending their processes as soon as it detects them, preventing its detection and removal by these programs for as long as it is active on the system.
  • SpySheriff can disable the Task Manager and Registry Editor tools to keep the user from ending its active process or removing its registry entries from Windows. Renaming the 'regedit' and 'taskmgr' executables will fool it, however.
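The symptoms above are the kind of thing a responder checks first when triaging a machine. As an added example (not from the article), the PowerShell below reports whether Task Manager, Registry Editor and System Restore are disabled, and what the current wallpaper is. It assumes the tools are disabled through the standard Windows policy values (`DisableTaskMgr`, `DisableRegistryTools`, `DisableSR`); the article describes only the effect, not the mechanism, so that mapping is an assumption.

```powershell
# Added triage example; assumes the standard policy values are what disables the tools.
function Get-ToolLockdownStatus {
    $policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $restore = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $desktop = 'HKCU:\Control Panel\Desktop'

    # Read one DWORD policy value, treating a missing key or value as 0 (not set).
    $readDword = {
        param($Path, $Name)
        if (Test-Path $Path) {
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [int]$item.$Name }
        }
        return 0
    }

    $wallpaper = (Get-ItemProperty -Path $desktop -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper

    [pscustomobject]@{
        TaskManagerDisabled    = (& $readDword $policy  'DisableTaskMgr')       -eq 1
        RegistryEditorDisabled = (& $readDword $policy  'DisableRegistryTools') -eq 1
        SystemRestoreDisabled  = (& $readDword $restore 'DisableSR')            -eq 1
        CurrentWallpaper       = $wallpaper   # compare against the blue "SPYWARE INFECTION" screen
    }
}

# Re-enabling the tools for the current user is the reversal of the same policy values.
# Run this only after the process that re-applies them has been stopped, or it will be undone.
function Restore-ToolAccess {
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        Remove-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue
    }
}

Get-ToolLockdownStatus | Format-List
```

A clean machine reports all three flags as False; a True flag with no corresponding Group Policy is the signal to look for the process that set it, as the article notes that SpySheriff re-applies its changes while active.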

References

  1. "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01.
  2. "SpywareNo!". Retrieved 2009-11-11.
  3. Joris Evers. "Spyware tunnels in on Winamp flaw". CNET News.com, February 6, 2006. Retrieved 2009-11-01.
  4. Suze Turner. "Top 10 rogue anti-spyware". ZDNet, December 19, 2005. Retrieved 2009-11-01.
  5. "SunBelt Security Blog". Sunbelt Security. Retrieved 2009-11-01.
  6. Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.
  7. "SpySheriff - CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.