SpySheriff

"SpywareBot" redirects here; not to be confused with Spybot – Search & Destroy.

SpySheriff
Technical name	SpySheriff Variant Adware.SpySheriff (Symantec) Rogue:W32/SpySheriff(F-Secure) Adware/SpySheriff.[Letter](Fortiguard) [1] Adware-SpySheriff(McAfee) ADW_SPYSHERIFF.[Letter] (Trend Micro) DOWNLOADER_SPYSHERIFF (Trend Micro) FREELOADER_SPYSHERIFF (Trend Micro) BraveSentry Variant Rogue:W32/BraveSentry (F-Secure) [2] VBS_SENTRY.[Letter] (Trend Micro) ADW_BRAVESEN.[Letter] (Trend Micro) Pest Trap Variant ADW_PESTTRAP.[Letter] (Trend Micro)
SpySheriff interface
Alias	SpyDawn Variant FraudTool.Win32.SpyHeal.a (Sophos) [3] Alpha Cleaner Variant Program:Win32/AlfaCleaner (Microsoft) SpyBouncer Variant Trojan:Win32/Spybouncer (Microsoft)
Type	Malware
Subtype	Rogue Software
Authors	Innovagest 2000
Technical details
Platform	Windows
Discontinued	2008

SpySheriff ^[a] (also known as BraveSentry 2.0, among other names) was malware that disguised itself as anti-spyware software created by Innovative Marketing Inc. or under alternate name Innovagest 2000. It attempted to mislead the user with false security alerts, threatening them into buying the program. ^[4] Like other rogue antiviruses, after producing a list of false threats, it prompted the user to pay to remove them. The software was particularly difficult to remove, ^[5] since it nested its components in System Restore folders, and also blocked some system management tools. However, SpySheriff could be removed by an experienced user, antivirus software, or by using a rescue disk.

Websites

SpySheriff was hosted at both www.spysheriff.com and www.spy-sheriff.com, ^{[6] [ self-published source ]} which operated from 2005 until their shutdown in 2008.^{[ citation needed ]} Both domains are now parked. Several other similarly-named websites also hosted the program but have all been shut down.

Features of a SpySheriff infection

• SpySheriff was designed to behave like genuine antispyware software. Its user interface featured a progress bar and counted allegedly found threats, but its scan results were deliberately false, with cryptic names such as "Trojan VX …" to mislead and scare the user. ^{[7] [8]}
• Removal attempts in some cases were unsuccessful because SpySheriff could reinstall itself.^{[ citation needed ]}
• The desktop background sometimes was replaced with an image resembling a Blue Screen of Death, or a notice reading, "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged." ^[9]
• Attempts to remove SpySheriff via Add or Remove Programs in Control Panel either failed or caused the computer to restart unexpectedly. ^[10]
• Attempts to connect to the Internet in any Web browser was blocked by SpySheriff. Spy-Sheriff.com became the only accessible website, and could be opened through the program's control panel.^{[ citation needed ]}
• Attempts to remove SpySheriff via System Restore were blocked as it prevents the calendar and restore points from loading. Users could overcome this by undoing the previous restore operation, after which the system will restore itself, allowing for easier removal of SpySheriff. ^[10]
• SpySheriff could detect certain antispyware and antivirus programs running on the machine, and disable them by ending their processes as soon as it detected them. This prevented its detection and removal by legitimate antivirus programs.^{[ citation needed ]}
• SpySheriff could disable Task Manager and Registry Editor, preventing the user from ending its active process or removing its registry entries from Windows. By renaming the 'regedit' and 'taskmgr' executables users could solve this problem.^{[ citation needed ]}

See also

• Rogue security software
• Trojan horse (computing)

Notes

1. Also known by around thirty other names, including BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot. The name SpywareBot is used to confuse them with the legitimate SpyBot anti-spyware software.

References

1. "Fortiguard". 2005-09-21. Archived from the original on 2022-08-19. Retrieved 2023-08-17.
2. "Rogue:W32/BraveSentry Description". F-Secure Labs. Archived from the original on 2023-05-21. Retrieved 2023-08-17.
3. "SpyDawn - Adware and PUAs". sophos.com. Archived from the original on 2021-08-28. Retrieved 2023-08-17.
4. "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
5. "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Archived from the original on 19 January 2006. Retrieved 2009-11-01.
6. "SunBelt Security Blog". Sunbelt Security. Archived from the original on 2012-03-08. Retrieved 2009-11-01.
7. "SpySheriff Technical Details". Symantec. Archived from the original on 6 August 2011. Retrieved 2009-11-01.
8. Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.
9. "2005 blog post discussing Spysheriff". Bleeping computer. Retrieved 2 February 2025.
10. "SpySheriff – CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.

External links

• Spy Sheriff Website at the Wayback Machine (archive index) (Note, the online installer does not work due to the payload of the installer being taken down alongside the website.)
• Spy Sheriff Alternate Website at the Wayback Machine (archive index)
• http://www.bleepingcomputer.com/forums/topic22402.html
• Encyclopedia entry: Program:Win32/SpySheriff at the Wayback Machine (archived 2012-04-01)