SpySheriff

SpySheriff
SpySheriff
Technical name	SpySheriff Variant Adware.SpySheriff (Symantec); Rogue:W32/SpySheriff(F-Secure); Adware/SpySheriff.[Letter](Fortiguard) ; Adware-SpySheriff(McAfee); ADW_SPYSHERIFF.[Letter] (Trend Micro); DOWNLOADER_SPYSHERIFF (Trend Micro); FREELOADER_SPYSHERIFF (Trend Micro); ; BraveSentry Variant Rogue:W32/BraveSentry (F-Secure) ; VBS_SENTRY.[Letter] (Trend Micro); ADW_BRAVESEN.[Letter] (Trend Micro); ; Pest Trap Variant ADW_PESTTRAP.[Letter] (Trend Micro); ;
	SpySheriff interface
Alias	SpyDawn Variant FraudTool.Win32.SpyHeal.a (Sophos) ; ; Alpha Cleaner Variant Program:Win32/AlfaCleaner (Microsoft); ; SpyBouncer Variant Trojan:Win32/Spybouncer (Microsoft); ;
Type	Malware
Subtype	Rogue Software
Authors	Innovagest 2000
Technical details
Platform	Windows
Discontinued	2008

Last updated July 14, 2024

SpySheriff^{[lower-alpha 1]} (also known as BraveSentry 2.0 among other names) is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program.^[4] Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove,^[5]^{[ self-published source ]} since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

Websites

SpySheriff was hosted at both www.spysheriff.com and www.spy-sheriff.com,^[6]^{[ self-published source ]} which operated from 2005 until their shutdown in 2008.^{[ citation needed ]} Both domains are now parked. Several other similarly-named websites also hosted the program but have all been shut down.

Features of a SpySheriff infection

A fake infection warning pop-up SpySheriffPopUp.png — A fake infection warning pop-up

SpySheriff is designed to behave like genuine antispyware software. Its user interface features a progress bar and counts allegedly found threats, but its scan results are deliberately false, with cryptic names such as "Trojan VX …" to mislead and scare the user.^[7]^[8]
Removal attempts may be unsuccessful and SpySheriff may reinstall itself.^{[ citation needed ]}
The desktop background may be replaced with an image resembling a Blue Screen of Death, or a notice reading, "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."^{[ citation needed ]}
Attempts to remove SpySheriff via Add or Remove Programs in Control Panel either fails or causes the computer to restart unexpectedly.^[9]
Attempts to connect to the Internet in any Web browser is blocked by SpySheriff. Spy-Sheriff.com becomes the only accessible website, and can be opened through the program's control panel.^{[ citation needed ]}
Attempts to remove SpySheriff via System Restore are blocked as it prevents the calendar and restore points from loading. Users can overcome this by undoing the previous restore operation, after which the system will restore itself, allowing for easier removal of SpySheriff.^[9]
SpySheriff can detect certain antispyware and antivirus programs running on the machine, and disable them by ending their processes as soon as it detects them. This may prevent its detection and removal by legitimate antivirus programs.^{[ citation needed ]}
SpySheriff can disable Task Manager and Registry Editor, preventing the user from ending its active process or removing its registry entries from Windows. Renaming the 'regedit' and 'taskmgr' executables will solve this problem.^{[ citation needed ]}

Notes

↑ Also known by numerous other names, including BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot. The name SpywareBot is used to confuse them with the legitimate SpyBot anti-spyware software.

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows. Dating back to the first Adwares in 2000, Spybot scans the computer hard disk and/or RAM for malicious software.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

<span class="mw-page-title-main">CA Anti-Spyware</span> Spyware detection program

CA Anti-Spyware is a spyware detection program distributed by CA, Inc. Until 2007, it was known as PestPatrol.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

Adaware, previously known as Lavasoft, is a software development company that produces spyware and malware detection software, including Adaware. It operates as a subsidiary of Avanquest, a division of Claranova.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

MacSweeper is a rogue application that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland-based computer security software company, on January 17, 2008.

MonaRonaDona is a browser hijacker that uses unique tactics through popups or alert messages stating that you are infected with a virus. It uses this message to send users on a hunt for a MonaRonaDona remedy only to run into other malicious websites.

Malwarebytes is anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. This is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.

SUPERAntiSpyware is a software application which can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect various types of malware, SUPERAntiSpyware is not designed to replace antivirus software.

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

<span class="mw-page-title-main">Genieo</span> Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

References

↑ "Fortiguard". 2005-09-21. Archived from the original on 2022-08-19. Retrieved 2023-08-17.
↑ "Rogue:W32/BraveSentry Description". F-Secure Labs. Archived from the original on 2023-05-21. Retrieved 2023-08-17.
↑ "SpyDawn - Adware and PUAs". sophos.com. Archived from the original on 2021-08-28. Retrieved 2023-08-17.
↑ "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
↑ "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Archived from the original on 19 January 2006. Retrieved 2009-11-01.
↑ "SunBelt Security Blog". Sunbelt Security. Archived from the original on 2012-03-08. Retrieved 2009-11-01.
↑ "SpySheriff Technical Details". Symantec. Archived from the original on 6 August 2011. Retrieved 2009-11-01.
↑ Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.
1 2 "SpySheriff – CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.

External links

Spy Sheriff Website at the Wayback Machine (archive index)(note, the online installer does not work due to the payload of the installer being taken down when the website was)
Spy Sheriff Alternate Website at the Wayback Machine (archive index)
http://www.bleepingcomputer.com/forums/topic22402.html
Encyclopedia entry: Program:Win32/SpySheriff at the Wayback Machine (archived 2012-04-01)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[4] Also known by numerous other names, including BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot. The name SpywareBot is used to confuse them with the legitimate SpyBot anti-spyware software.

[1] "Fortiguard". 2005-09-21. Archived from the original on 2022-08-19. Retrieved 2023-08-17.

[2] "Rogue:W32/BraveSentry Description". F-Secure Labs. Archived from the original on 2023-05-21. Retrieved 2023-08-17.

[3] "SpyDawn - Adware and PUAs". sophos.com. Archived from the original on 2021-08-28. Retrieved 2023-08-17.

[winampflaw-5] "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.

[ZDNet10-6] "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Archived from the original on 19 January 2006. Retrieved 2009-11-01.

[SunBeltBlog-7] "SunBelt Security Blog". Sunbelt Security. Archived from the original on 2012-03-08. Retrieved 2009-11-01.

[SymantecTech-8] "SpySheriff Technical Details". Symantec. Archived from the original on 6 August 2011. Retrieved 2009-11-01.

[AAA-9] Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.

[CA-10] 1 2 "SpySheriff – CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.

[1]

[2]

[3]

[lower-alpha 1]

[4]

[5]

[6]

[7]

[8]

[9]