SpySheriff


Updated: December 8, 2006 5:00:51 PM
Also Known As: Adware.SpySheriff [Symantec]
Type: Misleading Application
Name: Brave Sentry
Publisher: SpySheriff; SpyTrooper; PestTrap
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

Behaviour
SpySheriff is a misleading application that may give exaggerated reports about potential risks on the computer.

It scans parts of the registry and several system locations in order to detect risks.

The risk displays the following message periodically:



The program may falsely report the presence of risks due to the detection techniques used, such as detection based solely on file names.



The application identifies several false risks, including:
  • Trojan VX Downloader
  • Trojan VX 12

The program then directs the user to the program's Web site to purchase the full version of the product in order to remove any discovered risks.


Installation
When SpySheriff executes, it creates the following files:
  • %ProgramFiles%\SpySheriff\base.avd
  • %ProgramFiles%\SpySheriff\base001.avd
  • %ProgramFiles%\SpySheriff\base002.avd
  • %ProgramFiles%\SpySheriff\found.wav
  • %ProgramFiles%\SpySheriff\heur000.dll
  • %ProgramFiles%\SpySheriff\heur001.dll
  • %ProgramFiles%\SpySheriff\heur002.dll
  • %ProgramFiles%\SpySheriff\heur003.dll
  • %ProgramFiles%\SpySheriff\IESecurity.dll
  • %ProgramFiles%\SpySheriff\notfound.wav
  • %ProgramFiles%\SpySheriff\ProcMon.dll
  • %ProgramFiles%\SpySheriff\removed.wav
  • %ProgramFiles%\SpySheriff\SpySheriff.dvm
  • %ProgramFiles%\SpySheriff\SpySheriff.exe
  • %ProgramFiles%\SpySheriff\Uninstall.exe
  • %UserProfile%\Desktop\SpySheriff.lnk
  • %UserProfile%\Start Menu\Programs\SpySheriff.lnk

Next, the following registry subkeys are created:
  • HKEY_CURRENT_USER\Software\SpySheriff
  • HKEY_CURRENT_USER\Software\SNO2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff

It then creates the following registry entry so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SpySheriff" = "%ProgramFiles%\SpySheriff\SpySheriff.exe"
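
The files, subkeys and Run entry listed above can be checked against an inventory collected from a host. The following is an added example, not part of the original write-up: the inventory layout, the function names and the two-class verdict threshold are assumptions, and the sample data is constructed.

```python
import ntpath

# Indicators copied from the Installation section of this page.
PF_NAMES = """base.avd base001.avd base002.avd found.wav heur000.dll heur001.dll
heur002.dll heur003.dll IESecurity.dll notfound.wav ProcMon.dll removed.wav
SpySheriff.dvm SpySheriff.exe Uninstall.exe""".split()
FILES = ["%ProgramFiles%\\SpySheriff\\" + n for n in PF_NAMES] + [
    r"%UserProfile%\Desktop\SpySheriff.lnk",
    r"%UserProfile%\Start Menu\Programs\SpySheriff.lnk"]
KEYS = [r"HKEY_CURRENT_USER\Software\SpySheriff",
        r"HKEY_CURRENT_USER\Software\SNO2",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff"]
# Value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RUN_NAME, RUN_DATA = "SpySheriff", r"%ProgramFiles%\SpySheriff\SpySheriff.exe"


def norm(path, env):
    """Expand %Var% tokens with the host's values; Windows paths ignore case."""
    path = path.strip().strip('"').lower()
    for var, value in env.items():
        path = path.replace("%" + var.lower() + "%", value.lower())
    return ntpath.normpath(path)


def triage(host):
    """host: dict of collected 'env', 'files', 'keys', 'run' (value name -> data)."""
    env = host["env"]
    seen_files = {norm(p, env) for p in host["files"]}
    seen_keys = {k.lower().rstrip("\\") for k in host["keys"]}
    run = {n.lower(): norm(d, env) for n, d in host["run"].items()}
    hits = {"files": [f for f in FILES if norm(f, env) in seen_files],
            "keys": [k for k in KEYS if k.lower() in seen_keys],
            "autorun": run.get(RUN_NAME.lower()) == norm(RUN_DATA, env)}
    # Assumed policy: one artifact class alone is weak evidence (name-only
    # matching is what the page blames for false reports); two or more agree.
    classes = sum(bool(v) for v in hits.values())
    hits["verdict"] = ("likely installed" if classes >= 2
                       else "needs review" if classes == 1 else "no match")
    return hits


# Constructed sample inventory (not real telemetry).
SAMPLE = {"env": {"ProgramFiles": r"C:\Program Files",
                  "UserProfile": r"C:\Documents and Settings\alice"},
          "files": [r"c:\program files\spysheriff\SpySheriff.exe",
                    r"C:\Program Files\SpySheriff\base.avd",
                    r"C:\WINDOWS\system32\notepad.exe"],
          "keys": [r"HKEY_CURRENT_USER\Software\SNO2"],
          "run": {"SpySheriff": r'"C:\Program Files\SpySheriff\SpySheriff.exe"'}}
```

Paths are compared in full after expanding the host's own %ProgramFiles% and %UserProfile% values, so a file that merely shares a name with a listed one does not match. Run data stored in 8.3 short form (for example PROGRA~1) is not expanded and would need to be resolved before comparison.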
