
SpywareProtect2009

Updated: January 23, 2010 1:13:48 AM
Type: Misleading Application
Name: Spyware Guard 2009
Publisher: Magic Software, Inc.
Risk Impact: Medium
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

Fake names:
  • Advanced Stealth Email Redirector 6.2
  • Antivirus360
  • Autorun.AOL
  • Azero.B
  • Backdoor.Win32.Small.x
  • Bancos DMD
  • BankerFox.A
  • Best search
  • BitTera.C
  • CNNIC Update U
  • CPush
  • DisableKey
  • Downloader.JS.Agent.sg
  • Downloader.JS.Small.fi
  • Downloader.Win32.Braidupdate.c
  • Downloader.Win32.Delf.cgx
  • Downloader_Win32_Agent.nmi
  • Edge Tech
  • Emogen.B
  • GameThief.Win32.OnLineGames.tnys
  • LdPinch V
  • MoonLight.V
  • P2PShared.U
  • PSW.Win32.OnLineGames.rlh
  • PSW.Win32.OnLineGames.sxa
  • Sality.AN
  • SillyDl BCL
  • Sinowal.VXR
  • VMalum AWS
  • Win32.Grams.I
  • Win32/Nuqel.E
  • Win32/Wadnock
  • WinWebSecurity2008
  • Zlob AN

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following file:
%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[RANDOM CHARACTERS]\sysguard.exe

Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[RANDOM CHARACTERS]\sysguard.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[RANDOM CHARACTERS]\sysguard.exe"


It also modifies the following registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "yes"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\"JITDebug" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = "1"


The program then creates the following registry subkey:
HKEY_CURRENT_USER\Software\AvScan

Next, it deletes the following registry subkey, which may affect Internet settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyServer
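As an added host-triage check, not part of the Symantec writeup, the following PowerShell script looks for the artifacts listed above on a live Windows host: Run-key entries whose command matches the random-folder sysguard.exe path, the AvScan marker subkey, and the weakened download and attachment settings. The regular expression and the set of values it inspects are the editor's assumptions; it must run in the context of the affected user profile.

```powershell
# Added triage script (editor's example, not from the writeup). Checks for
# the SpywareProtect2009 artifacts described above on the current host.

$findings = @()

# 1. Run-key entries whose command ends in sysguard.exe under a
#    Local Settings\Application Data\<random>\<random> path (assumed pattern).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$pattern = '(?i)\\Local Settings\\Application Data\\[^\\]+\\[^\\]+\\sysguard\.exe$'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata
        $value = ([string]$p.Value) -replace '"', ''    # strip surrounding quotes
        if ($value -match $pattern) {
            $findings += "Run entry '$($p.Name)' in $key -> $value"
        }
    }
}

# 2. Marker subkey the program creates.
if (Test-Path 'HKCU:\Software\AvScan') {
    $findings += 'Subkey HKCU\Software\AvScan present'
}

# 3. Values the program sets that weaken download/attachment warnings.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                     Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation';  Bad = '1' }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { continue }
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and ([string]$item.($c.Name)) -eq $c.Bad) {
        $findings += "$($c.Path)\$($c.Name) = $($c.Bad)"
    }
}

if ($findings.Count -eq 0) { 'No SpywareProtect2009 artifacts found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Each finding is a string, so the output can be piped to a file or a SIEM forwarder; a match on the Run key alone is sufficient to treat the profile as compromised.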