
HTTP AdwareSheriff Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP traffic generated by the misleading application AdwareSheriff.

Additional Information

AdwareSheriff is a security risk (a misleading application) that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

When AdwareSheriff is installed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\AdwareSheriff\asheriff.exe
* %ProgramFiles%\AdwareSheriff\asheriff.url
* %ProgramFiles%\AdwareSheriff\bz.dll
* %ProgramFiles%\AdwareSheriff\interface\English.lng
* %ProgramFiles%\AdwareSheriff\interface\Italiano.lng
* %ProgramFiles%\AdwareSheriff\pkill.exe
* %ProgramFiles%\AdwareSheriff\sounds\crit.wav
* %ProgramFiles%\AdwareSheriff\unins000.dat
* %ProgramFiles%\AdwareSheriff\unins000.exe
* C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\AdwareSheriff on the Web.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\AdwareSheriff.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\Uninstall AdwareSheriff.lnk
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdwareSheriff Antispyware.lnk
* %UserProfile%\Desktop\AdwareSheriff.lnk
* %UserProfile%\Local Settings\Application Data\AdwareSheriff\DB - This folder contains numerous files.
* %UserProfile%\Local Settings\Application Data\AdwareSheriff\Logs - This folder contains numerous [Random].log files
* %UserProfile%\Local Settings\Application Data\AdwareSheriff\Quarantine - This folder contains items that are Quarantined by the risk.

Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdwareSheriff_is1
HKEY_ALL_USERS\Software\ADV
HKEY_ALL_USERS\Software\AdwareSheriff

Notes:
* HKEY_ALL_USERS is not a standard Windows root key name. Per-user keys such as the two listed above live in the user hives: HKEY_CURRENT_USER for the logged-on user, and HKEY_USERS\[SID] for other loaded profiles. Check every user hive on a shared machine, not just the current one.

3. Gives exaggerated reports of threats present on the computer. The user is then prompted to purchase a registered version of the software in order to remove the reported threats.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
4. Delete the files and folders created by the risk.
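Steps 3 and 4 amount to sweeping a host for the file and registry indicators listed under "Additional Information" and deleting what is found. The following script is an added example, not Symantec's tooling: the indicator strings are the ones on this page, while the function names, the %ProgramFiles%/%UserProfile% expansion, the sample host it builds in a temporary directory, and the reading of the non-standard HKEY_ALL_USERS root as HKEY_CURRENT_USER are assumptions made for this illustration.

```python
"""Offline sweep for the AdwareSheriff host artifacts listed in this write-up.
Added example, not Symantec tooling: the indicator strings are the page's; the
function names, %Var% expansion and the reading of HKEY_ALL_USERS are assumed."""
import os
import re
import shutil
import sys
from typing import Dict, List

# Verbatim from the write-up. The three "All Users" shortcuts are literal XP
# paths on the page, so they stay literal here.
FILE_INDICATORS = [
    r"%ProgramFiles%\AdwareSheriff\asheriff.exe",
    r"%ProgramFiles%\AdwareSheriff\asheriff.url",
    r"%ProgramFiles%\AdwareSheriff\bz.dll",
    r"%ProgramFiles%\AdwareSheriff\interface\English.lng",
    r"%ProgramFiles%\AdwareSheriff\interface\Italiano.lng",
    r"%ProgramFiles%\AdwareSheriff\pkill.exe",
    r"%ProgramFiles%\AdwareSheriff\sounds\crit.wav",
    r"%ProgramFiles%\AdwareSheriff\unins000.dat",
    r"%ProgramFiles%\AdwareSheriff\unins000.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\AdwareSheriff on the Web.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\AdwareSheriff.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\AdwareSheriff\Uninstall AdwareSheriff.lnk",
    r"%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdwareSheriff Antispyware.lnk",
    r"%UserProfile%\Desktop\AdwareSheriff.lnk",
    r"%UserProfile%\Local Settings\Application Data\AdwareSheriff\DB",
    r"%UserProfile%\Local Settings\Application Data\AdwareSheriff\Logs",
    r"%UserProfile%\Local Settings\Application Data\AdwareSheriff\Quarantine",
]

# (root, subkey) pairs as listed. HKEY_ALL_USERS is not a Windows root key;
# scan_registry() reads it as HKEY_CURRENT_USER (assumption, see below).
REGISTRY_INDICATORS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdwareSheriff_is1"),
    ("HKEY_ALL_USERS", r"Software\ADV"),
    ("HKEY_ALL_USERS", r"Software\AdwareSheriff"),
]

def expand(indicator: str, env: Dict[str, str]) -> str:
    """Substitute %Var% tokens case-insensitively and use the host's separator."""
    out = indicator
    for name, value in env.items():
        out = re.sub(re.escape(f"%{name}%"), lambda _m, v=value: v, out, flags=re.IGNORECASE)
    return out.replace("\\", os.sep)

def scan_files(env: Dict[str, str], indicators=FILE_INDICATORS) -> List[str]:
    """Return the expanded indicator paths (files or folders) present on this host."""
    return [p for p in (expand(i, env) for i in indicators) if os.path.lexists(p)]

def remove_paths(paths: List[str], dry_run: bool = True) -> List[str]:
    """Response step 4: delete the listed files/folders (dry_run only reports)."""
    for p in paths:
        if dry_run:
            continue
        if os.path.isdir(p) and not os.path.islink(p):
            shutil.rmtree(p)
        else:
            os.remove(p)
    return list(paths)

def scan_registry() -> List[str]:
    """Response step 3 helper (Windows only). HKEY_ALL_USERS is read as
    HKEY_CURRENT_USER here; other profiles need HKEY_USERS\\<SID> (assumption)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_ALL_USERS": winreg.HKEY_CURRENT_USER}
    hits = []
    for root_name, sub in REGISTRY_INDICATORS:
        try:
            winreg.CloseKey(winreg.OpenKey(roots[root_name], sub))
            hits.append(f"{root_name}\\{sub}")
        except OSError:  # key absent or access denied
            pass
    return hits

def demo() -> Dict[str, List[str]]:
    """Constructed sample host (not a real infection): plant four artifacts in
    a temp dir, sweep, delete, sweep again; return the three result lists."""
    import tempfile
    root = tempfile.mkdtemp(prefix="asheriff_demo_")
    env = {"ProgramFiles": os.path.join(root, "Program Files"),
           "UserProfile": os.path.join(root, "Documents and Settings", "user")}
    for ind in (FILE_INDICATORS[0], FILE_INDICATORS[5], FILE_INDICATORS[13]):
        os.makedirs(os.path.dirname(expand(ind, env)), exist_ok=True)
        open(expand(ind, env), "w").close()  # empty placeholder, not the real file
    os.makedirs(expand(FILE_INDICATORS[15], env))  # the Logs folder
    try:
        before = scan_files(env)
        removed = remove_paths(before, dry_run=False)
        after = scan_files(env)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"found_before": before, "removed": removed, "found_after": after}
```

On a live host, call scan_files() with the real %ProgramFiles% and %UserProfile% values for each profile on the machine (the write-up's paths are per-user, so one sweep per profile), review the dry-run list, and only then call remove_paths(..., dry_run=False). Run the registry check as an administrator so that HKEY_LOCAL_MACHINE and the other users' hives are readable, and treat the sweep as a complement to the definitions update and full scan in steps 1 and 2, not a replacement for them.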