Is Spy Sheriff still spyware? (testing in VM)

Discussion in 'other anti-virus software' started by AH786, Mar 23, 2007.

Thread Status:
Not open for further replies.
  1. AH786

    AH786 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    17
    Hi, I'm doing a mini project for my course and I'm testing malware in a virtual machine, so I went to SpySheriff's main URL and downloaded their program.

    I expected it to install loads of files in /windows/system32 and other places.

    However it only installed in program files and when I uninstalled it all traces were removed.

    What's going on? Are SpySheriff and other SmitFraud variants able to detect that they're being run in a virtual environment?

    Or are they not malware any more?

    I would install them on a machine if I had one, but I don't have a spare machine available.

    So I thought I'd ask the experts!
     
  2. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    I am not an expert, but I have witnessed many experts use HijackThis to fix computers on IT sites, and they always remove Spy Sheriff when it's present.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  4. AH786

    AH786 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    17
    Yup, that's why I installed SpySheriff on purpose.

    I need to install viruses on VM machines as part of my project.

    However, it did not install extra processes or DLLs in system folders.

    And I could uninstall it without leaving any traces.

    As such I need to know if it's still malware.

    I would test it myself if I had a spare physical machine or hard disk available, but I do not.
     
  5. AH786

    AH786 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    17
    Thanks for the link ronjor.

    I see SpySheriff is still listed as malware; I want to know if it still installs executables and DLLs in system folders.

    Last year I had to deal with this infestation on someones PC, as such I thought it would do the same now.

    However, in the VM it did not install the extra processes and DLLs.

    Which makes me think: is it different now, or does it find out it's running in a virtual environment and act safely?
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi. AH786: Just a quick question: how do you uninstall the said app?
     
  7. AH786

    AH786 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    17
    Through the Start Menu program group it creates. I checked the Program Files and Windows folder locations after the install and nothing suspicious was present.

    The virtual image was examined externally so what I was seeing was what was actually there.

    I had Sygate Firewall installed on the VM; SpySheriff did not try to access the internet.

    I find this strange. I'm not going to install SpySheriff on my main PC; I've seen what it can do on normal machines. That was last year though.

    For the purpose of my project, though, I need to confirm whether the way SpySheriff acted in my virtual machine is different from how it normally acts.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, AH786: So you said you uninstalled it through the Start Menu program group it created. If I read this right, it is its own built-in uninstaller. Often this type of subprogram cannot effectively remove all traces. You could run a third-party registry cleaner and use the registry editor to search for its residues. You will be surprised to find some, perhaps lots, of those leftovers. You can also run an anti-spyware scan, such as SuperAntiSpyware, to search for any possible traces. No connection with the outside does not mean no traces at all; it could well be just paralyzed and unable to function any more, while its presence is still there. Good luck.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Even if it was found to come with a fully functioning uninstaller, it would still be classed as malware if it is being installed against the wishes or knowledge of the user; and if it is using underhand means to trick people into purchasing it (eg false positives and false promises etc).

    If I remember correctly, KAV doesn't have sigs against the installer of this prog (or am I thinking of another similar one?) but it does intercept the trojans that try and drop it. So it is a bit of a fine line as to what is malware. If you voluntarily install it then that is up to you; however if it then starts finding things that aren't there in order to get you to buy it, it would be a rogue at least and probably malware as well.
     
    Last edited: Mar 23, 2007
  10. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    I also found that the application itself is clean from a malware point of view. The trojan that makes those advertisements is something different than the application you download from the main webpage.

    However, due to the false advertising this application is classified as rogue and is not trustworthy.
     
  11. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Perhaps the main program does not act as spyware. The spyware is the software that installs itself using exploits, "warns" the user about the infection and opens one of the pages of Spy Sheriff when the user clicks the tray icon.
     
  12. JeffBuck

    JeffBuck Registered Member

    Joined:
    Mar 13, 2007
    Posts:
    32
    As other people say, it's difficult to define what spyware is ...
    Anyway, SpySheriff is still malware because:

    I monitored the installation of SpySheriff (with Tiny Watcher, Log Monitor, Sentinel 2) and the latest version came onto my PC with the following major entries (see first image).

    After a scan with SpySheriff I got an excessive warning (see image 2).

    It found a good number of entries (seven) classified as SEVERE (or high or very high risk) ... see image 3 attached here.

    But, checking those entries more closely, I know they are not dangerous ...
    example in my case:
    Registry: Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: NoActiveDesktop
    :D
    Registry: Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    :D
    C:\Programmi\K-Meleon\readme.html
    :D
    and others like these.

    Uninstalling SpySheriff with the Windows tool, msxml4xxx.dll remains in the system32 folder, and also some registry entries in the Software key, but like nearly all software that you install :)

    I hope this can be useful to answer your question ;)
     

  13. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    The files
    msxml4r.dll
    msxml4a.dll
    msxml4.dll

    are Windows components that belong to the XML parser.
     
  14. AH786

    AH786 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    17
    Thank you Jeff and everyone else.

    Seems that it acts the same way as it did for Jeff. I was under the impression that it would install DLLs and executables; this was not the case.
     
  15. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    That's the difference between installing SpySheriff and having a Trojan doing it for you.

    Many people mistake the (Zlob) Trojan's actions for those of SpySheriff itself.

    Things get interesting when you register SpySheriff - the false alarms will be gone. Things get really interesting when you do a scan and find out that it can actually detect some malware.

    No, I'm not kidding. My VirusBulletin presentation last year was on this topic.
     
  16. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    So Spy Sheriff just tells a user they have malware, just to get them to purchase it ...

    Then when registered, it works as a normal product? *lol*

    What's its detection rate like when compared to similar products? :shifty:
     
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey, it's like Spyware Doctor then: they have FPs in the scan but no clean version, but when you buy it, it then works like a proper scanner and detects real nasties.
    lodore
     