Rogue:W32/SpyGuard

Summary

Dishonest antivirus or antispyware software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Rogue:W32/Spyguard is a typical rogueware family. Member of this family pose as a legitimate antivirus or antispyware application, usually by copying the name and/or looks of a legitimate application.Variants in the Spyguard family are also detected with the Generic Detection, Rogue:w32/Spyguard.gen!A.

Activity

Once installed, this program scans the computer system. It then displays fake alert messages indicating the system has been compromised. To fully use the product and/or to enable its disinfection functionality, the user is required to purchase a license. A message notifying the user of the 'infections' will also frequently pop up from the System Tray.

Installation

A typical installation from this rogueware family installs component files in:

• %Program Files%\ [Name of Application]

Where [Name of Application] is the name of the legitimate program that the rogueware is pretending to be, for example, Spyware Guard or System Guard.At the same time, the following files are installed in %WinDir%:

• reged.exe
• spoolsystem.exe
• sys.com
• syscert.exe
• sysexplorer.exe
• vmreg.dll

These files are usually backups of clean system files. A file named winscenter.exe is also saved in the %System% folder.Malicious components are then installed in :

• %allusers%\Application Data\Microsoft\Internet Explorer\Dlls

Registry

A typical installation from this rogueware family will add the following registry key:

• HKEY_LOCAL_MACHINE\Software\Spyware Guard