Rogue:W32/SpyGuard

Classification

Malware

Rogue

W32

Rogue:W32/SpyGuard, Rogue:W32/spyguard.gen!a, Trojan:ÃƒÆ’Ã†â€™Ãƒâ€ Ã¢â‚¬â„¢ÃƒÆ’Ã¢â‚¬Å¡Ãƒâ€šÃ‚Â¢ÃƒÆ’Ã†â€™Ãƒâ€šÃ‚Â¢ÃƒÆ’Ã‚Â¢ÃƒÂ¢Ã¢â‚¬Å¡Ã‚Â¬Ãƒâ€¦Ã‚Â¡ÃƒÆ’Ã¢â‚¬Å¡Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã†â€™Ãƒâ€šÃ‚Â¢ÃƒÆ’Ã‚Â¢ÃƒÂ¢Ã¢â€šÂ¬Ã…Â¡Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã¢â‚¬Å¡Ãƒâ€šÃ‚Â¹Win32/FakeSpyGuard (Microsoft)

Summary

Dishonest antivirus or antispyware software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

Check for the latest database updates

First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample

After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning

If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

Note: You need administrative rights to change the settings.

Technical Details

Rogue:W32/Spyguard is a typical rogueware family. Member of this family pose as a legitimate antivirus or antispyware application, usually by copying the name and/or looks of a legitimate application.Variants in the Spyguard family are also detected with the Generic Detection, Rogue:W32/Spyguard.gen!A.

Activity

Once installed, this program scans the computer system. It then displays fake alert messages indicating the system has been compromised. To fully use the product and/or to enable its disinfection functionality, the user is required to purchase a license. A message notifying the user of the 'infections' will also frequently pop up from the System Tray.

Installation

A typical installation from this rogueware family installs component files in:

%Program Files%\ [Name of Application]

Where [Name of Application] is the name of the legitimate program that the rogueware is pretending to be, for example, Spyware Guard or System Guard.At the same time, the following files are installed in %WinDir%:

reged.exe
spoolsystem.exe
sys.com
syscert.exe
sysexplorer.exe
vmreg.dll

These files are usually backups of clean system files. A file named winscenter.exe is also saved in the %System% folder.Malicious components are then installed in :

%allusers%\Application Data\Microsoft\Internet Explorer\Dlls

Registry

A typical installation from this rogueware family will add the following registry key:

HKEY_LOCAL_MACHINE\Software\Spyware Guard