Threat Description

Rogue: ​W32/SpywareSheriff

Details

Category: Malware
Type: Rogue
Platform: W32
Aliases: Rogue:​W32/SpywareSheriff, Rogue:​W32/SpywareSheriff

Summary


Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Rogue:W32/SpywareSheriff is an rogue antispyware application that uses false and/or misleading scan results and questionable interface design to push the user into purchasing a license. In some cases, Spywaresheriff is advertised by a trojan with a hoax message that the system is unsafe. The trojan, detected as not-virus:Hoax.Win32.VB.l, does not install the antispyware application but simply generates a message that the system is unsafe:

Clicking on the message displayed above will open the computer's web browser to a page from which SpywareSheriff can be downloaded. It is also possible to find, download and install this application without being pushed by a trojan. Search engine results can also lead to the discovery of spywaresheriff.com and a user can decide to install it on their own. The scan results however, will still contain false positives.

Activity

Once installed, SpywareSheriff starts automatically during the boot process and performs a scan for spyware. It then displays the fake results of the scan, saying that the system is infected, as seen in the screenshots below:

The message above was generated on a previously clean system image. Note that the third item listed is telnet.exe, a Microsoft application installed with the Windows Operating System. The first and second items listed in this example are the trojan malware referred to above. The only simple way to close the application is to register for the license, and the license is required for any cleaning of supposedly detected malware. The SpywareSheriff antispyware application itself is not necessarily harmful to the user's computer.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More