Published Sep 12, 2006 | Updated Jul 11, 2017
Rogue:Win32/SpySheriff
Detected by Microsoft Defender Antivirus
Aliases:
Win32.TrojanDownloader.IEDefender (Ad-Aware)
MagicAntiSpy (Sunbelt Software)
Adware.SpySheriff (Symantec)
SpyShredder (Symantec)
IEDefender (other)
Malware Destructor (other)
SpySheriff (other)
SpyShredder (other)
Zinaps7 (other)
Zinaps 2008 (other)
BraveSentry (other)
DiaRemover (other)
MalwareAlarm (other)
Mr. Antispy (other)
PestTrap (other)
PestWiper (other)
SpyTrooper (other)
SpyDemolisher (other)
SpyMarshal (other)
Summary
SpySheriff may be installed without user consent, and may then display a dialog box suggesting malware has been found, and prompting the user to buy software to remove the malware that doesn't exist. SpySheriff may download and install program updates without notifying the user.
What to do now
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
Technical information
Threat behavior
Installation
SpySheriff might have different product names, including but not limited to:
BraveSentry
DiaRemover
MalwareAlarm
Mr. Antispy
PestTrap
PestWiper
SpyDemolisher
SpyMarshal
SpyShredder
SpyTrooper
Zinaps2008
Zinaps7
It makes the following changes, based on what product name it uses:
BraveSentry
Drops the following files under %ProgramFiles%\BraveSentry:
bravesentry.exe
bravesentry.lic
bravesentry0.bs
bravesentry1.bs
bravesentry0.dll
bravesentry1.dll
bravesentry2.dll
bravesentry3.dll
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\BraveSentry
HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\BraveSentry
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "BraveSentry "
Adds a BraveSentry shortcut on your desktop, and under <start menu> > All Programs > BraveSentry
DiaRemover
Drops the following files under %ProgramFiles%\DiaRemover:
base001.avd
base.avd
Diaremover.dvm
DiaRemover.exe
found.wav
heur000.dll
heur001.dll
heur002.dll
IESecurity.dll
notfound.wav
ProcMon.dll
removed.wav
Uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\DiaRemover
HKCU\Software\SNO
HKLM\Software\Microsoft\Windows\currentversion\uninstall\DiaRemover
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "DiaRemover "
Adds a DiaRemover shortcut on your desktop, and under <start menu> > All Programs > DiaRemover
MalwareAlarm
Drops the following files under %ProgramFiles%\MalwareAlarm:
malwarealarm.exe
malwarealarm.lic
malwarealarm0.dll
malwarealarm1.dll
malwarealarm2.dll
malwarealarm3.dll
malwarealarm0.ma
malwarealarm1.ma
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\MalwareAlarm
HKCU\Software\BraveSentry
HKLM\Software\Microsoft\Windows\currentversion\uninstall\MalwareAlarm
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MalwareAlarm "
Adds a MalwareAlarm shortcut on your desktop, and under <start menu> > All Programs > MalwareAlarm
Mr AntiSpy
Drops the following files under %ProgramFiles%\MrAntispy:
MrAntispy0.dll
MrAntispy0.ms
MrAntispy1.dll
MrAntispy1.ms
MrAntispy2.dll
MrAntispy3.dll
MrAntispy.exe
MrAntispy.lic
MrAntispy.ms
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\MrAntispy
HKLM\Software\Microsoft\Windows\currentversion\uninstall\MrAntispy
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MrAntispy "
Adds a MrAntispy shortcut on your desktop, and under <start menu> > All Programs > MrAntispy
PestTrap
Drops the following files under %ProgramFiles%\PestTrap:
base001.avd
base002.avd
base.avd
found.wav
heur000.dll
heur001.dll
heur002.dll
heur003.dll
notfound.wav
removed.wav
PestTrap.dvm
PestTrap.exe
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\PestTrap
HKLM\Software\Microsoft\Windows\currentversion\uninstall\Pest Trap
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "PestTrap "
Adds a PestTrap shortcut on your desktop, and under <start menu> > All Programs > PestTrap
PestWiper
Drops the following files under %ProgramFiles%\PestWiper:
base001.avd
base002.avd
base.avd
found.wav
heur000.dll
heur001.dll
heur002.dll
heur003.dll
notfound.wav
removed.wav
PestWiper.dvm
PestWiper.exe
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\PestWiper
HKLM\Software\Microsoft\Windows\currentversion\uninstall\Pest Wiper
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "PestWiper "
Adds a PestWiper shortcut on your desktop, and under <start menu> > All Programs > PestWiper
SpyMarshal
Drops the following files under %ProgramFiles%\SpyMarshal:
SpyMarshal0.dll
SpyMarshal0.sm
SpyMarshal1.dll
SpyMarshal1.sm
SpyMarshal2.dll
SpyMarshal3.dll
SpyMarshal.exe
SpyMarshal.lic
Uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\SpyMarshal
HKLM\Software\Microsoft\Windows\currentversion\uninstall\SpyMarshal
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "SpyMarshal "
Adds a SpyMarshal shortcut on your desktop, and under <start menu> > All Programs > SpyMarshal
SpySheriff
Drops the following files under %ProgramFiles%\SpySheriff:
base001.avd
base002.avd
base.avd
found.wav
heur000.dll
heur001.dll
heur002.dll
heur003.dll
notfound.wav
removed.wav
SpySheriff.dvm
SpySheriff.exe
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\SpySheriff
HKLM\Software\Microsoft\Windows\currentversion\uninstall\SpySheriff
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "SpySheriff "
Adds a SpySheriff shortcut on your desktop, and under <start menu> > All Programs > SpySheriff
SpyTrooper
Drops the following files under %ProgramFiles%\SpyTrooper:
base001.avd
base002.avd
base.avd
found.wav
heur000.dll
heur001.dll
heur002.dll
heur003.dll
notfound.wav
removed.wav
SpyTrooper.dvm
SpyTrooper.exe
uninstall.exe
Changes the registry to include the following:
Adds subkeys:
HKCU\Software\SpyTrooper
HKLM\Software\Microsoft\Windows\currentversion\uninstall\SpyTrooper
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "SpyTrooper "
Adds a SpyTrooper shortcut on your desktop, and under <start menu> > All Programs > SpyTrooper
Zinaps7
Drops the following files under %AppData%\ \Zinaps7 :
Changes the registry to include the following:
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Zinaps7 "
Adds these shortcut files under <start menu> > All Programs > Zinaps7:
Uninstall Zinaps Anti-Spyware 7.lnk
Zinaps Anti-Spyware 7.lnk
Zinaps2008
Drops the following files under %AppData%\ \Zinaps2008 :
Changes the registry to include the following:
Adds entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Zinaps2008 "
Adds these shortcut files under <start menu> > All Programs > Zinaps2008:
Uninstall Zinaps Anti-Spyware 2008.lnk
Zinaps Anti-Spyware 2008.lnk
Analysis by Aaron Hulett
Prevention
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of a program with any of these names:
BraveSentry
DiaRemover
MalwareAlarm
Mr. Antispy
PestTrap
PestWiper
SpyDemolisher
SpyMarshal
SpyShredder
SpyTrooper
Zinaps2008
Zinaps7
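A read-only PowerShell check for the artifacts listed in the Installation section, added here as an example (it is not Microsoft's code, and the function name Get-SpySheriffArtifact is hypothetical). It looks for the Run values, the %ProgramFiles% folders and the registry subkeys named on this page; checking Program Files (x86) and WOW6432Node as well is an added assumption for 64-bit Windows, where 32-bit programs are redirected to those locations.

```powershell
# Product names that this page lists with a %ProgramFiles% folder and an HKCU\Software subkey.
$products = 'BraveSentry','DiaRemover','MalwareAlarm','MrAntispy','PestTrap',
            'PestWiper','SpyMarshal','SpySheriff','SpyTrooper'
# The Zinaps variants are checked by Run value only: the page's %AppData% path is incomplete.
$runNames = $products + @('Zinaps7','Zinaps2008')
# The page writes two of the Uninstall subkeys with a space in the name.
$uninstallNames = $products + @('Pest Trap','Pest Wiper')

function Get-SpySheriffArtifact {
    # 1. Autostart values under the current user's Run key.
    $run = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($value in $run.GetValueNames()) {
            # The page prints the value names with a trailing space, so compare trimmed names.
            if ($runNames -contains $value.Trim()) {
                [pscustomobject]@{ Type = 'RunValue'; Item = "$($run.Name)\$value"; Data = $run.GetValue($value) }
            }
        }
    }

    # 2. Install folders (assumption: also look in the 32-bit Program Files root).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($name in $products) {
            $dir = Join-Path $root $name
            if (Test-Path -LiteralPath $dir -PathType Container) {
                $files = (Get-ChildItem -LiteralPath $dir -Name) -join ', '
                [pscustomobject]@{ Type = 'InstallDir'; Item = $dir; Data = $files }
            }
        }
    }

    # 3. Registry subkeys (assumption: also look under WOW6432Node).
    $keys = @($products | ForEach-Object { "HKCU:\Software\$_" })
    foreach ($hive in 'HKLM:\Software', 'HKLM:\Software\WOW6432Node') {
        $keys += $uninstallNames | ForEach-Object { "$hive\Microsoft\Windows\CurrentVersion\Uninstall\$_" }
    }
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Data = $null }
        }
    }
}

Get-SpySheriffArtifact | Format-Table -AutoSize -Wrap
```

HKCU is per user, so run the check in each affected user's session. A matching folder or key name is a lead for a full scan, not proof of infection.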