#1
I've now had two friends get nailed with this Spy Sheriff rogue anti-spyware app. I've managed to clean up the infections for these folks (and there are several resources out there on the net to help with that), but what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of mine is a person that's generally careful and does all the stuff you're supposed to do to use Windows semi-safely (not use IE or OE; he uses Mozilla v1.7.8 to surf and read email, has XP SP2 with Windows Update enabled, knows not to click on things in emails, keeps the antivirus scanner updated religiously, periodically scans with Ad-Aware SE, etc.), yet he STILL got infected. The only thing he does that I don't recommend is that he does have an AOL account and runs their stuff periodically to connect to them. Software is AOL 9.0, AOL 16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are picking this up?

For those who haven't seen it, it's a tricky friggin' program apparently. It somehow gets installed, and then pops up telling you it's detected all sorts of malware and offers to clean it up, but then stonewalls the (typical) user from doing anything else with their computer until they register the software and pony up their money.

As in:
http://elamb.blogharbor.com/hacked/removespysheriff.htm

Helpful in cleanup:
http://www.bullguard.com/forum/12/Sp...elp_25398.html

Best Regards,
--
Todd H.
http://www.toddh.net/

#2
"Todd H." <comphelp@toddh.net> wrote in message news:847j9j17qe.fsf@ripco.com...
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app.
> [...]
> "Where/how are people getting this?"
> [...]
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?

Your friend could run System Restore and look at the checkpoints saved therein. If it triggered due to an install, it lists what triggered it. He might see whatever he installed a while back. Your friend should also get accustomed to saving a checkpoint before performing an install and noting why he created the checkpoint.

Your friend probably got it from something else he installed; i.e., it was bundled in something else.

Your friend should also reconfigure their browser to prompt for ActiveX downloads so he/she knows when some site is trying to push one onto their computer. AX is another method of delivery for this rogueware.

--
** Post replies to the newsgroup. Share with others. **
For e-mail, remove "NIX" and append "#VC811" to Subject.

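The "prompt for ActiveX downloads" advice above lives in the Internet Explorer security-zone registry values, which is where a careless "make the site work" tweak silently loosens it again. The following is an added example, not code from this thread or from any poster: it parses a `reg export` of the Internet zone key (zone 3), reports which ActiveX URL-action values are set looser than the level this example recommends, and emits a `.reg` fragment that puts them back. The value codes (1001, 1004, 1200, 1201) and the level encoding (0 = Enable, 1 = Prompt, 3 = Disable) are the documented IE ones; the "recommended" levels and the sample export are this example's own choices.

```python
# Added example (not code from this thread): audit the Internet-zone ActiveX
# settings from a `reg export` of the zone key and emit the corrected fragment.
# Value names are the IE URL-action codes for zone 3 (Internet); 0 = Enable,
# 1 = Prompt, 3 = Disable. The .reg text below is constructed for the demo,
# and the RECOMMENDED levels are this example's choice, not the thread's.
import re

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
LEVEL_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Tightest sensible level per action: unsigned/unsafe never, the rest prompt.
RECOMMENDED = {"1001": 1, "1004": 3, "1200": 1, "1201": 3}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            values.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[current][m.group(1)] = int(m.group(2), 16)
    return values


def audit_activex(values, key=ZONE3_KEY):
    """List (code, description, current_level, recommended_level) for every
    ActiveX action set looser than RECOMMENDED in the given zone key."""
    zone = values.get(key, {})
    findings = []
    for code, description in ACTIVEX_ACTIONS.items():
        level = zone.get(code)
        if level is None:
            continue  # absent from the export; IE uses its built-in zone default
        if level < RECOMMENDED[code]:
            findings.append((code, description,
                             LEVEL_NAME.get(level, str(level)),
                             LEVEL_NAME[RECOMMENDED[code]]))
    return findings


def hardened_reg(findings, key=ZONE3_KEY):
    """A .reg fragment that applies the recommended level for every finding."""
    name_to_level = {v: k for k, v in LEVEL_NAME.items()}
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for code, _, _, recommended in findings:
        lines.append(f'"{code}"=dword:{name_to_level[recommended]:08x}')
    return "\n".join(lines) + "\n"


# Constructed export of a loosened Internet zone: everything set to Enable
# except 1201, which is still at its Disable default.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"""

if __name__ == "__main__":
    found = audit_activex(parse_reg_export(SAMPLE_EXPORT))
    for code, description, current, recommended in found:
        print(f"{code} {description}: {current} -> {recommended}")
    print(hardened_reg(found))
```

On a real machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces the input; the emitted fragment is applied with `reg import`. Values missing from the export are skipped rather than assumed, because IE then applies the zone's built-in default, which this script does not try to reproduce.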
#3
Some people get it from going to porn sites and looking at the free stuff.

"Todd H." <comphelp@toddh.net> wrote in message news:847j9j17qe.fsf@ripco.com...
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app.
> [...]
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?
> [...]

#4
comphelp@toddh.net AKA Todd H. on 1/2/2006 in <847j9j17qe.fsf@ripco.com>, after much thought, came up with this jewel:
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app.
> [...]
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff you're
> supposed to do to use Windows semi-safely (not use IE or OE; he uses
> Mozilla v1.7.8 to surf and read email, has XP SP2 with Windows Update
> enabled, knows not to click on things in emails, keeps the antivirus
> scanner updated religiously, periodically scans with Ad-Aware SE, etc.),
> yet he STILL got infected.
> [...]

******************Reply Separator*************************

You did not mention any real-time scanning anti-spyware programs that your friend uses.

I have written some pages to help you.

Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs: http://home.neo.rr.com/manna4u/forum...this_logs.html

max
--
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is set up specifically for use in USENET;
feel free to use it yourself.
Registered Linux User #393236

#5
I appreciate the responses thus far, and the posters who've taken the time to make them. If possible though, I'd like to refocus the question:

What are examples of specific web sites with specific exploits in place that endeavor to install Spy Sheriff?

I'm trying to figure out which unpatched application is the vulnerability by which this nasty manages to get installed by a user of the Mozilla (suite) browser or AOL web browsers under a WinXP SP2 platform.

In short, has anyone out there done a full malware analysis of the Spy Sheriff installer, and where it's found out there in the wild?

I realize this may be a tall order, but this particular bit of spyware is particularly intriguing to me because it's so pernicious.

Best Regards,
--
Todd H.
http://www.toddh.net/

#6
comphelp@toddh.net (Todd H.) wrote:
|> I appreciate the responses thus far, and the posters who've taken the
|> time to make them. If possible though, I'd like to refocus the
|> question:
|>
|> What are examples of specific web sites with specific exploits in
|> place that endeavor to install Spy Sheriff?

Anything downloaded (linked) from this site http://www.astalavista.us/ will come in a Zip file with a file called START.EXE, which is whatever the flavor of the month is.

I wanted to test for this post; I linked to a site from there:
http://www.XXXXXXandr.net/sn/?l=n&pn=8
This tries the WMF exploit (remove X's to test).

Other links hit me with worms, viruses and other malware. I got so tired of dodging attacks I never did download a zip file.

|> I'm trying to figure out which unpatched application is the
|> vulnerability by which this nasty manages to get installed by a user of
|> the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
|> platform.
|>
|> In short, has anyone out there done a full malware analysis of the
|> Spy Sheriff installer, and where it's found out there in the wild?
|> [...]

--
http://media.putfile.com/PurePwnage-WoWisafeeling

#7
Todd H. wrote:
> "Where/how are people getting this?"

Neither adware nor spyware, collectively known as scumware, magically install themselves on anyone's computer. They are almost always deliberately installed by the computer's user, as part of some allegedly "free" service or product.

While there are some unscrupulous malware distributors out there, who do attempt to install and exploit malware without consent, the majority of them simply rely upon the intellectual laziness and gullibility of the average consumer, counting on them to quickly click past the EULA in his/her haste to get the latest in "free" cutesy cursors, screensavers, "utilities," and/or wallpapers.

If you were to read the EULAs that accompany most adware and spyware, and to which the computer user must agree before the download/installation of the "screensaver" continues, you'll find that they _do_ have the consumer's permission to do exactly what they're doing. In the overwhelming majority of cases, computer users have no one to blame but themselves.

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH

#8
What about the latest WMF exposure with IE? If I understand it correctly, it requires only the visiting of an infected web site. Here's an interesting FAQ on it:
http://isc.sans.org/diary.php?rss&storyid=994

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message news:O7qUOk6DGHA.516@TK2MSFTNGP15.phx.gbl...
> Todd H. wrote:
>> "Where/how are people getting this?"
>
> Neither adware nor spyware, collectively known as scumware,
> magically install themselves on anyone's computer. They are almost
> always deliberately installed by the computer's user, as part of some
> allegedly "free" service or product.
> [...]

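The WMF exploit raised in this post and in the astalavista report earlier in the thread worked because a WMF image is really a list of GDI drawing records, and one record type, META_ESCAPE (0x0626) with escape code 9 (SETABORTPROC), was honoured by Windows GDI even when the metafile came from an untrusted web page: GDI registered bytes from the record as a callback and then invoked it, so simply rendering the image ran the attacker's code. No legitimate web image needs that escape, which makes its presence a usable detection. The scanner below is an added example, not code from this thread or from the SANS ISC diary: it parses the record chain, flags SETABORTPROC escapes structurally, and falls back to the raw four-byte pattern (the same one the network IDS rules of the time matched) for files whose record sizes are deliberately bogus. The three sample files are constructed inline; the escape-data bytes in them are filler, not a payload.

```python
# Added example (not code from this thread): detect the META_ESCAPE /
# SETABORTPROC record behind the December 2005 WMF exploit. Sample WMF
# byte strings are constructed below; "A" * 8 is filler, not shellcode.
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
META_EOF = 0x0000
SIGNATURE = b"\x26\x06\x09\x00"  # function 0x0626 then escape 0x0009, little-endian


def strip_placeable_header(data):
    """Drop the placeable header if present; records follow the 18-byte standard header."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:]
    return data


def iter_records(data):
    """Yield (offset, function, params) per record, tolerating a truncated tail."""
    body = strip_placeable_header(data)
    if len(body) < 18:
        raise ValueError("too short for a WMF header")
    mtype, header_words = struct.unpack_from("<HH", body, 0)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off = 18
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            # Bogus record size (exploit files were often mis-sized on
            # purpose): hand back whatever bytes remain and stop.
            yield off, func, body[off + 6:]
            return
        yield off, func, body[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Structural check: (record_offset, declared_bytecount, data_len) per SETABORTPROC escape."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_code, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_code == SETABORTPROC:
                hits.append((off, byte_count, len(params) - 4))
    return hits


def raw_signature_hits(data):
    """Fallback byte-pattern check; returns the offsets of every match."""
    hits, start = [], 0
    while True:
        pos = data.find(SIGNATURE, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def is_suspicious(data):
    """True if either check fires; a header that will not parse falls back to the raw scan."""
    try:
        if find_setabortproc(data):
            return True
    except ValueError:
        pass
    return bool(raw_signature_hits(data))


def record(func, params):
    """Build one WMF record: size in 16-bit words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def header(total_bytes, max_record_words):
    # Type (1 = memory metafile), header size in words (9), version, file size
    # in words, object count, largest record in words, reserved.
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_bytes // 2, 0, max_record_words, 0)


# Constructed samples: a benign file, one carrying SETABORTPROC, and one
# whose escape record lies about its size so a naive walker would miss it.
BENIGN_BODY = record(0x0103, struct.pack("<H", 8)) + record(META_EOF, b"")   # SETMAPMODE + EOF
BENIGN_WMF = header(18 + len(BENIGN_BODY), 4) + BENIGN_BODY

EVIL_BODY = (record(0x0103, struct.pack("<H", 8))
             + record(META_ESCAPE, struct.pack("<HH", 0x0006, 0))              # some other escape
             + record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8)
             + record(META_EOF, b""))
EVIL_WMF = header(18 + len(EVIL_BODY), 9) + EVIL_BODY

TRUNCATED_WMF = (header(0x2000, 0x1000) + record(0x0103, struct.pack("<H", 8))
                 + struct.pack("<IH", 0x1000, META_ESCAPE)                     # claims 8 KiB
                 + struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_WMF), ("evil", EVIL_WMF), ("truncated", TRUNCATED_WMF)]:
        print(name, is_suspicious(sample), find_setabortproc(sample), raw_signature_hits(sample))
```

Run as-is it prints the verdict for the three constructed files; to scan real files, feed `open(path, "rb").read()` to `is_suspicious`. The structural pass is the authoritative one (it tells you which record and how many escape bytes it carries); the raw pattern exists only because exploit files were free to corrupt everything before the escape record, and a scanner that gives up on the first bad size would miss them. The pattern can also appear by chance inside pixel data, so treat a raw-only hit as something to look at, not as proof.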
#9
R. McCarty wrote:
> What about the latest WMF exposure with IE? If I understand it
> correctly, it requires only the visiting of an infected web site.
> Here's an interesting FAQ on it:
> http://isc.sans.org/diary.php?rss&storyid=994

I never claimed that the danger didn't exist, only that it was relatively rare, compared to the malware distributors who rely upon the uninformed or lazy consumer.

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH

#10
I wasn't taking exception to your analysis, just that these jackasses are always looking for new ways to get a toehold on a computer. Build the wall higher and they dig under it. Make it thicker and they use a software trampoline to jump over.

I agree that most malware gets on from bad browsing or download habits. The best security software in the world can't stop the "This is dangerous!", and they go right ahead and click into Poker, Porno and "Freebies". Trying to keep a PC "Safe-&-Secure" takes as much time as you spend actually using the thing. You can teach a PC; unfortunately the user isn't quite as quick a learner.

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message news:eLkOH16DGHA.2292@tk2msftngp13.phx.gbl...
> R. McCarty wrote:
>> What about the latest WMF exposure with IE? If I understand it
>> correctly, it requires only the visiting of an infected web site.
>> [...]
>
> I never claimed that the danger didn't exist, only that it was
> relatively rare, compared to the malware distributors who rely upon the
> uninformed or lazy consumer.
> [...]
