Date discovered: 17/02/2006
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 29.696 Bytes
MD5 checksum: a5a84ed083f9cb0A46369c044eecab73
VDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Mcafee: Downloader-AFH
   • Kaspersky:
   • Sophos: Troj/Spywad-AE
   • Bitdefender: Trojan.FakeAlert.SpySheriff.A

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a file
   • Drops files
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following location:
   • C:\winstall.exe

The following files are created:

– Non malicious files:
   • C:\Program Files\SpySheriff\base.avd
   • C:\Program Files\SpySheriff\base001.avd
   • C:\Program Files\SpySheriff\base002.avd
   • C:\Program Files\SpySheriff\found.wav
   • C:\Program Files\SpySheriff\heur000.dll
   • C:\Program Files\SpySheriff\heur001.dll
   • C:\Program Files\SpySheriff\heur002.dll
   • C:\Program Files\SpySheriff\heur003.dll
   • C:\Program Files\SpySheriff\notfound.wav
   • C:\Program Files\SpySheriff\removed.wav
   • C:\Program Files\SpySheriff\SpySheriff.dvm
   • C:\Program Files\SpySheriff\SpySheriff.exe
   • C:\Program Files\SpySheriff\Uninstall.exe

It tries to download a file:

– The location is the following:
It is saved on the local hard drive under: %APPDATA%\Install.dat

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows installer"="C:\winstall.exe"
   • "pro" = "%malware execution directory%\%executed file%"

The value of the following registry key is removed:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • pro

The following registry key including all values and subkeys is removed:
   • [HKCU\SOFTWARE\Install]

The following registry key is added:

   • "Version" = dword:00000000
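A read-only host-triage check for the indicators listed in the Files and Registry sections above. This is an added example, not part of Avira's description; it assumes the paths exactly as listed and compares C:\winstall.exe against the MD5 checksum given at the top of this page.

```powershell
# Added triage script (not from the Avira description). Read-only: reports, changes nothing.
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames    = @('Windows installer', 'pro')           # value names listed in the description
$expectedMd5 = 'a5a84ed083f9cb0a46369c044eecab73'      # MD5 checksum from the top of this page
$paths       = @(
    'C:\winstall.exe',
    (Join-Path $env:APPDATA 'Install.dat'),             # %APPDATA%\Install.dat
    'C:\Program Files\SpySheriff\SpySheriff.exe'
)

$findings = @()

# 1. Persistence: Run-key values by name, or any Run value whose data launches winstall.exe
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if (($runNames -contains $name) -or ($data -match '(?i)\\winstall\.exe')) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$name = $data" }
        }
    }
}

# 2. Dropped or copied files and the SpySheriff program directory
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p }
    }
}
if (Test-Path -LiteralPath 'C:\Program Files\SpySheriff') {
    $findings += [pscustomobject]@{ Type = 'Directory'; Item = 'C:\Program Files\SpySheriff' }
}

# 3. If the copy exists, compare its MD5 with the checksum listed in the description
if (Test-Path -LiteralPath 'C:\winstall.exe') {
    $md5 = (Get-FileHash -LiteralPath 'C:\winstall.exe' -Algorithm MD5).Hash.ToLower()
    $verdict = if ($md5 -eq $expectedMd5) { 'matches description' } else { 'differs (variant or unrelated file)' }
    $findings += [pscustomobject]@{ Type = 'MD5'; Item = "C:\winstall.exe $md5 ($verdict)" }
}

if ($findings.Count -eq 0) { 'No indicators from this description were found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the "pro" Run value is only meaningful together with the other indicators, since the name is generic and the description itself notes the value is also removed again.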

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Wednesday, March 1, 2006
Description updated by Daniel Constantin on Wednesday, March 1, 2006
