Home / malware Rogue:W32/SpyGuard
First posted on 19 October 2009.
Source: SecurityHomeAliases :
Rogue:W32/SpyGuard is also known as Trojan:Win32/FakeSpyGuard (Microsoft).
Explanation :
Dishonest antivirus or antispyware software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.
Additional DetailsRogue:W32/Spyguard is a typical rogueware family. Member of this family pose as a legitimate antivirus or antispyware application, usually by copying the name and/or looks of a legitimate application.
Variants in the Spyguard family are also detected with the Generic Detection, Rogue:w32/Spyguard.gen!A.
Activity
Once installed, this program scans the computer system. It then displays fake alert messages indicating the system has been compromised. To fully use the product and/or to enable its disinfection functionality, the user is required to purchase a license.
A message notifying the user of the 'infections' will also frequently pop up from the System Tray.
Installation
A typical installation from this rogueware family installs component files in:
  • %Program Files% [Name of Application]
Where [Name of Application] is the name of the legitimate program that the rogueware is pretending to be, for example, Spyware Guard or System Guard.
At the same time, the following files are installed in %WinDir%:
  • reged.exe   • spoolsystem.exe   • sys.com   • syscert.exe   • sysexplorer.exe   • vmreg.dll
These files are usually backups of clean system files. A file named winscenter.exe is also saved in the %System% folder.
Malicious components are then installed in :
  • %allusers%Application DataMicrosoftInternet ExplorerDlls
Registry
A typical installation from this rogueware family will add the following registry key:
  • HKEY_LOCAL_MACHINESoftwareSpyware GuardLast update 19 October 2009
