
Spyware Detail

PSGuard

Date Published:
Tuesday, September 13, 2005

Threat Assessment

Overall Risk: High
Privacy: Medium
Productivity: Medium
System Integrity: Medium

Description


Summary

PSGuard uses a rootkit technique to protect the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD, together with its child keys and values. It does this by exploiting a difference between the Win32 API and the Native API in the way key names are described.

SysInternals, well known for their rootkit research, give an explanation and sample source at http://www.sysinternals.com/information/tipsandtrivia.html; read the section about hidden Registry keys.

Here is some of the text from that page:

Hidden Registry Keys?

A subtle but significant difference between the Win32 API and the Native API (see Inside the Native API for more information on this largely undocumented interface) is the way that names are described. In the Win32 API strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API, but that cannot be described using the Win32 API.

How is this possible? The answer is that a name which is a counted Unicode string can explicitly include NULL characters (0) as part of the name. For example, "Key\0". To include the NULL at the end, the length of the Unicode string is specified as 4. There is absolutely no way to specify this name using the Win32 API, since if "Key\0" is passed as a name, the API will determine that the name is "Key" (3 characters in length) because the "\0" indicates the end of the name.

PSGuard is closely related to AlphaCleaner, which purports to be an anti-virus/anti-spyware program that helps users clean and block trojans and viruses. In reality, during testing it force-installed over 250 files and hijacked the system's desktop to scare the user into believing the system was infected with spyware. It also opened alert boxes mimicking those Microsoft uses to inform users about security problems with their system. The hijacked desktop carried a hyperlink to 'top anti-virus programs', a page that presented itself as an analysis of the best products; when the listed binaries were inspected, all of the programs appeared to have been written by the same group. Related products include SpyAxe, SpyFalcon, XSRemover, SpyContra, 1stAntiVirus, WorldAntiSpy and others.
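The mechanism SysInternals describes, reduced to a portable C model so that it can be run anywhere. This is an added example, not code from the original page, from SysInternals or from CA: the counted_str and sim_key types, the native_open and win32_open lookups and the sample subkey list are stand-ins for the real NtOpenKey and RegOpenKeyExW calls and for the real registry, and the two key names are constructed for the demonstration. The scanner check at the end, flagging every name that contains a NUL character, is the same test a Native API based tool would apply to the names NtEnumerateKey returns on Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counted 16-bit string, modelled on the Native API's UNICODE_STRING:
 * Length counts bytes and the buffer need not be NUL-terminated, so a
 * name may legitimately contain U+0000 characters. */
typedef struct {
    uint16_t length;          /* bytes in use */
    const uint16_t *buffer;
} counted_str;

/* One simulated subkey: a stand-in for a registry key, not real data. */
typedef struct {
    counted_str name;
} sim_key;

/* Exact comparison of counted names, embedded NULs included. */
static int counted_equal(counted_str a, counted_str b)
{
    return a.length == b.length && memcmp(a.buffer, b.buffer, a.length) == 0;
}

/* Native-API-style open: the caller hands over the complete counted name,
 * as NtOpenKey receives it inside OBJECT_ATTRIBUTES. */
static const sim_key *native_open(const sim_key *keys, size_t n, counted_str name)
{
    for (size_t i = 0; i < n; i++)
        if (counted_equal(keys[i].name, name))
            return &keys[i];
    return NULL;
}

/* Win32-style open: the name arrives NUL-terminated, so its length must be
 * derived by scanning to the first 0, as RegOpenKeyExW does before it builds
 * the UNICODE_STRING it passes down. Everything after that 0 is invisible. */
static const sim_key *win32_open(const sim_key *keys, size_t n, const uint16_t *zname)
{
    size_t chars = 0;
    while (zname[chars] != 0)
        chars++;
    counted_str name = { (uint16_t)(chars * sizeof(uint16_t)), zname };
    return native_open(keys, n, name);
}

/* Detection check: a counted name containing a NUL character can be neither
 * created nor opened through the Win32 API, so an honest program has no
 * reason to produce one. */
static int name_is_win32_unreachable(counted_str name)
{
    size_t chars = name.length / sizeof(uint16_t);
    for (size_t i = 0; i < chars; i++)
        if (name.buffer[i] == 0)
            return 1;
    return 0;
}

/* Scanner pass: how many subkeys would Win32-based tools fail to show? */
int count_win32_unreachable(const sim_key *keys, size_t n)
{
    int hidden = 0;
    for (size_t i = 0; i < n; i++)
        hidden += name_is_win32_unreachable(keys[i].name);
    return hidden;
}

/* Constructed sample: one ordinary subkey and one named "Key\0", four
 * characters including the NUL, exactly the case the SysInternals text uses. */
static const uint16_t NAME_RUN[]    = { 'R', 'u', 'n', 0 };
static const uint16_t NAME_HIDDEN[] = { 'K', 'e', 'y', 0 };
static const sim_key SAMPLE_KEYS[] = {
    { { 3 * sizeof(uint16_t), NAME_RUN } },     /* "Run"   */
    { { 4 * sizeof(uint16_t), NAME_HIDDEN } },  /* "Key\0" */
};
#define SAMPLE_COUNT (sizeof SAMPLE_KEYS / sizeof SAMPLE_KEYS[0])

/* A Native API caller who states the length as 4 reaches the hidden key. */
int native_finds_hidden(void)
{
    counted_str name = { 4 * sizeof(uint16_t), NAME_HIDDEN };
    return native_open(SAMPLE_KEYS, SAMPLE_COUNT, name) != NULL;
}

/* A Win32 caller passing the very same buffer sees "Key" (3 chars) and fails. */
int win32_misses_hidden(void)
{
    return win32_open(SAMPLE_KEYS, SAMPLE_COUNT, NAME_HIDDEN) == NULL;
}

/* Ordinary names behave identically under both interfaces. */
int win32_finds_ordinary(void)
{
    return win32_open(SAMPLE_KEYS, SAMPLE_COUNT, NAME_RUN) != NULL;
}

int main(void)
{
    printf("native open of \"Key\\0\": %s\n", native_finds_hidden() ? "found" : "not found");
    printf("win32 open of \"Key\\0\":  %s\n", win32_misses_hidden() ? "not found" : "found");
    printf("win32 open of \"Run\":    %s\n", win32_finds_ordinary() ? "found" : "not found");
    printf("subkeys unreachable from Win32: %d\n", count_win32_unreachable(SAMPLE_KEYS, SAMPLE_COUNT));
    return 0;
}
```

Built with any C99 compiler, the counted lookup finds "Key\0", the Win32-style lookup stops at the NUL and reports no such key, and the scan counts exactly one name the Win32 API cannot reach. The practical consequence for cleanup is the same as on the real system: a key protected this way has to be enumerated and removed by a tool that speaks the Native API with counted names, because Win32-based registry editors never see the full name.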

Category

Trojan:  Any program with a hidden intent. Trojans are one of the leading ways machines are broken into. If you pull down a program from a chat room, a newsgroup, or unsolicited e-mail, the program is likely trojaned with some subversive purpose. The word Trojan can also be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be written to accept a certain password for any user's account, which the attacker can then use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.



Immediate Protection Info

DAT Release   Product                 DAT Version (MM DD YYYY)
Original      eTrust PestPatrol v5    09 15 2005
              eTrust PestPatrol v8    09 15 2005
              CA Antispyware v9       09 15 2005
              eTrust PestPatrol v4    09 15 2005
              CA Antispyware v9       02 17 2009
Latest        eTrust PestPatrol v5    07 09 2009
              eTrust PestPatrol v8    07 09 2009
              eTrust PestPatrol v4    01 11 2007
              CA Antispyware v9       11 09 2009


CA Global Security Advisor