Full Version: Sunshinespy Brings No Warmth To Your Computer
BleepingComputer.com > General Topics > News
Grinler
A new rogue anti-spyware program has been released called SunshineSpy. Typically, when a rogue is released it is bundled with malware that does the dirty job of changing your desktop to a fake infection warning, showing fake security alerts, installing rootkits to hide it, and changing other system settings. Bold, brazen, and selfish SunshineSpy, on the other hand, decided to just forget about all the other malware and do it all itself.

Once you run the software, SunShineSpy will start listing programs on your computer that are infected. The catch is that these programs are actually legitimate files. For example, the highlighted file above, C:\Windows\System32\blackbox.dll, is a file associated with Microsoft's Digital Rights Management system. It is a perfectly legitimate file found in Windows.

SunShineSpy also utilizes a rootkit to hide the program's process. When the Sunshine.exe program is launched it will load a rootkit driver called C:\Program Files\SunshineSpy\sunio.sys. This rootkit will hide the Sunshine process so that it cannot be seen from the Windows Task Manager, or other process enumerators, yet the actual file can still be seen.

Furthermore, once you let the program run for a while, sunshinespy.exe will change your desktop to one of the following HTML pages.

[screenshot: first fake-warning desktop page]

or

[screenshot: second fake-warning desktop page]

The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.

In Sophos' write-up they state that this program will also cripple your computer by not allowing you to run any other programs. In our testing we did not see this happening and could easily uninstall it via the Add or Remove Programs control panel and a reboot.

This is definitely one of the more bizarre rogue anti-spyware programs we have researched in a while, but still one to stay away from.

Author's Update 11/6/07: It appears that the program now does not automatically uninstall on reboot, but instead launches the SunShineSpy program. It does, though, appear to be using a rootkit. Uninstalling the program from Add or Remove Programs will stop the program from starting up, but you will still need to manually fix your desktop, delete the files, and the service. For help with this, I would advise asking in our forums. - Thanks Leurgy for the prompt retest.
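The write-up above lists the artifacts this rogue leaves behind: files under C:\Program Files\SunshineSpy (Sunshine.exe, sunshinespy.exe, the sunio.sys rootkit driver and UNWISE.EXE), Startup-folder shortcuts pointing at UNWISE.EXE, and a desktop replaced with an HTML page. Because the post says the driver hides the running process from Task Manager and other process enumerators, a check that relies on the process list is unreliable; the script below is an added example (not code from the post or from BleepingComputer) that instead inventories the on-disk, shortcut, driver-registration and wallpaper artifacts. Assumptions beyond the page: the driver's service name "sunio" is a guess, and the Wallpaper value under HKCU:\Control Panel\Desktop is only a hint that the desktop was swapped.

```powershell
# Added example, not from the original post. Inventories the SunshineSpy
# artifacts described in the write-up without trusting the process list,
# since the post says sunio.sys hides the running process.

function Find-SunshineSpyIndicators {
    [CmdletBinding()]
    param(
        # Install directory quoted in the post
        [string]$InstallDir = 'C:\Program Files\SunshineSpy'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Files named in the post; the rootkit hides the process, not the file
    foreach ($name in 'Sunshine.exe', 'sunshinespy.exe', 'sunio.sys', 'UNWISE.EXE') {
        $p = Join-Path $InstallDir $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p }
    }

    # 2. Startup-folder shortcuts (per-user and all-users) whose target is in InstallDir.
    #    The post names two such entries, "SunshineSpy" and "Uninstall", both -> UNWISE.EXE.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($target -like "$InstallDir*") {
                Add-Finding 'StartupEntry' "$($_.Name) -> $target"
            }
        }
    }

    # 3. Kernel driver registered from InstallDir (the rootkit component).
    #    Assumption: the service name 'sunio' matches the file name; the path match
    #    is the reliable part.
    Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like "*$InstallDir*" -or $_.Name -eq 'sunio' } |
        ForEach-Object { Add-Finding 'Driver' "$($_.Name) state=$($_.State) path=$($_.PathName)" }

    # 4. Wallpaper pointing at an HTML file or into InstallDir.
    #    Assumption: the replaced desktop shows up in this standard value.
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and ($wp -match '\.html?$' -or $wp -like "$InstallDir*")) {
        Add-Finding 'Wallpaper' $wp
    }

    return $findings
}

# Usage: list whatever indicators are present on this machine (empty output = none found)
Find-SunshineSpyIndicators | Format-Table -AutoSize
```

Each finding is returned as an object rather than printed, so the same function can feed a ticket, a log line, or a cleanup step that removes the shortcuts and the driver service the update above says are left behind after Add or Remove Programs runs.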
thewall
QUOTE
The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.

Although malware is never really funny, for some reason this struck me as being hilarious.
tuxmaster
My only response is: huh.
DarkNight
Malware is terrible to get, but this is the world's weirdest rogue anti-spyware software ever. I mean, it asks you to uninstall it, lol.
sumthingxtreme
Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.
david28
LOL

I think that the warning pop-ups that come with these programs just look wrong. I mean, the GUI of all of these programs is good, but those pop-up messages are just really out of place and look like they were created with Paint, making it easier for the average home user to pick up that it is fake.

Regards,
David.
ruby1
QUOTE(sumthingxtreme @ Mar 6 2008, 09:10 AM)
Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.

Hi, if you need help on a problem, maybe start your own thread in http://www.bleepingcomputer.com/forums/forum64.html

and tell us your Windows version, your antivirus protection and other protection programs you have on board, and what problems you are having with what, and we can see how we can help.