A new rogue anti-spyware program has been released called SunshineSpy. Typically, when a rogue is released it is bundled with separate malware that does the dirty work: changing your desktop to a fake infection warning, showing fake security alerts, installing rootkits to hide it, and changing other system settings. Bold, brazen, and selfish, SunshineSpy, on the other hand, decided to forget about all the other malware and do it all itself.
Once you run the software, SunshineSpy will start listing programs on your computer that it claims are infected. The catch is that these programs are actually legitimate files. For example, the highlighted file above, C:\Windows\System32\blackbox.dll, is a file associated with Microsoft's Digital Rights Management system: a perfectly legitimate file found in Windows.
SunshineSpy also utilizes a rootkit to hide the program's process. When the Sunshine.exe program is launched it will load a rootkit driver called C:\Program Files\SunshineSpy\sunio.sys. This rootkit will hide the Sunshine process so that it cannot be seen from the Windows Task Manager or other process enumerators, yet the actual file can still be seen on disk.
Furthermore, once you let the program run for a while, sunshinespy.exe will change your desktop to one of the following HTML pages.
The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.
In Sophos' write-up they state that this program will also cripple your computer by not allowing you to run any other programs. In our testing we did not see this happening and could easily uninstall it via the Add or Remove Programs control panel and a reboot.
This is definitely one of the more bizarre rogue anti-spyware programs we have researched in a while, but still one to stay away from.
Author's update 11/6/07: It appears that the program now does not automatically uninstall on reboot, but instead launches the SunshineSpy program. It does, though, appear to be using a rootkit. Uninstalling the program from Add or Remove Programs will stop the program from starting up, but you will still need to manually fix your desktop, delete the files, and remove the service. For help with this, I would advise asking in our forums. - Thanks Leurgy for the prompt retest.
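As an added example (not code from the original post, from Sophos, or from the rogue itself), here is a PowerShell triage script that checks a machine for the artifacts described above: Startup-folder shortcuts pointing into C:\Program Files\SunshineSpy, the sunio.sys driver on disk or registered as a driver service, an executable present on disk with no visible process, and a desktop wallpaper that is an HTML page. It assumes the main executable is named sunshinespy.exe and that the desktop is set through the wallpaper registry values noted in the comments.

```powershell
# Added triage check for the SunshineSpy artifacts described in the post.
# Paths come from the write-up; the exe name and registry values are assumptions.
# Run from an elevated PowerShell prompt on the suspect machine.

$installDir = 'C:\Program Files\SunshineSpy'
$driverPath = Join-Path $installDir 'sunio.sys'
$exePath    = Join-Path $installDir 'sunshinespy.exe'   # assumed executable name
$findings   = @()

# 1. Startup-folder shortcuts (per-user and all-users) whose target is the install dir
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like "$installDir*") {
            $findings += "Startup entry '$($_.BaseName)' -> $target"
        }
    }
}

# 2. Rootkit driver: file on disk and/or a kernel driver service referencing it
if (Test-Path $driverPath) { $findings += "Driver file present: $driverPath" }
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*sunio.sys*' } |
    ForEach-Object { $findings += "Driver service '$($_.Name)' state=$($_.State) path=$($_.PathName)" }

# 3. Cross-view check: the post notes the process is hidden from Task Manager while
#    the file stays visible. An executable on disk with no visible process is a
#    reason to examine the box offline, not proof of a rootkit by itself.
if (Test-Path $exePath) {
    $visible = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $exePath }
    if (-not $visible) { $findings += "Executable on disk but no visible process: $exePath" }
}

# 4. Desktop replaced with an HTML page. Assumption: it is set through the normal
#    wallpaper value or the Active Desktop wallpaper value used on XP-era systems.
$wallpaperKeys = @('HKCU:\Control Panel\Desktop',
                   'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General')
foreach ($key in $wallpaperKeys) {
    $wp = (Get-ItemProperty -Path $key -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and $wp -match '\.html?$') { $findings += "Wallpaper under $key is an HTML file: $wp" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No SunshineSpy indicators found.' }
```

A positive result from step 3 alone warrants confirming with an offline scan of the disk, since the same rootkit that hides the process can interfere with what a live script sees.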