Troj/Warspy-G

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Warspy-G is a downloader Trojan that attempts to contact a number of websites and displays a number of fake warning messages.

Troj/Warspy-G may set the following registry entries:

HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32\
(default)
<path to Trojan>

HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32\
ThreadingModel
Apartment

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{D56A1203-1452-EBA1-7294-EE3377770000}
Interlinking Memory Support

Troj/Warspy-G may also set the following registry entry in order to change the user's startpage settings:

HKCU\Software\Microsoft\Internet Explorer\Main
StartPage

Troj/Warspy-G may attempt to display a number of fake warning messages with window titles including the following:

Error #317 - Microsoft Windows Security Warning
Attention! Desctop and homepage are authorized!
Warning! Unknown popups detected!
Warning! Virus Detected!
Warning! Spyware on your system!
Warning! Network is under attack!

and window texts including the following:

Your Windows is corrupted with spyware virus.
You must your PC urgently to protect your system.
Private info is accessed by ports:
-8080
-3128
You can patch your PC for free now and delete all spyware viruses.
Click OK to choose and download free spyware removal using AntiSPY.

Desctop icons and homepage have passed Windows autorization
with the following description/certificate:
[One-day promotional offer on the best goods for random user
User desctop icons to get the best deals on things you need!]

Windows analysis shows that your system is in danger!
Popups leading to [unknown address] are opening on you PC.
Clcick here to choose and download authorized popup blocker

Your system is attacked by stealth.Hjack virus!
Your Windows probably will not boot next time
Click here to choose and download authorized antivirus

Windows analysis shows that your private information
is accessed by uknown server. Patch your PC immediately!
Click here to use special authorized list to remove spyware

Protect your home or office network immediately!
It's under attack from your PC. Stop this dangerous trojan
Choose and download special software for network security.

Troj/Warspy-G may attempt to drop internet shortcuts onto the Desktop pointing to scripts at http://www.newgenlook.info, http://antispy.newgenlook.info, http://pharmacy.newgenlook.info, http://pharma.newgenlook.info and http://adult.newgenlook.info with the following names:

Air Tickets
Online Betting
BlackJack
Car Insurance
Cruises
Remove Spyware
Cigaretter
Phentermine
Online Casino
Viagra
MP3
Party Poker
Credit Card
Pharmacy
Forex Trading
Britney Spears
Big Tits
Pornstars
Lesbian Sex
Oral Sex

Troj/Warspy-G may attempt to contact a number of scripts at the following remote websites:

http://antispy.newgenlook.info
http://www.newgenlook.info

Troj/Warspy-G may attempt to download a file from http://674.dapfeed.com to 48.EXE in the root folder and execute it. This file is currently detected as Dial/Conc-A.
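
The registry entries and shortcut targets listed above can be checked offline against artefacts collected from a host. The following is an added example, not Sophos code: it scans the decoded text of a `reg export` file and the contents of `.url` shortcut files. The sample inputs, including the DLL path and URL path, are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlsplit

# Indicators copied from the description above.
CLSID = "{D56A1203-1452-EBA1-7294-EE3377770000}"
COM_KEY = "\\CLSID\\" + CLSID + "\\INPROCSERVER32"
TASK_KEY = "\\EXPLORER\\SHAREDTASKSCHEDULER"
HOSTS = {"www.newgenlook.info", "antispy.newgenlook.info", "pharmacy.newgenlook.info",
         "pharma.newgenlook.info", "adult.newgenlook.info"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # one value line of a .reg file

# Constructed sample inputs; the DLL path and URL path are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32]
@="C:\\placeholder\\sample.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D56A1203-1452-EBA1-7294-EE3377770000}"="Interlinking Memory Support"
"{00000000-0000-0000-0000-000000000001}"="Benign constructed entry"
'''
SAMPLE_URL = "[InternetShortcut]\nURL=http://antispy.newgenlook.info/placeholder\n"

def unquote(s):
    """Strip .reg string quoting and backslash escapes from a name or value."""
    quoted = len(s) >= 2 and s[0] == s[-1] == '"'
    return re.sub(r'\\(.)', r'\1', s[1:-1]) if quoted else s

def scan_reg_export(text):
    """Return (indicator, data) pairs found in the decoded text of a .reg export."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry key names are case-insensitive
        elif m and key.endswith(COM_KEY) and m.group(1) == "@":
            findings.append(("inprocserver32", unquote(m.group(2))))
        elif m and key.endswith(TASK_KEY) and unquote(m.group(1)).upper() == CLSID:
            findings.append(("shared-task-scheduler", unquote(m.group(2))))
    return findings

def shortcut_host(url_file_text):
    """Return the listed host a .url Internet shortcut points to, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(url_file_text)
        host = urlsplit(cp.get("InternetShortcut", "URL")).hostname or ""
    except (configparser.Error, ValueError):
        return None
    return host.lower() if host.lower() in HOSTS else None
```

Files written by `reg export` are UTF-16 on disk, so read them with `encoding="utf-16"` before passing the text to `scan_reg_export`. The `inprocserver32` finding carries the path registered as the COM server, which is the file to collect for analysis.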
