high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 20 June 2005 06:21:45 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Warspy-D is a downloader Trojan that attempts to contact a number of websites and display a number of fake warning messages.
Troj/Warspy-D will drop the following files:
<System>\guninst.exe
<System>\param32.dll - Troj/Warspy-H (at the time of writing)
<System>\searchdll.dll
Troj/Warspy-D will attempt to download executable files to the following locations:
<Windows>\sigldr.exe
<Windows>\48.exe - Dial/Conc-A (at the time of writing)
<Windows>\59.exe
Troj/Warspy-D may also attempt to download and run further executables.
The following registry entry will be set to run param32.dll automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\SharedTaskScheduler
{D56A1203-1452-EBA1-7294-EE3377770000}
Interlinking Memory Support
Troj/Warspy-D will alter the Start page of Internet Explorer by modifying the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
<URL>
Troj/Warspy-D will display a number of fake warning messages with window titles including the following:
Attention! Desctop and homepage are authorized!
Desctop icons and homepage have passed Windows autorization
Error #317 - Microsoft Windows Security Warning
Warning! Virus Detected!
Warning! Unknown popups detected!
Warning! Spyware on your system!
Warning! Network is under attack!
and window text including the following:
Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect your system.
Private info is accessed by ports:
-8080
-3128
You can patch your PC for free now and delete all spyware viruses.
Click OK to choose and download free spyware removal using AntiSPY.
with the following description/certificate:
[One-day promotional offer on the best goods for random user
Use desctop icons to get the best deals on things you need!]
Windows analysis shows that your system is in danger!
Popups leading to [unknown address] are opening on your PC.
Click here to choose and download authorized popup blocker
Your system is attacked by stealth.Hjack virus!
Your Windows probably will not boot next time
Click here to choose and download authorized antivirus
Windows analysis shows that your private infomation
is accessed by uknown server. Patch your PC immediately!
Click here to use special authorized list to remove spyware
Protect your home or office network immediately!
It's under attack from your PC. Stop this dangerous trojan
Choose and download special software for network security.
Troj/Warspy-D will drop internet shortcuts to the Desktop with the following names:
Air Tickets
Big Tits
BlackJack
Britney Spears
Car Insurance
Cigarettes
Credit Card
Cruises
Forex Trading
Lesbian Sex
Online Betting
Online Casino
Oral Sex
Party Poker
Pharmacy
Phentermine
Pornstars
Remove Spyware
Viagra
Additional registry entries are created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087\
HKCR\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\
HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\
HKCR\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\
HKCR\Serch_hook.transURL\
HKCR\Serch_hook.transURL.1\
HKCR\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\
|
