Method of Infection
Win32/Warspy variants usually consist of many components, including a dropper and a number of DLLs. When the dropper component is executed, it drops the following two DLLs into the "%Windows%\System32" directory and then registers them:
- param32.dll - used to perform the trojan's main functionality
- searchdll.dll - a potentially unwanted Internet Explorer SearchBar
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
The trojan also registers these DLLs as "in-process" COM servers, setting the following registry entries:
HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32 = "%Windows%\System32\param32.dll"
HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32\ThreadingModel = "Apartment"
HKCR\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\InprocServer32 = "%Windows%\System32\searchdll.dll"
HKCR\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\InprocServer32\ThreadingModel = "Apartment"
In order to load param32.dll when Explorer starts, it creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{D56A1203-1452-EBA1-7294-EE3377770000} = "Interlinking Memory Support"
It registers searchdll.dll as a URL Search Hook object by creating the following empty registry value:
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} = (empty)
URL Search hooks are used by Internet Explorer to translate the address of an unknown URL protocol.
Some variants may also drop a potentially unwanted DLL called "popup_bl.dll" into the same directory. The trojan installs this DLL as a Browser Helper Object (BHO) by making the following registry modifications:
HKCR\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}\InprocServer32 = "%Windows%\System32\popup_bl.dll"
HKCR\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}\InprocServer32\ThreadingModel = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
It also drops an executable file used to uninstall the trojan. Warspy variants have dropped this file using the following names:
Warspy then adds this uninstaller to the Add/Remove Programs dialogue as "Internet Connection Update and HomeP KB234087" by modifying the following registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087\DisplayName = Internet Connection Update and HomeP KB234087
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087\UninstallString = "<path to uninstaller>"
If this uninstaller is executed, it unregisters the DLL "searchdll.dll" and creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UninstallHP
The DLL "param32.dll" checks for this registry entry and removes itself from the system on the next Windows boot if this entry exists.
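The registry artefacts listed above can be turned into a simple triage check. The following is an added example, not code from the original description: it parses a .reg export (string values only) and flags the three Warspy CLSIDs at their COM server and load-point locations, plus the UninstallHP marker that param32.dll polls. The sample export is constructed for illustration.

```python
WARSPY_CLSIDS = {  # CLSIDs from the Warspy description above
    "{D56A1203-1452-EBA1-7294-EE3377770000}": "param32.dll / SharedTaskScheduler",
    "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}": "searchdll.dll / URLSearchHook",
    "{28F65FCB-D130-11D8-BA48-8BE0C49AF370}": "popup_bl.dll / BHO",
}
WARSPY_DLLS = ("param32.dll", "searchdll.dll", "popup_bl.dll")
LOAD_POINTS = ("\\explorer\\sharedtaskscheduler", "\\internet explorer\\urlsearchhooks",
               "\\explorer\\browser helper objects")
UNINSTALL_FLAG = "\\explorer\\uninstallhp"   # set by the uninstaller, read by param32.dll

def parse_reg_export(text):
    """Parse a minimal .reg export into (key, value_name, data) triples."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))   # record bare key presence too
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            entries.append((key, name, data.strip('"').replace("\\\\", "\\")))
    return entries

def find_warspy_indicators(entries):
    """Return sorted, de-duplicated descriptions of Warspy artefacts found."""
    hits = set()
    for key, name, data in entries:
        where = f"{key}\\{name}" if name else key
        low = where.lower()
        for clsid, desc in WARSPY_CLSIDS.items():
            if clsid.lower() not in low:
                continue
            if any(lp in low for lp in LOAD_POINTS):
                hits.add(f"load point: {where} ({desc})")
            elif data and data.lower().endswith(WARSPY_DLLS):
                hits.add(f"COM server: {where} -> {data}")
        if low.endswith(UNINSTALL_FLAG):
            hits.add(f"uninstall flag: {key}")
    return sorted(hits)
# Constructed sample export (not a real capture) covering four of the artefacts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32]
@="C:\\WINDOWS\\System32\\param32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D56A1203-1452-EBA1-7294-EE3377770000}"="Interlinking Memory Support"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UninstallHP]
"""
```

Run `find_warspy_indicators(parse_reg_export(open("export.reg").read()))` against an export taken with `reg export` to list the hits; a real export would also carry hex and DWORD values, which this parser simply passes through as strings.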
Warspy also creates a number of Internet shortcuts on the Desktop. Clicking these shortcuts redirects the user to an advertising-related site on a specific domain. Shortcuts created by Warspy variants reported to CA have used the following names:
Air Tickets
Big Tits
BlackJack
Britney Spears
Car Insurance
Cigarettes
Credit Card
Cruises
Forex Trading
Lesbian Sex
MP3
Master-X
Online Betting
Online Casino
Oral Sex
Padonki
Party Poker
Pharmacy
Phentermine
Pornstars
Remove Spyware
Udaff
Viagra
The trojan drops the icons for these shortcuts in the "%Windows%\System32" directory.
Warspy also inserts an icon in the system tray at random times that displays a dialogue containing a number of warning messages. If the user interacts with this dialogue, a page on a specific domain (for example, newgenlook.info) is displayed with the user's default browser. The message displayed is randomly chosen from the following:
Warning! Network is under attack!
Protect your home or office network immediately!
It's under attack from your PC. Stop this dangerous trojan
Choose and download special software for network security.
Warning! Spyware on your system!
Windows analysis shows that your private infomation
is accessed by uknown server. Patch your PC immediately!
Click here to use special authorized list to remove spyware
Warning! Virus Detected!
Your system is attacked by stealth.Hjack virus!
Your Windows probably will not boot next time
Click here to choose and download authorized antivirus
Warning! Unknown popups detected!
Windows analysis shows that your system is in danger!
Popups leading to [unknown address] are opening on your PC.
Click here to choose and download authorized popup blocker
Attention! Desctop and homepage are authorized!
Desctop icons and homepage have passed Windows autorization
with the following description/certificate:
[One-day promotional offer on the best goods for random user
Use desctop icons to get the best deals on things you need!]
title5 sfdsf
message5 sdfsdf
title4 sdfsdf
message4sdfdsf
title3 sdfsdf
message3 sdfdsf
title2 sdfsdf
dsfdsf
title1 111
message1 1111
Below is an example of a message displayed by the trojan:

Warspy also displays the following message box at random times, warning users that their system is infected with spyware:

Clicking "OK" causes the default browser to be executed, displaying an advertising-related page on a specific domain.