The notification message displayed by Cryxos trojans varies by language. Some variants will also open a web page in the browser displaying what appears to be a legitimate vendor's website to further enhance the impression that the message is authentic. Other variants will display an image of a screenshot of a web page:
Cryxos trojan message in English.
Cryxos trojan message in French. The webpage behind the message is actually an image of a webpage
Some Cryxos variants will also play an audio recording repeating the information displayed in the notification message and giving the phone number that the user is supposed to contact for 'further assistance'.
In addition to displaying the message, some Cryxos variants will display the user's IP address, open multiple web browser pages, or perform other actions designed to cause alarm.
These trojans are essentially part of a 'call support' or 'tech support' scam; they are designed to trick the user into believing their device is infected. If the user does contact the number displayed, they are then typically pressured into paying for the 'assistance'.
In some cases, the user may be asked to give the technician remote access to the machine, potentially leading to a device hijack and compromise of any information stored on the device.
For more information about such scams, see: