Trj.PGPCoder.A
From Wikipedia, the free encyclopedia
PGPCoder is a Trojan that encrypts files on the infected computer and then demands a fee to release those files. It has also been called GPcode. This is a new type of behavior, rarely seen until now, and one to which the FBI in the United States is now alert.
Once installed on a computer, the Trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.
Once it has been run, the Trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats).
GPcode uses the ADD instruction on the plaintext with an 8-bit encryption key. The starting value of the encryption key is 0x3a and it is changed using the fixed values 0x25 and 0x5c after the encipherment of each subsequent byte of plaintext.
The blackmail is completed by the Trojan dropping a text file in each directory with instructions to the victim. An email address is supplied through which victims are supposed to request that their files be released after paying a ransom of $200.
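The passage above gives the whole cipher: an 8-bit key is added to each plaintext byte, the key starts at 0x3a, and it is advanced using the constants 0x25 and 0x5c after every byte. Because no secret is involved, anyone who has read the Trojan's code can regenerate the exact key stream and undo the damage, which is why the later paragraph calls PGPcoder "not a true cryptotrojan". The following is an added illustration of that recovery, not code from the article or from any antivirus vendor. The page does not say precisely how 0x25 and 0x5c update the key; the linear update key = (key * 0x25 + 0x5c) mod 256 used here is an assumption and is isolated in one function so it can be swapped for whatever the real sample does. The file-signature check is a standard recovery-tool sanity test and is likewise an addition.

```python
"""Keystream reconstruction and file recovery for the byte-wise ADD cipher
described on the page. Everything here is an added example; the key
schedule is an assumption (the page only names the constants)."""

from typing import Iterator

INITIAL_KEY = 0x3A   # starting key value stated on the page
KEY_MUL = 0x25       # constant stated on the page
KEY_ADD = 0x5C       # constant stated on the page


def key_stream(length: int, initial: int = INITIAL_KEY) -> Iterator[int]:
    """Yield the 8-bit key used for each successive plaintext byte.

    ASSUMPTION: the page says the key is 'changed using the fixed values
    0x25 and 0x5c'; a multiply-add update mod 256 is used here. Whatever
    the real update is, it depends only on constants in the binary, so an
    analyst can always replay it."""
    key = initial & 0xFF
    for _ in range(length):
        yield key
        key = (key * KEY_MUL + KEY_ADD) & 0xFF


def encrypt(plaintext: bytes) -> bytes:
    """Model of the Trojan's transform: ciphertext byte = (p + key) mod 256."""
    return bytes((p + k) & 0xFF for p, k in zip(plaintext, key_stream(len(plaintext))))


def decrypt(ciphertext: bytes) -> bytes:
    """Inverse transform: the ADD is undone by a SUB with the same key stream."""
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, key_stream(len(ciphertext))))


# Magic numbers for the file types the page says the Trojan targets.
# A recovery tool uses these as a known-plaintext check that decryption
# actually produced the original file and not more garbage.
MAGIC_BY_EXTENSION = {
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07",),
    "jpg": (b"\xff\xd8\xff",),
    "doc": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document (pre-2007 Word/Excel)
    "xls": (b"\xd0\xcf\x11\xe0",),
    "html": (b"<!", b"<html", b"<HTML"),
}


def looks_recovered(data: bytes, extension: str) -> bool:
    """Return True if the decrypted bytes start with a signature expected
    for the given extension (case-insensitive extension, no leading dot)."""
    signatures = MAGIC_BY_EXTENSION.get(extension.lower().lstrip("."), ())
    return any(data.startswith(sig) for sig in signatures)


def recover(ciphertext: bytes, extension: str) -> bytes:
    """Decrypt and refuse to return data that fails the signature check,
    so a wrong key schedule is caught instead of silently overwriting files."""
    plaintext = decrypt(ciphertext)
    if not looks_recovered(plaintext, extension):
        raise ValueError(f"decrypted data does not look like a .{extension} file")
    return plaintext


if __name__ == "__main__":
    # Constructed sample: a minimal ZIP local-file header, "encrypted" with
    # the modelled transform and then recovered using only the constants.
    sample = b"PK\x03\x04\x14\x00\x00\x00"
    damaged = encrypt(sample)
    print("ciphertext:", damaged.hex())
    print("recovered :", recover(damaged, "zip"))
```

Run it on a real sample only after confirming the key schedule against the actual binary; the signature check in `recover` is what tells you whether the assumed schedule matched.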
Since the decryption key can be trivially derived from the Trojan itself, antivirus companies have been able to develop a complete "cure" for the data modifications that this Trojan makes.[citation needed] It follows that PGPcoder is not a true cryptotrojan.[citation needed] A cryptovirus, cryptotrojan, or cryptoworm contains and uses the public key of the attacker. In cryptoviral extortion, the malware hybrid-encrypts the victim's data using the attacker's public key, and analysis of the malware does not reveal the private decryption key that is needed. When there are no backups, victims therefore have no recourse but to pay the extortionist or lose the data. This attack is one of many in the field known as cryptovirology. Victims of PGPcoder are lucky that it is not a true cryptotrojan and therefore does not carry out cryptoviral extortion.[citation needed]
External links: F-Secure virus description of GPcode: http://www.f-secure.com/v-descs/gpcode.shtml