PGPCoder: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:35, 24 September 2005 edit Rich Farmbrough (talk \| contribs) Edit filter managers, Autopatrolled, Extended confirmed users, File movers, IP block exemptions, Pending changes reviewers, Rollbackers, Template editors 1,734,035 edits m Wikify dates. ← Previous edit		Latest revision as of 23:20, 14 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m →Efforts to combat the trojan: HTTP to HTTPS for Blogspot Tag: AWB
(46 intermediate revisions by 27 users not shown)
Line 1: {{Infobox computer virus ~~'''A Trojan digitally encrypts files and asks for a ransom'''~~ \|Common name=Gpcode ~~- Virus Alerts, by Panda Software (http://www.pandasoftware.com)~~ \|Technical name= * Trojan.PGPCoder, * Virus.Win32.Gpcode, * TROJ_PGPCODER.[letter] ([[Trend Micro]]) \|Classification=[[Trojan horse (computing)\|Trojan]] \|Fullname=Trojan.PGPCoder \|IsolationDate=2005-05-20 }} '''PGPCoder''' or '''GPCode''' is a [[trojan horse (computing)\|trojan]] that encrypts files on the infected computer and then asks for a ransom in order to release these files, a type of behavior dubbed [[ransomware (malware)\|ransomware]] or [[cryptovirology]]. == Trojan == MADRID, [[May 25]] [[2005]] - PandaLabs has recently reported the appearance of a type of malware that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, and to which the FBI in the United States are now alert. ~~The malware in question, Trj.PGPCoder.A, is a Trojan, and as is usual in these cases, cannot propagate by itself.~~ Once installed on a computer, itthe trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the ~~Trojan~~trojan in the infected computer, counting the number of files that have been analyzed by the malicious code. ▼ Once it has been run, the ~~Trojan~~trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include ~~DOC~~.doc, ~~(Microsoft Word documents)~~.html, ~~HTML (web pages)~~.jpg, ~~JPG (images)~~.xls, ~~XLS (Microsoft Excel spreadsheets)~~.zip, ~~ZIP~~ and ~~RAR (two common compressed file formats)~~. rar.▼ ▲The malware in question, Trj.PGPCoder.A, is a Trojan, and as is usual in these cases, cannot propagate by itself. Once installed on a computer, it creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan in the infected computer, counting the number of files that have been analyzed by the malicious code. The blackmail is completed with the ~~Trojan~~trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $~~200~~100–200 to an [[e-gold]] or [[Liberty Reserve]] account.<ref>{{cite web\|url=http://rump2008.cr.yp.to/6b53f0dad2c752ac2fd7cb80e8714a90.pdf\|format=PDF\|title=Cryptanalysis of the Gpcode.ak ransomware virus\|author=Eran Tromer\|author-link=Eran Tromer\|accessdate=2008-09-30}}</ref>▼ ▲Once it has been run, the Trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats). == Efforts to combat the trojan == ▲The blackmail is completed with the Trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200. While a few Gpcode variants have been successfully implemented,<ref>{{cite web\|url=http://www.kaspersky.com/news?id=207575651\|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus\|date=2008-06-09}}</ref> many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web\|url=http://www.viruslist.com/en/analysis?pubid=189678219\|title=Blackmailer: the story of Gpcode\|date=2006-07-26\|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file, and this allows an [[undeletion\|undeletion utility]] to recover some of the files. Once some [[known-plaintext attack\|encrypted+unencrypted pairs]] have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web\|url=http://support.kaspersky.com/faq/?qid=208279822\|title=Utilities which fight Virus.Win32.Gpcode.ak\|date=2008-06-25\|publisher=Kaspersky Lab}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187531\|title=Restoring files attacked by Gpcode.ak\|publisher=Kaspersky Labs\|date=2008-06-13\|access-date=2008-09-30\|archive-url=https://web.archive.org/web/20090713204125/http://www.viruslist.com/en/weblog?weblogid=208187531\|archive-date=2009-07-13\|url-status=dead}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187538\|archive-url=https://archive.today/20130209010757/http://www.viruslist.com/en/weblog?weblogid=208187538\|url-status=dead\|archive-date=2013-02-09\|title=Another way of restoring files after a Gpcode attack\|date=2008-06-26}}</ref> Variant Gpcode.am uses [[symmetric-key algorithm\|symmetric encryption]], which made key recovery very easy.<ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187565\|archive-url=https://archive.today/20120918142720/http://www.viruslist.com/en/weblog?weblogid=208187565\|url-status=dead\|archive-date=2012-09-18\|title=New Gpcode - mostly hot air\|date=2008-08-14\|publisher=Kaspersky Labs}}</ref> In late November 2010, a new version called Gpcode.ax<ref>{{cite web\|url=https://xylibox.blogspot.com/2011/01/gpcode-ransomware-2010-simple-analysis.html\|title=GpCode Ransomware 2010 Simple Analysis\|publisher=Xylibox\|date=2011-01-30}}</ref> was reported. It uses stronger encryption (RSA-1024 and AES-256) and physically overwrites the encrypted file, making recovery nearly impossible.<ref>{{cite web\|url=http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back\|title=GpCode-like Ransomware Is Back\|date=2010-11-29\|publisher=Kaspersky Labs}}</ref> [[Kaspersky Lab]] has been able to make contact with the author of the program, and verify that the individual is the real author, but have so far been unable to determine his real world identity.<ref>{{cite web\|url=http://www.techworld.com/news/security/police-find-author-of-notorious-virus-105043/\|title=Police 'find' author of notorious virus\|date=2008-09-30\|publisher=TechWorld}}</ref> To prevent infection from Trj.PGPCoder.A or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date. Panda Software has already made the corresponding updates to detect and eliminate this new malicious worm available to clients. == References == Panda Software's clients can already access the updates for installing the new TruPrevent™ Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. {{reflist}} == External links == In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com. ActiveScan is also available to webmasters that want to include it on their websites. Those who would like to include it on their sites can request the HTML code from http://www.pandasoftware.com/partners/webmasters/ * Kaspersky Lab [http://www.kaspersky.com/find?words=gpcode&search=Search Kaspersky Lab blog posts] [https://web.archive.org/web/20080918001754/http://forum.kaspersky.com/index.php?showforum=91 Kaspersky Lab forum dedicated to GPCode] [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky Lab virus descriptions] [https://web.archive.org/web/20081003174725/http://downloads1.kaspersky-labs.com/utils/stopgpcode/ StopGPCode trojan removal utilities] * Other virus description databases [http://www.f-secure.com/v-descs/gpcode.shtml F-Secure] [https://web.archive.org/web/20061213000916/http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99 Symantec] McAfee: [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133901 GPCoder] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139824 GPCoder.e] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139907 GPCoder.f] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139906 GPCoder.g] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142712 GPCoder.h] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=145334 GPCoder.i] Trend Micro: [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.A TROJ_PGPCODER.A] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.B TROJ_PGPCODER.B] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.C TROJ_PGPCODER.C] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.D TROJ_PGPCODER.D] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.E TROJ_PGPCODER.E] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.F TROJ_PGPCODER.F] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.G TROJ_PGPCODER.G] ** [http://www.threatexpert.com/report.aspx?md5=7CD8E2FC5FE2DC351F24417CC1D23AFA ThreatExpert] {{Hacking in the 2000s}} Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form. [[Category:Windows trojans]] ~~For further information about the malicious code mentioned above, visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/~~ [[Category:Ransomware]] ~~----~~ ~~credits: http://forums.maddoktor2.com/index.php?s=49f622ff62e8bd1a3612d45d35f78708&showtopic=4532&st=0&#entry26348~~