PGPCoder: Difference between revisions

Content deleted Content added
Underpants (talk | contribs)
expand; remove {{orphan}} since there are two backlinks now; remove {{cleanup}} since the individual {{fact}}s are sufficient and more specific
Underpants (talk | contribs)
rewrite paragraph about recovery methods, this time with cites
Line 4:
|Classification=[[Trojan horse (computing)|Trojan]]
|Fullname=Trojan.PGPCoder
|IsolationDate=2005-05-20
}}
'''PGPCoder''', also known as '''GPCode''', is a [[trojan horse (computing)|trojan]] that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, dubbed [[ransomware (malware)|ransomware]] or [[cryptovirology]].
 
Once installed on a computer, the trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.
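Review bot: in the lead sentence, "dubbed [[ransomware (malware)|ransomware]] or [[cryptovirology]]" presents a malware category and the research field that studies it as alternatives for the same thing; suggest "dubbed [[ransomware (malware)|ransomware]], studied under [[cryptovirology]]". "This is a new type of behavior, rarely seen until now" is a dated, uncited relative claim (the page's own citations date to 2006 and 2008), so either drop "rarely seen until now" or anchor it to a cited date. The registry-key sentence says the second key counts "the number of files that have been analyzed" but gives no source, and the earlier edit summary notes that the individual {{fact}} tags are the cleanup mechanism here, so this sentence should carry one too.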
Line 15 ⟶ 16:
The blackmail is completed with the trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200.
 
While a few Gpcode variants have been successfully implemented<ref>{{cite web|url=http://www.kaspersky.com/news?id=207575651|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus|date=2008-06-09}}</ref>, many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web|url=http://www.viruslist.com/en/analysis?pubid=189678219|title=Blackmailer: the story of Gpcode|date=2006-07-26|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file. This allows an [[undeletion|undeletion utility]] to recover some of the files.<ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187531|title=Restoring files attacked by Gpcode.ak|publisher=Kaspersky Labs|date=2008-06-13}}</ref> Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187538|title=Another way of restoring files after a Gpcode attack|date=2008-06-26}}</ref> Variant Gpcode.am uses symmetric encryption, and so makes decryption easy.<ref>{{cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187565|title=New Gpcode - mostly hot air|date=2008-08-14|publisher=publisher=Kaspersky Labs}}</ref>
Since the decryption key can be trivially derived from the trojan antivirus companies have been able to develop a complete "cure" for the data modifications that this trojan makes.{{Fact|date=June 2008}}<!-- not present in sources credited below --> It follows that PGPcoder is not a true cryptotrojan.{{Fact|date=June 2008}}<!-- conclusion not present in sources credited below --> A cryptovirus, cryptotrojan, or cryptoworm contains and uses the public key of the attacker. In cryptoviral extortion, the malware hybrid encrypts the victim's data using the attacker's public key. Analysis of the malware does not reveal the needed private decryption key. So, when there are no backups then victims have no recourse but to pay the extortionist or lose the data. This attack is one of many in the field known as [[cryptovirology]]. Victims of PGPcoder are lucky that it is not a true cryptotrojan and therefore does not carry out cryptoviral extortion.{{Fact|date=June 2008}}<!-- commentary not present in sources credited below -->
 
==References==
{{reflist}}
 
==External links==
* [http://usawww.kaspersky.com/about-us/news-press-releases.phpfind?smnr_idwords=900000131gpcode&search=Search Kaspersky Lab Warns of New Variant of Dangerous Blackmailing Virus,blog Gpcodeposts]
* [http://people.csail.mit.edu/tromer/gpcode/ Gpcode.ak Cryptographic Challenge]
* Virus description databases
** [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky Labs]
** [http://www.f-secure.com/v-descs/gpcode.shtml F-Secure]
** [http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99 Symantec]
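Review bot: the last {{cite web}} on the Gpcode.am sentence has a doubled parameter name, "publisher=publisher=Kaspersky Labs", which will render the publisher field incorrectly; change it to "publisher=Kaspersky Labs". The fourth cite ("Another way of restoring files after a Gpcode attack") is the only one of the four viruslist.com references without a publisher; add "publisher=Kaspersky Labs" for consistency. The sentence "Since the decryption key can be trivially derived from the trojan antivirus companies have been able to develop a complete "cure"" needs a comma after "trojan", and its blanket "complete cure" claim contradicts the preceding paragraph, which says a few variants were successfully implemented and is sourced; the {{Fact}} tags already flag this, but the two paragraphs should be reconciled rather than left disagreeing. In the External links, the first Kaspersky URL ("usawww.kaspersky.com/about-us/news-press-releases.phpfind?smnr_idwords=900000131gpcode&search=Search ...") looks like the old and new link text run together by the diff view; check the rendered revision, because as shown it is not a valid URL.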
Line 26 ⟶ 31:
** Trend Micro: [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.A TROJ_PGPCODER.A] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.B TROJ_PGPCODER.B] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.C TROJ_PGPCODER.C] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.D TROJ_PGPCODER.D] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.E TROJ_PGPCODER.E] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.F TROJ_PGPCODER.F] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.G TROJ_PGPCODER.G]
** [http://www.threatexpert.com/report.aspx?md5=7CD8E2FC5FE2DC351F24417CC1D23AFA ThreatExpert]
** [http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444 Viruslist.com]
 
[[Category:Trojan horses]]
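Review bot: the ThreatExpert entry under "Virus description databases" is a sandbox report keyed by a single sample's MD5 (report.aspx?md5=...), so it describes one specimen rather than the family the neighbouring entries describe; either label it as a sample report or drop it. The Viruslist.com entry points at the same Kaspersky database as the "Kaspersky Labs" search link earlier in the list, so the two could be merged into one entry. The Trend Micro line packs seven variant write-ups (TROJ_PGPCODER.A through .G) onto one line; a sub-list would match the layout of the other entries.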