Revision as of 05:47, 11 June 2008 edit 84user (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers 9,781 edits m space ← Previous edit		Revision as of 16:03, 30 September 2008 edit undo Underpants (talk \| contribs) 1,235 edits expand; remove {{orphan}} since there are two backlinks now; remove {{cleanup}} since the individual {{fact}}s are sufficient and more specific Next edit →
Line 1: {{computer virus ~~{{Orphan\|date=November 2006}}~~ \|Common name=Gpcode ~~{{cleanup\|date=June 2008}}<!-- claims need precise cites -->~~ \|Technical name=Trojan.PGPCoder, Virus.Win32.Gpcode PGPCoder is a Trojan that encrypts files on the infected computer and then asks for a fee in order to release these files. It has also been called GPcode. This is a new type of behavior, rarely seen until now, and to which the FBI in the United States are now alert. ▼ \|Classification=[[Trojan horse (computing)\|Trojan]] \|Fullname=Trojan.PGPCoder }} ▲'''PGPCoder''', also known as '''GPCode''', is a ~~Trojan~~[[trojan horse (computing)\|trojan]] that encrypts files on the infected computer and then asks for a fee in order to release these files~~. It has also been called GPcode~~. This is a new type of behavior, rarely seen until now, ~~and~~dubbed to[[ransomware ~~which the FBI in the United States are now alert~~(malware)\|ransomware]]. Once installed on a computer, the ~~Trojan~~trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the ~~Trojan~~trojan in the infected computer, counting the number of files that have been analyzed by the malicious code. Once it has been run, the ~~Trojan~~trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats). GPcode uses the ADD instruction on the plaintext with an 8-bit encryption key. The starting value of the encryption key is 0x3a and it is changed using the fixed values 0x25 and 0x5c after the encipherment of each subsequent byte of plaintext. ~~The starting value of the encryption key is 0x3a and it is changed using the~~ ~~fixed values 0x25 and 0x5c after the encipherment of each subsequent byte of~~ ~~plaintext.~~ The blackmail is completed with the ~~Trojan~~trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200. Since the decryption key can be trivially derived from the trojan antivirus companies have been able to develop a complete "cure" for the data modifications that this trojan makes.{{Fact\|date=June 2008}}<!-- not present in sources credited below --> It follows that PGPcoder is not a true cryptotrojan.{{Fact\|date=June 2008}}<!-- conclusion not present in sources credited below --> A cryptovirus, cryptotrojan, or cryptoworm contains and uses the public key of the attacker. In cryptoviral extortion, the malware hybrid encrypts the victim's data using the attacker's public key. Analysis of the malware does not reveal the needed private decryption key. So, when there are no backups then victims have no recourse but to pay the extortionist or lose the data. This attack is one of many in the field known as [[cryptovirology]]. Victims of PGPcoder are lucky that it is not a true cryptotrojan and therefore does not carry out cryptoviral extortion.{{Fact\|date=June 2008}}<!-- commentary not present in sources credited below --> ~~Since the decryption key can be trivially derived from the Trojan~~ ~~antivirus companies have been able to develop a complete "cure" for the~~ ~~data modifications that this Trojan makes.{{Fact\|date=June 2008}}<!-- not present in sources credited below --> It follows that PGPcoder is not a true~~ ~~cryptotrojan.{{Fact\|date=June 2008}}<!-- conclusion not present in sources credited below --> A cryptovirus, cryptotrojan, or cryptoworm contains and uses the~~ ~~public key of the attacker. In cryptoviral extortion, the malware hybrid encrypts~~ ~~the victim's data using the attacker's public key. Analysis of the malware does not~~ ~~reveal the needed private decryption key. So, when there are no backups then victims~~ ~~have no recourse but to pay the extortionist or lose the data. This attack is one of many~~ ~~in the field known as [[Cryptovirology]]. Victims of PGPcoder are lucky that it is~~ ~~not a true cryptotrojan and therefore does not carry out cryptoviral extortion.{{Fact\|date=June 2008}}<!-- commentary not present in sources credited below -->~~ ~~credits 1: http://forums.maddoktor2.com/index.php?s=49f622ff62e8bd1a3612d45d35f78708&showtopic=4532&st=0&#entry26348~~ ~~credits 2: http://www.f-secure.com/v-descs/gpcode.shtml~~ ==External links== * [http://usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000131 Kaspersky Lab Warns of New Variant of Dangerous Blackmailing Virus, Gpcode] * [http://~~www~~people.~~f-secure~~csail.~~com~~mit.edu/~~v-descs~~tromer/gpcode~~.shtml~~/ ~~- Information on~~Gpcode.ak ~~this~~Cryptographic ~~Trojan~~Challenge] * Virus description databases [http://www.~~pandasoftware~~f-secure.com/~~virus_info~~v-descs/~~encyclopedia~~gpcode.shtml F- ~~Information on this Trojan and a Virus Encyclopedia~~Secure] [http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99 Symantec] McAfee: [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133901 GPCoder] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139824 GPCoder.e] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139907 GPCoder.f] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139906 GPCoder.g] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142712 GPCoder.h] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=145334 GPCoder.i] Trend Micro: [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.A TROJ_PGPCODER.A] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.B TROJ_PGPCODER.B] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.C TROJ_PGPCODER.C] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.D TROJ_PGPCODER.D] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.E TROJ_PGPCODER.E] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.F TROJ_PGPCODER.F] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.G TROJ_PGPCODER.G] [http://www.threatexpert.com/report.aspx?md5=7CD8E2FC5FE2DC351F24417CC1D23AFA ThreatExpert] [http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444 Viruslist.com] [[Category:Trojan horses]]

PGPCoder: Difference between revisions