PGPCoder: Difference between revisions

Content deleted Content added
m Wikify dates.
The previous page read like a huge advertisement for pandasoftware and this is -not allowed- on Wikipedia
Line 1:
'''A Trojan digitally encrypts files and asks for a ransom'''
- Virus Alerts, by Panda Software (http://www.pandasoftware.com)
 
MADRID, [[May 25]] [[2005]] - PandaLabs has recently reported the appearance of a Trojan that encrypts files on the infected computer and then asks for a fee in order to release these files.

PGPCoder is a type of malware that encrypts files on the infected computer and then asks for a fee in order to release these files. It has also been called GPcode. This is a new type of behavior, rarely seen until now, and to which the FBI in the United States are now alert.
 
The malware in question, Trj.PGPCoder.A, is a Trojan, and as is usual in these cases, cannot propagate by itself. Once installed on a computer, the Trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.
 
Once it has been run, the Trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats).
 
GPcode uses the ADD instruction on the plaintext with an 8-bit encryption key. The starting value of the encryption key is 0x3a and it is changed using the fixed values 0x25 and 0x5c after the encipherment of each subsequent byte of plaintext.
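An added example, not code from the article, from Panda Software or from F-Secure, modelling the byte cipher just described as a defender's recovery routine. It assumes the two constants are added to the key alternately, since the page does not say how they are applied, and it shows why the decryption key can be derived from the Trojan itself: every key byte depends only on the file offset.

```python
# Added example (not from the article or any vendor tool): a model of the
# PGPCoder/GPcode byte cipher as a defender would write it to recover files.
# Page-given parameters: ADD of an 8-bit key to each plaintext byte, key starts
# at 0x3a, key changes using the constants 0x25 and 0x5c after each byte.
# ASSUMPTION: the page does not say how the two constants are applied; this
# model adds them to the key alternately (0x25, then 0x5c, then 0x25, ...).

KEY_INIT = 0x3A
KEY_STEPS = (0x25, 0x5C)


def keystream(length):
    """Key byte applied at each position; depends on the position only."""
    keys = []
    key = KEY_INIT
    for i in range(length):
        keys.append(key)
        key = (key + KEY_STEPS[i % 2]) & 0xFF  # 8-bit wraparound
    return bytes(keys)


def encrypt(plaintext):
    """The Trojan's transformation: ADD the key byte, modulo 256."""
    return bytes((p + k) & 0xFF for p, k in zip(plaintext, keystream(len(plaintext))))


def decrypt(ciphertext):
    """The 'cure': SUB the same key byte. Nothing secret is required."""
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, keystream(len(ciphertext))))


def keystream_period():
    """Bytes before the key sequence repeats: the cipher's whole strength."""
    seen = {}
    key, i = KEY_INIT, 0
    while (key, i % 2) not in seen:
        seen[(key, i % 2)] = i
        key = (key + KEY_STEPS[i % 2]) & 0xFF
        i += 1
    return i - seen[(key, i % 2)]


def recovered_ok(data, magic):
    """Check a recovery tool would make: does the known file header come back?"""
    return data.startswith(magic)


# Constructed sample: fake ZIP header (one of the targeted extensions) plus filler.
SAMPLE = b"PK\x03\x04" + b"constructed sample body, not a victim file"
```

Under the assumed schedule the key sequence repeats every 512 bytes, so a recovery tool only has to check that a known file header (here the ZIP magic) reappears after subtracting the regenerated keystream.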
 
The blackmail is completed with the Trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200.
 
To prevent infection from Trj.PGPCoder.A or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date. Panda Software has already made the corresponding updates to detect and eliminate this new malicious worm available to clients.

Since the decryption key can be trivially derived from the Trojan, antivirus companies have been able to develop a complete "cure" for the data modifications that this Trojan makes. It follows that PGPcoder is not a true cryptotrojan. A cryptovirus, cryptotrojan, or cryptoworm contains and uses the public key of the attacker. In cryptoviral extortion, the malware hybrid encrypts the victim's data using the attacker's public key. Analysis of the malware does not reveal the needed private decryption key, so when there are no backups, victims have no recourse but to pay the extortionist or lose the data. This attack is one of many in the field known as [[Cryptovirology]]. Victims of PGPcoder are lucky that it is not a true cryptotrojan and therefore does not carry out cryptoviral extortion.
 
credits 1: http://forums.maddoktor2.com/index.php?s=49f622ff62e8bd1a3612d45d35f78708&showtopic=4532&st=0&#entry26348
Panda Software's clients can already access the updates for installing the new TruPrevent™ Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.
 
credits 2: http://www.f-secure.com/v-descs/gpcode.shtml
In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com. ActiveScan is also available to webmasters that want to include it on their websites. Those who would like to include it on their sites can request the HTML code from http://www.pandasoftware.com/partners/webmasters/
 
Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.
 
==External links==
For further information about the malicious code mentioned above, visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/
 
* [http://www.f-secure.com/v-descs/gpcode.shtml - Information on this Trojan]
----
 
* [http://www.pandasoftware.com/virus_info/encyclopedia - Information on this Trojan and a Virus Encyclopedia]
credits: http://forums.maddoktor2.com/index.php?s=49f622ff62e8bd1a3612d45d35f78708&showtopic=4532&st=0&#entry26348