Tuesday, February 07, 2012
Viruswarn Forums
Lee Drake (Posts: 238)
06/26/2005 5:27 AM

What Is It?
PGPcoder, also known as Trojan.Gpcoder, Virus.Win32.Gpcode.b, and TROJ_PGPCODER.A, is a proof of concept for extortion by software that came to my attention today. Though all of the anti-virus companies rate the risk level of this worm as Low, which we think is appropriate, we chose to publish a notice about it because it represents a new type of threat. I believe that other, more effective versions will follow soon.
This is the first of its kind, an attempt at extortion by a Trojan Horse program that targets all computer users. F-Secure had this to say about it, in an article posted today.
It looks like not only terrorists and kidnappers can take hostages, but Trojans too. A Trojan called Gpcode (also known as PGPCoder) encrypts users' files with certain extensions and then asks for a ransom to "free" (decrypt) them. This Trojan got some media attention during the past 2 weeks. According to media reports, the authorities are investigating the case.
Luckily, the Trojan had a very simple encryption algorithm, so it was possible to create a decryptor for the encrypted files. F-Secure Anti-Virus can detect and decrypt files encrypted by the Gpcode Trojan. If you are hit by this Trojan and your files are encrypted, please scan ALL files on your hard disk and they will be decrypted.
Fortunately, it was implemented as a Trojan Horse program, so it requires overt action to spread, and its encryption algorithm is easily defeated. Consequently, it depends on social engineering to spread, and represents more of a proof of concept than a real threat.
Technical Details
Once installed on a computer, the Trojan encrypts all files with the following extensions.
pgp: PGP Private Key
asc: ASCII text
db2, db1, db: Paradox, and probably other databases
jpg: JPEG image
html: Web page
htm: Web page
dbf: dBase data file
rar: RAR compressed archive
zip: PKZIP compressed archive
rtf: Rich Text Format (Microsoft Word, WordPad, and other word processing programs)
txt: Plain ASCII text
doc: Microsoft Word document
xls: Microsoft Excel spreadsheet
The Trojan also does the following things.
A text file named ATTENTION!!!.txt is placed in any directory that contains files encrypted by the Trojan. The file contains the following text.
Some files are coded.
To buy decoder mail: n {removed} @yahoo.com
with subject: PGPcoder 000000000032
The Trojan creates a couple of Registry keys that are intended to cause the program to run at startup until all files have been found and encrypted.
The Trojan creates an inventory of the files that it has processed, called AUTOSAVE.SIN, in the Windows Temporary folder, usually C:\Windows\TEMP or C:\WinNT\TEMP. However, once it has encrypted all the files it can find, this file is deleted, along with the worm. Therefore, its presence indicates that the attack is still in progress.
What Should I Do?
It has been a while since we published a virus warning. Consider this a gentle reminder to stay vigilant.
If you use any of the anti-virus products listed in the references below, keep your virus engine and signatures current, and avoid running executable attachments or programs contained inside unexpected attachments, you should be safe from this threat.
Despite the blunt reference to PGP in its name, suggesting use of a strong cipher, the author of this Trojan used a weak cipher. However, to date, F-Secure is the only company that specifically states that they have a decryption tool.
Symantec recommends that encrypted files be restored from a backup.
McAfee says nothing about how to recover the encrypted files. Consequently, we must assume that their product does not decrypt them.
Kaspersky Labs says that their scanner decrypts the damaged files.
The F-Secure article states that the way to recover the damaged files is to scan all files; no mention is made of a stand-alone decryption tool.
The same F-Secure article describes the encryption algorithm in sufficient detail that it should be relatively easy to write a decryptor.
Beware that this is a proof of concept. Other, more effective forms will surely follow.
Acknowledgements
Thanks to my colleague Bill Treloar for calling this new tactic to my attention.
References
I reviewed the following articles in the process of preparing this report.
"A Trojan That Takes Hostages" is at http://www.f-secure.com/weblog/archives/archive-052005.html#00000567.
"F-Secure Virus Descriptions: GPCode" is at http://www.f-secure.com/v-descs/gpcode.shtml, including details about the cipher.
"Security Response: Trojan.GPcoder" is at http://securityresponse.symantec.com/avcenter/venc/data/trojan.gpcoder.html.
McAfee Virus Encyclopedia entry for PGPCoder is at http://vil.nai.com/vil/content/v_133901.htm.
Trend Micro's entry "TROJ_PGPCODER.A" is at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.A.
"Panda Software's Weekly Report on Viruses and Intruders," at http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=6255, is the article that I received from Bill Treloar.
"Analyst's Diary: Using Malware for Extortion Striking but not New" reminds us that extortion by software is not new, though this is a new angle. See http://www.viruslist.com/en/weblog?weblogid=164377138.
This concludes this VirusWarning notice.
David Gray
P6 Consulting
V: +1 (817) 896-1114
F: +1 (817) 294-1830
TZ: USA Central, GMT -5
E: mailto:dagray@p6c.com
W: http://www.p6c.com
6913 Wilton Drive
Fort Worth, TX 76133-6130
USA
You are more important than any technology we may employ
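As an added example (not part of the notice above or of any vendor's tooling), a small Python triage script that walks a directory tree for the indicators the notice describes: the ATTENTION!!!.txt ransom note and its first line, the targeted extensions sitting beside it, and AUTOSAVE.SIN in the temporary folder as the "attack still in progress" sign. The sample tree it builds is constructed, the TEMP subfolder stands in for the real Windows Temporary folder, and the contents written to AUTOSAVE.SIN are a placeholder (only its presence is checked).

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the notice above: the ransom note's name and first
# line, the inventory file the Trojan keeps while still running, and the
# extensions it targets.
RANSOM_NOTE = "ATTENTION!!!.txt"
RANSOM_NOTE_PREFIX = "Some files are coded."
INVENTORY_FILE = "AUTOSAVE.SIN"
TARGET_EXTENSIONS = {".pgp", ".asc", ".db2", ".db1", ".db", ".jpg", ".html",
                     ".htm", ".dbf", ".rar", ".zip", ".rtf", ".txt", ".doc", ".xls"}

def scan_tree(root, temp_dir):
    """Report Gpcode indicators under `root`: directories holding the ransom
    note, how many files beside each note carry a targeted extension (the
    ones most likely to be encrypted), and whether AUTOSAVE.SIN still sits in
    `temp_dir`, which the notice says means the attack is still in progress."""
    root = Path(root)
    hit_dirs, at_risk = [], 0
    for dirpath, _dirs, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue
        lines = (Path(dirpath) / RANSOM_NOTE).read_text(errors="replace").splitlines()
        if not lines or not lines[0].strip().startswith(RANSOM_NOTE_PREFIX):
            continue  # same name, different content: not this Trojan's note
        hit_dirs.append(str(Path(dirpath).relative_to(root)))
        at_risk += sum(1 for f in filenames if f != RANSOM_NOTE
                       and Path(f).suffix.lower() in TARGET_EXTENSIONS)
    return {"ransom_note_dirs": sorted(hit_dirs), "at_risk_files": at_risk,
            "in_progress": (Path(temp_dir) / INVENTORY_FILE).exists()}

def build_sample_tree():
    """Constructed sample tree (not a real infection) so the scan runs offline."""
    base = Path(tempfile.mkdtemp())
    docs, pics, temp = base / "Documents", base / "Pictures", base / "TEMP"
    for d in (docs, pics, temp):
        d.mkdir()
    (docs / "report.doc").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_bytes(b"\x00" * 16)
    (docs / "setup.exe").write_bytes(b"MZ")  # not a targeted extension
    (docs / RANSOM_NOTE).write_text(RANSOM_NOTE_PREFIX + "\nTo buy decoder mail: ...\n")
    (pics / "holiday.jpg").write_bytes(b"\x00" * 16)  # no note here: not reported
    (temp / INVENTORY_FILE).write_text("placeholder inventory\n")  # stands in for %TEMP%
    return base, temp

if __name__ == "__main__":
    base, temp = build_sample_tree()
    print(scan_tree(base, temp))
```

Run against a real system, `root` would be each data drive and `temp_dir` the Windows Temporary folder named in the notice; a non-empty `ransom_note_dirs` with `in_progress` true is the case where the machine should be taken offline before cleanup.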