Trj.PGPCoder.A

computer virus
Common name=Gpcode
Technical name=Trojan.PGPCoder, Virus.Win32.Gpcode
Classification=Trojan
Fullname=Trojan.PGPCoder
IsolationDate=2005-05-20

PGPCoder or GPCode is a trojan that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, dubbed ransomware or cryptovirology.

Trojan

Once installed on a computer, the trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.

Once it has been run, the trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include .doc, .html, .jpg, .xls, .zip and .rar.

The blackmail is completed with the trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $100-200 to an e-gold or Liberty Reserve account. [cite web|url=http://rump2008.cr.yp.to/6b53f0dad2c752ac2fd7cb80e8714a90.pdf|title=Cryptanalysis of the Gpcode.ak ransomware virus|author=Eran Tromer|acccessdate=2008-09-30]

Efforts to combat the trojan

While a few Gpcode variants have been successfully implemented [cite web|url=http://www.kaspersky.com/news?id=207575651|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus|date=2008-06-09] , many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken. [cite web|url=http://www.viruslist.com/en/analysis?pubid=189678219|title=Blackmailer: the story of Gpcode|date=2006-07-26|publisher=Kaspersky Labs] Variant Gpcode.ak writes the encrypted file to a new location, and deletes the unencrypted file, and this allows an undeletion utility to recover some of the files. Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files. [cite web|url=http://support.kaspersky.com/faq/?qid=208279822|title=Utilities which fight Virus.Win32.Gpcode.ak|date=2008-06-25|publisher=Kaspersky Lab] [cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187531|title=Restoring files attacked by Gpcode.ak|publisher=Kaspersky Labs|date=2008-06-13] [cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187538|title=Another way of restoring files after a Gpcode attack|date=2008-06-26] Variant Gpcode.am uses symmetric encryption, which made key recovery very easy. [cite web|url=http://www.viruslist.com/en/weblog?weblogid=208187565|title=New Gpcode - mostly hot air|date=2008-08-14|publisher=Kaspersky Labs]

Kaspersky Lab has been able to make contact with the author of the program, and verify that they are the real author, but have so far been unable to determine his real world identity. [cite web|url=http://www.techworld.com/security/news/index.cfm?newsid=105043|title=Police 'find' author of notorious virus|date=2008-09-30|publisher=TechWorld]

References

External links

* Kaspersky Lab
** [http://www.kaspersky.com/find?words=gpcode&search=Search Kaspersky Lab blog posts]
** [http://forum.kaspersky.com/index.php?showforum=91 Kaspersky Lab forum dedicated to GPCode]
** [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky Lab virus descriptions]
** [http://downloads1.kaspersky-labs.com/utils/stopgpcode/ StopGPCode trojan removal utilties]
* Other virus description databases
** [http://www.f-secure.com/v-descs/gpcode.shtml F-Secure]
** [http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99 Symantec]
** McAfee: [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133901 GPCoder] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139824 GPCoder.e] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139907 GPCoder.f] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139906 GPCoder.g] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142712 GPCoder.h] [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=145334 GPCoder.i]
** Trend Micro: [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.A TROJ_PGPCODER.A] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.B TROJ_PGPCODER.B] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.C TROJ_PGPCODER.C] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.D TROJ_PGPCODER.D] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.E TROJ_PGPCODER.E] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.F TROJ_PGPCODER.F] [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PGPCODER.G TROJ_PGPCODER.G]
** [http://www.threatexpert.com/report.aspx?md5=7CD8E2FC5FE2DC351F24417CC1D23AFA ThreatExpert]


Wikimedia Foundation. 2010.

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.