Jump to content

PGPCoder

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Underpants (talk | contribs) at 16:33, 30 September 2008 (rewrite paragraph about recovery methods, this time with cites). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Gpcode
Technical nameTrojan.PGPCoder, Virus.Win32.Gpcode
ClassificationTrojan

PGPCoder, also known as GPCode, is a trojan that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, dubbed ransomware or cryptovirology.

Once installed on a computer, the trojan creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.

Once it has been run, the trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats).

GPcode uses the ADD instruction on the plaintext with an 8-bit encryption key. The starting value of the encryption key is 0x3a and it is changed using the fixed values 0x25 and 0x5c after the encipherment of each subsequent byte of plaintext.

The blackmail is completed with the trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200.

While a few Gpcode variants have been successfully implemented[1], many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.[2] Variant Gpcode.ak writes the encrypted file to a new location, and deletes the unencrypted file. This allows an undeletion utility to recover some of the files.[3] Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files.[4] Variant Gpcode.am uses symmetric encryption, and so makes decryption easy.[5]

References

  1. ^ "Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus". 2008-06-09.
  2. ^ "Blackmailer: the story of Gpcode". Kaspersky Labs. 2006-07-26.
  3. ^ "Restoring files attacked by Gpcode.ak". Kaspersky Labs. 2008-06-13.
  4. ^ "Another way of restoring files after a Gpcode attack". 2008-06-26.
  5. ^ "New Gpcode - mostly hot air". publisher=Kaspersky Labs. 2008-08-14. {{cite web}}: Missing pipe in: |publisher= (help)
Retrieved from "https://en.wikipedia.org/w/index.php?title=PGPCoder&oldid=242030232"