Content
GPcoder
- Type
- Trojan
- SubType
- Win32
- Discovery Date
- 05/20/2005
- Length
- 56,832 bytes
- Minimum DAT
- 4496 (05/20/2005)
- Updated DAT
- 5076 (07/17/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 05/20/2005
- Description Modified
- 06/09/2006 1:47 AM (PT)
Tab Navigation
Characteristics
This trojan encrypts documents, depending on the file extension, and then attempts to extort money from the victim in order for them to obtain a decryptor tool to recover the documents.
When run this trojan searches for files using the following extensions:
- pgp
- asc
- db2
- db1
- db
- jpg
- html
- htm
- dbf
- rar
- zip
- rtf
- txt
- doc
- xls
Found documents are encoded and a text file named ATTENTION!!!.txt is placed in the directory containing the following text:
| Some files are coded. To buy decoder mail: n {removed} @yahoo.com with subject: PGPcoder 000000000032 |
The following registry key is created:
- HKEY_CURRENT_USER\Software\Microsoft\Sysinf "cur_not_done"
During testing, the trojan also contained a meaningless registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "services" = C:\Documents
The intention here is for the trojan to configure itself to run at system startup, however the program contains a bug such that directories containing spaces are not handled properly.
Symptoms
- File overwritten with "garbage" (encrypted data).
- Presence of aforementioned ATTENTION!!!.txt files.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- GPcoder
- TROJ_PGPCODER.A (Trend)
- Trojan.Pgpcoder (Symantec)
- Virus.Win32.Gpcode.b (Kaspersky)
Characteristics
Characteristics -
This trojan encrypts documents, depending on the file extension, and then attempts to extort money from the victim in order for them to obtain a decryptor tool to recover the documents.
When run this trojan searches for files using the following extensions:
- pgp
- asc
- db2
- db1
- db
- jpg
- html
- htm
- dbf
- rar
- zip
- rtf
- txt
- doc
- xls
Found documents are encoded and a text file named ATTENTION!!!.txt is placed in the directory containing the following text:
| Some files are coded. To buy decoder mail: n {removed} @yahoo.com with subject: PGPcoder 000000000032 |
The following registry key is created:
- HKEY_CURRENT_USER\Software\Microsoft\Sysinf "cur_not_done"
During testing, the trojan also contained a meaningless registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "services" = C:\Documents
The intention here is for the trojan to configure itself to run at system startup, however the program contains a bug such that directories containing spaces are not handled properly.
Symptoms
Symptoms -
- File overwritten with "garbage" (encrypted data).
- Presence of aforementioned ATTENTION!!!.txt files.
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
Variants -
N/A
