PandaLabs has detected the appearance of PGPCoder.B, a Trojan designed to blackmail users: it encrypts files on the computers it infects and then demands that the user buy an application to restore them to their original state.
The new variant is more capable than its predecessor because it encrypts more file types. These include files belonging to the most widely used applications in the Microsoft Office suite (such as Word or Outlook) and the most common compressed-archive formats, such as zip, rar and arj. The author has also slightly changed the encryption algorithm the Trojan uses.
"It is highly probable that the author of this new Trojan is the same as the creator of the original one. The biggest difference we have seen in this version, up until now, is that it affects more file types. However, as it has taken over a month for this new version to be unleashed, it is possible that the author is taking time to perfect his creation. This does not mean, however, that in the meantime other variants won’t be released to help him make ends meet," explains Luis Corrons, director of PandaLabs.
PGPCoder.B cannot propagate by itself, so it has to be distributed directly by its author. This can be done through many different channels: Internet downloads, FTP, storage devices, P2P file-sharing networks, etc.
When the user runs the file carrying PGPCoder.B, the Trojan encrypts every file with one of the targeted extensions that it finds on the computer. In each folder where it has encrypted a file, it leaves a text file containing the following message:
Some files are coded.
To buy decoder mail: md56@mail.ru
with subject: PGPcoder md56
It then adds several entries to the Windows Registry, recording, for example, the number of files it has encrypted on the system. Finally the Trojan removes itself: it creates a self-executing file that deletes PGPCoder.B from the system.
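The behaviour described above gives an incident responder two things to look for on a suspect machine: the ransom note dropped into each affected folder, and files of the targeted types whose contents no longer look like that type. The following triage script is an added example, not code from PandaLabs or from the original article. It walks a directory tree, flags folders that contain the note quoted above, and lists sibling files whose extension promises a Word, Outlook, zip, rar or arj file but whose leading bytes do not carry that format's signature. The header-mismatch heuristic and the magic numbers are assumptions made here; the article does not say how PGPCoder.B transforms file contents. Note that entropy checks are useless for this case, since zip and rar archives are already high-entropy before encryption; a missing signature is the more reliable signal. The sample directory tree is constructed inside the script so it runs offline.

```python
"""Triage helper for a PGPCoder-style ransomware incident (added example)."""
import os
import tempfile

# The note quoted in the article, one entry per line.
RANSOM_NOTE_LINES = (
    "Some files are coded.",
    "To buy decoder mail: md56@mail.ru",
    "with subject: PGPcoder md56",
)

# Assumed standard file signatures for the formats the article names.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file
    ".pst": (b"!BDN",),                               # Outlook personal folders
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),           # zip, incl. empty archive
    ".rar": (b"Rar!\x1a\x07",),                       # RAR v1.5-v5 prefix
    ".arj": (b"\x60\xea",),                           # ARJ archive header
}


def is_ransom_note(path):
    """True if the file's non-blank lines are exactly the quoted note."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            text = fh.read(4096)
    except OSError:
        return False
    lines = tuple(ln.strip() for ln in text.splitlines() if ln.strip())
    return lines == RANSOM_NOTE_LINES


def header_mismatch(path):
    """True if the extension names a known format but the header does not match it."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if not sigs:
        return False  # extension not tracked: no opinion
    with open(path, "rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(s) for s in sigs)


def triage(root):
    """Return {relative folder: [suspect files]} for folders holding a ransom note."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        paths = [os.path.join(dirpath, f) for f in files]
        notes = [p for p in paths if is_ransom_note(p)]
        if not notes:
            continue
        suspects = sorted(os.path.basename(p) for p in paths
                          if p not in notes and header_mismatch(p))
        findings[os.path.relpath(dirpath, root)] = suspects
    return findings


def build_fixture():
    """Constructed sample tree: one hit folder, one clean folder (test data, not real malware)."""
    root = tempfile.mkdtemp(prefix="pgpcoder-triage-")
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Music")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "readme.txt"), "w", encoding="ascii") as fh:
        fh.write("\n".join(RANSOM_NOTE_LINES) + "\n")
    # Stand-ins for encrypted files: right extension, garbage where the header should be.
    with open(os.path.join(hit, "budget.doc"), "wb") as fh:
        fh.write(b"\x8f\x3b\x9a\x01\xf2\x77\xc4\x0e" * 4)
    with open(os.path.join(hit, "backup.zip"), "wb") as fh:
        fh.write(b"\x13\x37\xde\xad\xbe\xef\x00\x42" * 4)
    # An untouched zip keeps its signature and must not be flagged.
    with open(os.path.join(hit, "intact.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 26)
    # An untracked extension is ignored even though its bytes are random.
    with open(os.path.join(hit, "notes.log"), "wb") as fh:
        fh.write(b"\xff\xfe\x11" * 8)
    # Folder without a note is never reported.
    with open(os.path.join(clean, "song.mp3"), "wb") as fh:
        fh.write(b"ID3" + b"\x00" * 13)
    return root


if __name__ == "__main__":
    for folder, files in triage(build_fixture()).items():
        print(f"{folder}: ransom note present; header mismatches: {files}")
```

Running the script against the constructed tree reports the Documents folder with budget.doc and backup.zip as header mismatches, while intact.zip, notes.log and the Music folder are left alone. On a real system you would point `triage()` at the user's profile or at a mounted disk image and treat every reported folder as a starting point for restoring from backup, since the note itself is the surest indicator that the folder was visited.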
"The appearance of PGPCoder.B is yet further proof that currently the main aim of malware authors is financial gain. Bear in mind that this Trojan has been designed exclusively to make money. This, along with other types of online fraud like phishing or pharming, presents a dangerous outlook for users. Our advice is to always use the appropriate security measures to protect systems, above all because not only files and computers are at risk, but also the user's bank balance," concludes Corrons.