In late May 2005 an extortion trojan exploiting a well-known Microsoft Internet Explorer vulnerability (MS04-023) circulated widely. As usual, anti-virus vendors use a variety of names for the malware:
- Troj/Gpcode-B (Sophos)
- TROJ_PGPCODER.A (Trend Micro)
- PGPcoder (McAfee)
- Trojan.Pgpcoder (Symantec)
- Win32.Gpcode.B (CA)
- Virus.Win32.GPCode.b (Kaspersky Lab)
The trojan downloads and executes malicious code, then encrypts every file found on the storage media that has one of these extensions: ASC, DB, DB1, DB2, DBF, DOC, HTM, HTML, JPG, PGP, RAR, RTF, TXT, XLS, ZIP. It then drops a text file named ATTENTION!!!.txt which reads:
Some files are coded. To buy decoder mail: n{removed}@yahoo.com with subject: PGPcoder 000000000032
The trojan also adds registry keys so that it runs at startup.
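A small triage script for the behaviour described above, added here as an example and not part of the original advisory: it walks a directory tree, reports ransom notes matching the ATTENTION!!!.txt text quoted above, and flags files with the targeted extensions whose content is close to random (as ciphertext is). The entropy threshold, the sample directory and its file names are assumptions; JPG, RAR and ZIP are skipped in the entropy check because those formats are high-entropy even when untouched.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the advisory lists as targeted by Gpcode.
TARGET_EXTS = {".asc", ".db", ".db1", ".db2", ".dbf", ".doc", ".htm", ".html",
               ".jpg", ".pgp", ".rar", ".rtf", ".txt", ".xls", ".zip"}
# JPG, RAR and ZIP are already compressed, so entropy alone cannot tell them
# from ciphertext; the entropy check is applied only to the remaining formats.
LOW_ENTROPY_EXTS = TARGET_EXTS - {".jpg", ".rar", ".zip"}
NOTE_NAME = "ATTENTION!!!.txt"
NOTE_MARKER = "PGPcoder"  # string from the subject line quoted in the ransom note

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(root: str, threshold: float = 7.0) -> dict:
    """Walk root; collect Gpcode-style ransom notes and targeted files that look encrypted."""
    notes, suspects = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME and NOTE_MARKER in path.read_text(errors="ignore"):
            notes.append(str(path))
        elif path.suffix.lower() in LOW_ENTROPY_EXTS:
            ent = shannon_entropy(path.read_bytes())
            if ent >= threshold:
                suspects.append((str(path), round(ent, 2)))
    return {"ransom_notes": notes, "suspect_files": suspects}

def build_sample_dir() -> str:
    """Constructed sample tree (not real malware output): a ransom note, a plain
    text file, and a random-byte .doc standing in for an encrypted document."""
    root = tempfile.mkdtemp()
    (Path(root) / NOTE_NAME).write_text("Some files are coded. To buy decoder mail: "
                                        "n{removed}@yahoo.com with subject: PGPcoder 000000000032")
    (Path(root) / "readme.txt").write_text("quarterly report draft " * 40)
    (Path(root) / "report.doc").write_bytes(os.urandom(4096))
    return root
```

Run `triage(build_sample_dir())` to see one ransom note and `report.doc` flagged while `readme.txt` passes; on a real system point `triage` at the affected volume and treat the result as a starting point for restoring from backup, since the encrypted files themselves cannot be recovered by this check.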
The intention of the “cyber-kidnappers” is to demand a US$200 ransom from users to decrypt the files held hostage. Some security experts refer to this kind of trojan as “ransom-ware”. No doubt the relevant police forces are making efforts to trace the bank transactions, but intelligent criminals will have taken steps to obscure the trail. Even if the criminals are caught, victims may never recover their encrypted data.
The Microsoft Internet Explorer security patch for that vulnerability was issued on 12th July 2004. Users are recommended to:
- back up their data frequently,
- patch the operating system with the latest security patches,
- install anti-virus software with the latest virus definition signatures and with on-access scanning turned on,
- install server-side/client-side firewall hardware/software where possible,
- download the latest version of Microsoft Internet Explorer with the latest patches installed, or use another web browser.
The encrypt-and-extort technique is not new; possibly its first use was in December 1989, when the “AIDS Diskette” was sent out by post on 5.25-inch floppies.