How to prevent d/l'g Trojan.Pgpcoder??


#1 mja616



  • Full Member
  • 27 posts

Posted 24 May 2005 - 06:12 PM

I read this today, did a search here, and when I found no discussion on it, I really started to get scared!

Anyone know how to prevent this from ending up on your computer?


In a new type of online attack, extortionists remotely encrypt user files and then demand money for the key to decode the information.
In a case documented by San Diego-based Web security company Websense, the attack occurs after a user visits a Web site containing code that exploits a known flaw in Microsoft's Internet Explorer Web browser. The flaw is used to download and run a malicious program that in turn downloads an application that encrypts files on the victim's PC and mapped network drives, according to Websense. The program then drops a ransom note.

Even though this type of attack is not widespread at this point, Internet users should be aware of the threat, said Oliver Friedrichs, a senior manager at Symantec Security Response. "It is certainly concerning. This is the first time that we have seen cryptography used in this type of attack to hold your information hostage," he said.

"I would see this as the equivalent of somebody coming into your house, putting your valuables in a safe and not telling you the combination," Friedrichs said.

Researchers at Symantec have seen the malicious program used in the ransom attack. The "Trojan.Pgpcoder" searches a victim's hard disk drive for 15 common file types, including images and Microsoft Office file types. It then encrypts the files, removes the originals and drops a note asking $200 for the encryption key, Friedrichs said.

A Websense customer fell victim to the attack. Luckily, in this case the encryption wasn't very sophisticated and Websense was able to decode the customer's files, said Dan Hubbard, senior director of security and research at Websense. "In this case we could help, but every variant can be different," he said.

Attackers could use e-mail, a Web site, or other means to distribute the Trojan.Pgpcoder and launch a widespread extortion campaign, Symantec's Friedrichs said.

Websense, however, doesn't see a trend yet. Attackers leave a trail if they ask for money, Hubbard said: "This type of attack is not that difficult to perform. However, in order to collect money the attackers are leaving themselves open to investigation and tracing."

For protection, users should run security software and make sure that their software is patched, Websense and Symantec said. The Internet Explorer flaw exploited to attack the user in the Websense case was patched in July last year.

The Websense customer was victimized two weeks ago. The Web sites involved in the attack have since been taken down.

#2 Misereor



  • Full Member
  • 84 posts

Posted 25 May 2005 - 01:55 AM

This particular exploit uses a known flaw in Internet Explorer.

So either make sure your computer is fully updated, or switch to another browser.

#3 Pierre (aka Terdef)


  • Ambassador
  • 18 posts

Posted 30 May 2005 - 06:27 AM


This was a flaw in Internet Explorer, corrected by MS04-023 - Vulnerability in HTML Help Could Allow Code Execution - in July 2004!

Everybody must have an up-to-date, patched Windows (even if he does not use Internet Explorer).

More info on:
Symantec - Norton
eTrust (CA)
Assiste.com - Asap

In case of contamination, use this hotfix:
Name: Restore_GpcodeB.ZIP
Size: 71.7 KB
- GPcodeB_clean.exe
Size: 168 KB
MD5: 6B151167939BE0C20BD5095475F5004C
- Readme.txt

Edited by Pierre (aka Terdef), 30 May 2005 - 08:19 AM.

Pierre (aka Terdef)
Assiste.com - ASAP
Computers security, Internet privacy and dirty tricks
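
An added example, not part of the post above or of the tool itself: before running a cleanup tool like the one listed in post #3, check that the archive member matches the published MD5. The function names and the in-memory sample archive are constructed for illustration; the member name and MD5 are the ones given in the post.

```python
import hashlib
import io
import zipfile

# Member name and MD5 exactly as posted in the thread.
PUBLISHED_MEMBER = "GPcodeB_clean.exe"
PUBLISHED_MD5 = "6B151167939BE0C20BD5095475F5004C"


def verify_tool(archive, member=PUBLISHED_MEMBER, expected_md5=PUBLISHED_MD5):
    """Return (ok, reason); ok is True only if member exists and its MD5 matches.

    The member is hashed straight from the archive, so nothing is extracted
    or executed before the check passes. MD5 is used because it is the only
    digest the post gives; it catches corruption or a swapped file, but it is
    not collision-resistant.
    """
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return False, "not a valid ZIP archive"
    with zf:
        if member not in zf.namelist():
            return False, f"{member} not present in archive"
        digest = hashlib.md5()
        with zf.open(member) as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    actual = digest.hexdigest()
    if actual.lower() != expected_md5.lower():
        return False, f"MD5 mismatch: got {actual}"
    return True, "MD5 matches published value"


def make_sample_zip(payload, member=PUBLISHED_MEMBER):
    """Build a constructed in-memory archive (stand-in for the real download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
        zf.writestr("Readme.txt", "constructed sample")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed bytes, not the real tool, so the published MD5 must not match.
    print(verify_tool(make_sample_zip(b"constructed stand-in bytes")))
```

To check a real download, pass the path of the ZIP file as `archive`.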

#4 LostAccount


    Forum Deity

  • Trusted Advisor
  • 1,291 posts

Posted 30 May 2005 - 08:40 AM

Many trojans use this exploit... including CWS... I think Merijn's Bugoff protects against this by using a workaround (so it may break HTML Help)... just patch your system early.
Useful Software:
Kaspersky (https://www.kaspersky.com), Housecall Trendmicro (https://housecall.trendmicro.com/), a2 free edition (https://www.emsisoft.com), Kerio Personal Firewall (https://www.kerio.com), Ad-aware SE (https://www.lavasoftusa.com), Spybot S&D (https://security.kolla.de), HJT (https://www.merijn.org/files/hijackthis.zip), CWShredder (https://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (https://www.mvps.org/winhelp2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiuc.edu/ehowes/www/resource.htm), Spywareguard and Spywareblaster (https://www.javacoolsoftware.com/), Winpatrol (https://www.winpatrol.com), Mozilla & Firefox (https://www.mozilla.org)

#5 mja616



  • Full Member
  • 27 posts

Posted 22 October 2005 - 08:57 AM

Thank you all for this insight!

#6 nl255



  • Full Member
  • 54 posts

Posted 11 November 2005 - 11:22 AM

This is NOT a new tactic, the AIDS Information trojan did the same thing in 1989. It was sent by the PC Cyborg Corporation (which wasn't a real company) from Panama to people on a 5.25 inch (remember those?) floppy disk. He even tried to use an EULA to protect himself from prosecution but that failed, though he was later found unfit to stand trial. You can find more information about the old AIDS Information trojan at http://ciac.llnl.gov...tins/a-10.shtml . The only differences are that this uses an exploit instead of a manual install and it uses the Internet instead of the post office. Extortionware is not new, the reason it hasn't been done more is because it is relatively easy to find the people responsible by following the money trail.

Edited by nl255, 11 November 2005 - 11:23 AM.

Member of UNITE