MoMusings

Tuesday 24th May, 2005


Extortion Using Malware

Filed under: All, Malware

A new malware was reported by Symantec on the 22nd of May 2005 that does something rather nasty with certain file types; it makes an encrypted copy of the file and then deletes the original, effectively denying you access to your own files!


This new malware is known as:

It affects all Windows platforms; Mac and *NIX systems are not affected [nothing much new there then].

The files it targets are the ones with the following extensions:
.asc, .db, .db1, .db2, .dbf, .doc, .htm, .html, .jpg, .pgp, .rar, .rtf, .txt, .xls, .zip

Each folder that contains encoded files will also contain a file called ‘ATTENTION!!!.txt’. The contents of the file are as follows:

Some files are coded.
To buy decoder mail: [user]@yahoo.com
with subject: PGPcoder 000000000032

As with most modern malware, it also modifies the registry to ensure it is executed automatically at every Windows system startup.

Once all suitable files on the infected system have been successfully encoded [both on the local infected system and on any writeable network shares the infected system has access to], it removes itself by creating and running a file called ‘c:\tmp.bat’; it even deletes the batch file afterwards.
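To turn the indicators above into something a defender can run, here is a small added example (my own illustration, not code from the original post or from any AV vendor). It walks a directory tree looking for the ‘ATTENTION!!!.txt’ marker, checks whether its text matches the ransom note quoted above [the e-mail local part and the trailing number are matched loosely, since they may vary], and counts how many files with the targeted extensions still survive in that folder. The sample folders and file names it creates are constructed for the demo; the post does not say how the encoded copies are named, so the example makes no assumption about that.

```python
"""Indicator scan for the Gpcode ransom-note marker described in the post.

Added example; the sample directory tree below is constructed for the demo.
"""
import os
import re
import shutil
import tempfile

# Extensions the post lists as the ones the malware targets.
TARGET_EXTS = {".asc", ".db", ".db1", ".db2", ".dbf", ".doc", ".htm", ".html",
               ".jpg", ".pgp", ".rar", ".rtf", ".txt", ".xls", ".zip"}

# Name of the note dropped into each folder containing encoded files.
NOTE_NAME = "ATTENTION!!!.txt"

# Pattern derived from the note text quoted in the post. The mailbox and the
# numeric subject suffix are matched loosely so minor variations still hit.
NOTE_PATTERN = re.compile(
    r"Some files are coded\.\s*"
    r"To buy decoder mail:\s*\S+@\S+\s*"
    r"with subject:\s*PGPcoder\s+\d+",
    re.IGNORECASE,
)


def note_matches(text):
    """True if the text looks like the Gpcode ransom note."""
    return NOTE_PATTERN.search(text) is not None


def scan_tree(root):
    """Return sorted (folder, note_matched, surviving_target_files) tuples for
    every folder under root that contains a file named ATTENTION!!!.txt."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        note_path = os.path.join(dirpath, NOTE_NAME)
        with open(note_path, encoding="utf-8", errors="replace") as f:
            matched = note_matches(f.read())
        # Targeted files still present alongside the note; the note itself is
        # a .txt and is excluded from the count.
        surviving = sorted(
            name for name in files
            if name != NOTE_NAME
            and os.path.splitext(name)[1].lower() in TARGET_EXTS
        )
        hits.append((os.path.relpath(dirpath, root), matched, surviving))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: 'docs' holds a real-looking note and no surviving
    targeted files; 'pictures' holds a same-named file whose text does not
    match plus one untouched .jpg; 'music' is clean. Returns the root path."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = os.path.join(root, "docs")
    pictures = os.path.join(root, "pictures")
    music = os.path.join(root, "music")
    for d in (docs, pictures, music):
        os.makedirs(d)
    with open(os.path.join(docs, NOTE_NAME), "w") as f:
        f.write("Some files are coded.\n"
                "To buy decoder mail: someone@example.com\n"   # constructed
                "with subject: PGPcoder 000000000032\n")
    with open(os.path.join(docs, "budget.bak"), "w") as f:      # not a targeted ext
        f.write("placeholder\n")
    with open(os.path.join(pictures, NOTE_NAME), "w") as f:
        f.write("reminder: back up the holiday photos\n")        # benign same-named file
    with open(os.path.join(pictures, "holiday.jpg"), "w") as f:
        f.write("not really a jpeg\n")
    with open(os.path.join(music, "song.mp3"), "w") as f:
        f.write("not really an mp3\n")
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the hits."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for folder, matched, surviving in demo():
        status = "RANSOM NOTE" if matched else "same-named file, text differs"
        print(f"{folder}: {status}; surviving targeted files: {surviving or 'none'}")
```

A folder reporting a matching note with no surviving targeted files is the strongest signal; a matching note next to intact targeted files suggests the encoding was interrupted, which is worth preserving as evidence rather than “cleaning up”.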

The original version [Virus.Win32.Gpcode.a] was found in December of 2004 and interestingly Kaspersky also found the second variant later that month, so why has it taken Symantec [and other AV vendors] so long to add detection to their products?

The thing is that this type of cyber extortion is not new; in fact botnets are often used to extort money, and “pay up or we will DDoS you off the internet” is the common threat used by modern cyber-extortionists. One of the first cases occurred back in 1989 [which I will cover below]. At that time most malicious software was a mere gleam in the eye of the malware author, who may well have been nothing more than a gleam in the eye of their father at that time too. ;-)

The first case of cyber extortion using malware I personally saw and remember is the famous AIDS Information Disk. Let us travel back into the murk of malware history…


According to Virus Bulletin “some twenty thousand envelopes containing a 5.25 inch floppy disk [if you remember what they are, see picture] were bulk mailed from London to computer users in the UK, Europe, Africa, Scandinavia, and Australia. The disks, which were DOS compatible, were marked ‘Aids Information Diskette Version 2.0′ and encouraged the recipient to insert the disk and install its contents on the computer.”

If the recipient complied and installed the software, the program would modify the AUTOEXEC.BAT so that every time it was executed a hidden counter program incremented by one. Once the counter reached 90, the data on the trojanised hard disk in the system was encrypted. The affected user was then informed by a message on the screen that the only way to get the data back was to pay the licensing fee to PC Cyborg Corporation.

The license agreement was printed on a blue leaflet that accompanied the diskette, in ‘very’ small print. This urged the user to send $189 or $378 to a post office box in Panama.

The program was clearly an attempt to extort money from unsuspecting users (the program actually conducted an AIDS risk factor questionnaire, so users might have had considerable reason to be nervous about their data), making them more likely to pay up and less likely to contact the authorities.

The perpetrator of this scam was one Dr. Joseph Popp, who was identified when he began behaving strangely at Schiphol Airport, Amsterdam. An alert security guard who inspected Popp’s luggage spotted a rubber stamp bearing the name PC Cyborg Corporation. Popp was later extradited to the UK to await trial. During his stay at Her Majesty’s pleasure, he was reported to be wearing hair curlers in his beard and a condom on his nose, apparently ‘in order to ward off radiation’. Not surprisingly, he was found unfit to be tried and returned to the USA. However, he was later convicted, in absentia, by Italian courts.

Personally, I prefer the method used in Black Adder Goes Forth [Episode 6. “Plan F: Goodbyeee…” ], which uses a couple of pencils and a pair of underpants [preferably clean]. The pencils are inserted into the nostrils [one in each] and the underpants are worn on the head. The final piece of this cunning ‘insanity ploy’, is to answer every question with the word ‘Wibble’, preferably used in multiples. ;-)

Links:
http://www.virusbtn.com/resources/malwareDirectory/about/history.xml

