PGPcoder Trojan



solstiz
07-09-2005, 11:48 PM
Suspected that my PC is being infected by PGPcoder Trojan.
http://vil.nai.com/vil/content/v_133901.htm
http://www.authentium.com/support/AVMatrix/VirusDetail.aspx?RefNo=715

All my files have been encrypted and I can no longer access them!!! anyone
have any idea how to recover my files? They are really important to me...

distressed
solstiz

Axel Pettinger
07-09-2005, 11:48 PM
solstiz wrote:
>
> Suspected that my PC is being infected by PGPcoder Trojan.
> http://vil.nai.com/vil/content/v_133901.htm
> http://www.authentium.com/support/AVMatrix/VirusDetail.aspx?RefNo=715
>
> All my files have been encrypted and i can no longer access them!!!

What do you mean by "can no longer access them"? If you're really hit by the
PGPcoder trojan then your files are still accessible but cannot be read
anymore because they're encoded. What else makes you think you're
infected with it?

Can you find the file c:\tmp.bat on your computer? Can you read the
string "PGPcoder" at the beginning of encoded files? Or do you have an
anti virus scanner which identified the trojan?

> anyone have any idea how to recover my files? They are really
> important to me...

Other descriptions:

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPGPCODER%2EA&VSect=T
http://www.sarc.com/avcenter/venc/data/trojan.pgpcoder.html

From Websense's description it seems that the reason for an "infection"
with the PGPcoder trojan is an unpatched version of the Internet
Explorer and a visit of a malicious web site.

Make sure you regularly visit windowsupdate.microsoft.com to patch your
computer.

The recently detected PGPcoder trojan is obviously only a variant of a
trojan which was already found more than five months ago.

The first variant is detected as "Virus.Win32.Gpcode.a" [Kaspersky] aka
"Trojan.Redop" [Symantec] aka "W32/Gpcode" [McAfee] aka "Win32/Gpcode.A"
[Grisoft]. It seems that only Kaspersky remembered it because they
detect the newer variant as the B variant while McAfee and Symantec use
different names for it.

Nevertheless, I might have something interesting for you ... :)

If your files are really encoded because of the PGPcoder trojan then you
could ask Kaspersky Labs (newvirus<@>kaspersky<.>com) whether they can
help you. They've already added a decryption routine to their databases
for the A variant (see the following article). Maybe their anti virus
scanner can already decrypt files encrypted by the B variant ...

http://www.viruslist.com/en/weblog?discuss=156387172&return=1

Regards,
Axel Pettinger
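The two indicators Axel asks about (the dropped file c:\tmp.bat and the literal string "PGPcoder" at the start of encoded files) can be checked in one pass. The script below is an added triage example, not something posted in this thread; it assumes the marker is exactly the ASCII text "PGPcoder" as the first bytes of an affected file, and the sample directory it builds is constructed for the demonstration.

```python
"""Triage helper for the two PGPcoder indicators named in the thread:
the dropped batch file c:\\tmp.bat and the "PGPcoder" marker at the
start of encoded files.  Added example; the marker layout is assumed
and the sample tree below is constructed."""
import os
import tempfile
from pathlib import Path

MARKER = b"PGPcoder"
DROPPED_BATCH = r"c:\tmp.bat"  # path named in the thread


def is_marked(path: Path) -> bool:
    """True when the file begins with the PGPcoder marker."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def scan_tree(root) -> list:
    """Walk root and return the paths (as strings) of marked files, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_marked(p):
                hits.append(str(p))
    return sorted(hits)


def triage(root, batch_path=DROPPED_BATCH) -> dict:
    """Combine both indicators into one report."""
    hits = scan_tree(root)
    return {
        "dropped_batch_present": os.path.exists(batch_path),
        "marked_files": hits,
        "marked_count": len(hits),
    }


def build_sample_tree() -> str:
    """Construct a throwaway directory: two marked files, two clean ones."""
    root = tempfile.mkdtemp(prefix="pgpcoder_triage_")
    (Path(root) / "docs").mkdir()
    samples = {
        "docs/report.doc": MARKER + b"\x00\x10" + bytes(range(64)),
        "docs/notes.txt": b"meeting notes, nothing unusual\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "budget.xls": MARKER + b"\x01\x02" + bytes(range(64)),
    }
    for rel, data in samples.items():
        (Path(root) / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = triage(sample_root)
    print(f"dropped batch present: {report['dropped_batch_present']}")
    print(f"{report['marked_count']} file(s) carry the marker:")
    for hit in report["marked_files"]:
        print("  ", hit)
```

Run it against a real tree by calling `triage(r"C:\Documents and Settings")` instead of the constructed sample; the report only reads the first eight bytes of each file, so it is safe to run on a machine you are still investigating.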

David H. Lipman
07-09-2005, 11:48 PM
From: "solstiz" <solstiz@discussions.microsoft.com>

| Suspected that my PC is being infected by PGPcoder Trojan.
| http://vil.nai.com/vil/content/v_133901.htm
| http://www.authentium.com/support/AVMatrix/VirusDetail.aspx?RefNo=715
|
| All my files have been encrypted and i can no longer access them!!! anyone
| have any idea how to recover my files? They are really important to me...
|
| distressed
| solstiz



Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Edit the file; C:\mcafee\killproc.txt
Append to the list in the file; encoder32.exe
Make sure the last line is an empty line.


Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Axel Pettinger
07-09-2005, 11:48 PM
"David H. Lipman" wrote:
>
> GETFILES.BAT -- For downloading (FTP) the files needed to run the
> McAfee Command Line Scanner.

McAfee seems not to be able to decrypt files encrypted by the PGPcoder
trojan. And it's possible that the trojan did already delete itself. So
a scan with McAfee's command line scanner won't help much (in this case)
....

Regards,
Axel Pettinger

David H. Lipman
07-09-2005, 11:48 PM
From: "Axel Pettinger" <api@worldonline.de>

| "David H. Lipman" wrote:
>>
>> GETFILES.BAT -- For downloading (FTP) the files needed to run the
>> McAfee Command Line Scanner.
|
| McAfee seems not to be able to decrypt files encrypted by the PGPcoder
| trojan. And it's possible that the trojan did already delete itself. So
| a scan with McAfee's command line scanner won't help much (in this case)
| ...
|
| Regards,
| Axel Pettinger

Axel:

There was nothing in the write-up that indicates that encoder32.exe deletes itself.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Axel Pettinger
07-09-2005, 11:48 PM
"David H. Lipman" wrote:
>
> There was nothing in the write-up that indicates that encoder32.exe
> deletes itself.

Read Symantec's and/or Trend Micro's description. Both say that the
trojan drops a batch file which - after the encryption of all target
files - will delete the trojan. The encryption is the only purpose of
that trojan - its author wants money for the decryption -, so there's no
need to keep a copy of the trojan.

Regards,
Axel Pettinger

Juergen Nieveler
07-09-2005, 11:48 PM
Axel Pettinger <api@worldonline.de> wrote:

> Read Symantec's and/or Trend Micro's description. Both say that the
> trojan drops a batch file which - after the encryption of all target
> files - will delete the trojan. The encryption is the only purpose of
> that trojan - its author wants money for the decryption -, so there's
> no need to keep a copy of the trojan.

In fact it would be foolish to leave the Trojan. Something I missed in
the write-ups was whether the key used to encrypt the files was generated
dynamically (and sent out somewhere else), or whether all copies use the
same key. In the latter case, the key would be hardcoded into the
trojan, so if you find a copy of that you can reverse-engineer it and
get the key out of it. Assuming symmetrical encryption was used (which is
likely because it's faster) you'd then be able to decrypt all files.

Juergen Nieveler
--
Dawn is nature's way of telling you to go to bed
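Juergen's distinction between a hardcoded key and a per-infection key decides whether a recovered sample helps the victim. The toy below is an added illustration, not code from the thread and not Gpcode's real scheme: the cipher (XOR with a SHA-256 keystream), the fake sample binary, the embedded key and the document headers are all constructed. It shows that with a shared symmetric key, one file with a recognisable header is enough to locate the key inside the sample by known-plaintext matching and then decode every file, while a sample that carries no key yields nothing.

```python
"""Toy demonstration of key recovery from a sample that embeds a fixed
symmetric key, versus a sample that does not.  Added example; the
cipher and the fake binary are constructed and do not model Gpcode."""
import hashlib
import os

KEY_LEN = 16
MARKER = b"PGPcoder"  # header the thread says encoded files begin with
# Known leading bytes of common document types used as known plaintext.
KNOWN_HEADERS = (b"%PDF-", b"\xd0\xcf\x11\xe0", b"\xff\xd8\xff")


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: concatenated SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encode(plain: bytes, key: bytes) -> bytes:
    """Prefix the marker, then XOR the body with the keystream."""
    return MARKER + bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))


def toy_decode(blob: bytes, key: bytes) -> bytes:
    """Strip the marker and XOR the body back."""
    body = blob[len(MARKER):]
    return bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))


def looks_like_known_file(data: bytes) -> bool:
    return any(data.startswith(h) for h in KNOWN_HEADERS)


def recover_key(sample_binary: bytes, encoded_file: bytes):
    """Slide a KEY_LEN window over the sample; the window whose decode of
    the first eight body bytes yields a known header is the embedded key.
    Returns None when no window works (e.g. the key was never stored)."""
    probe = encoded_file[:len(MARKER) + 8]
    for off in range(len(sample_binary) - KEY_LEN + 1):
        cand = sample_binary[off:off + KEY_LEN]
        if looks_like_known_file(toy_decode(probe, cand)):
            return cand
    return None


def build_fake_sample(key: bytes) -> bytes:
    """Constructed stand-in for a binary with the key sitting in its data."""
    return b"MZ" + os.urandom(300) + key + os.urandom(200)


def demo() -> dict:
    docs = [b"%PDF-1.4 invoice body",
            b"\xd0\xcf\x11\xe0\xa1\xb1 quarterly report",
            b"\xff\xd8\xff\xe0 JFIF photo"]
    # Case 1: every copy carries the same key.
    shared_key = os.urandom(KEY_LEN)
    encoded = [toy_encode(d, shared_key) for d in docs]
    found = recover_key(build_fake_sample(shared_key), encoded[0])
    all_decoded = found is not None and all(
        toy_decode(e, found) == d for e, d in zip(encoded, docs))
    # Case 2: key generated per infection and never stored in the binary.
    per_victim_key = os.urandom(KEY_LEN)
    keyless_sample = b"MZ" + os.urandom(500)
    found_dynamic = recover_key(keyless_sample, toy_encode(docs[0], per_victim_key))
    return {"key_recovered": found == shared_key,
            "all_files_decoded": all_decoded,
            "dynamic_key_recovered": found_dynamic is not None}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The known-plaintext test is what makes the search cheap: an analyst does not need to understand the whole binary, only to know what a valid decoded file should start with. Real samples complicate this (keys may be derived rather than stored verbatim, or the cipher may be asymmetric), which is exactly the uncertainty Juergen points out.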

solstiz
07-09-2005, 11:49 PM
Problem solved.... found the key and obtained a de-coder......