
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


PGPCoder.A

Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects

PGPCoder.A encrypts all the files with any of the following extensions: ASC, DB, DB1, DB2, DBF, DOC, HTM, HTML, JPG, PGP, RAR, RTF, TXT, XLS and ZIP.

These extensions include Word documents, Excel spreadsheets, text files, JPG pictures, files compressed using WinZip and WinRAR, etc.

The user will not be able to open those files until they are decrypted. PGPCoder.A instructs users to send a message to an email address so that they can buy the decrypter.

Infection strategy

PGPCoder.A creates the following files:

  • TMP.BAT in the root directory of the C: drive. Once PGPCoder.A encrypts the files, this batch file deletes the Trojan file from the hard drive.
  • ATTENTION!!!.TXT. It creates a file like this in each subfolder in which it has encrypted any file. This text file contains the following message:
    Some files are coded.
    To buy decoder mail: n781567@yahoo.com
    with subject: PGPcoder 000000000032
  • AUTOSAVE.SIN in the Windows temporary directory.

PGPCoder.A modifies all the files with an ASC, DB, DB1, DB2, DBF, DOC, HTM, HTML, JPG, PGP, RAR, RTF, TXT, XLS and ZIP extension, as it encrypts them.


PGPCoder.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Sysinf
    cur_not_done = %variable DWORD%
    where %variable DWORD% is the number of files that the Trojan has encrypted.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    services = %path%\%file%
    where %path% is the path to the directory from which the Trojan file, which has a random name %file%, was run.
    By creating this entry, PGPCoder.A ensures that it is run whenever Windows is started.
    Bear in mind that, due to a programming error, if the path contains any blank spaces it is truncated at the first one. For example, C:\Program Files would be truncated to C:\Program.

Means of transmission

PGPCoder.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

PGPCoder.A is written in the programming language Visual C++. This Trojan is 56,832 bytes in size, and it is compressed with UPX.

Internally, files encrypted by PGPCoder.A begin with the text string PGPcoder 000000000032.
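As an added, defender-side example (not part of the Panda entry), the following Python script triages a directory tree using the two host indicators this entry gives: the PGPcoder 000000000032 header at the start of every encrypted file, and the ATTENTION!!!.TXT note dropped in each affected folder. The sample tree it scans is constructed inline so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Header the entry says every file encrypted by PGPCoder.A begins with.
PGPCODER_MARKER = b"PGPcoder 000000000032"
# Ransom note the Trojan drops in each folder where it encrypted something.
RANSOM_NOTE_NAME = "ATTENTION!!!.TXT"


def triage_tree(root):
    """Walk root and return paths of encrypted files and ransom notes.

    A file counts as encrypted only if its first bytes equal the marker;
    reading just the header keeps the scan cheap on large files.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper() == RANSOM_NOTE_NAME:
                notes.append(str(path))
                continue
            with open(path, "rb") as fh:
                head = fh.read(len(PGPCODER_MARKER))
            if head == PGPCODER_MARKER:
                encrypted.append(str(path))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree():
    """Constructed sample (not real malware output): one marked DOC,
    one untouched TXT, one note, and a clean JPG outside the folder."""
    root = Path(tempfile.mkdtemp(prefix="pgpcoder_demo_"))
    sub = root / "docs"
    sub.mkdir()
    (sub / "report.doc").write_bytes(PGPCODER_MARKER + b"\x00\x11\x22\x33")
    (sub / "readme.txt").write_bytes(b"plain text, untouched")
    (sub / RANSOM_NOTE_NAME).write_text(
        "Some files are coded.\nTo buy decoder mail: <placeholder>\n")
    (root / "clean.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted file(s), "
          f"{len(result['notes'])} ransom note(s)")
    for p in result["encrypted"]:
        print("  encrypted:", p)
```

The count of marked files can be compared with the cur_not_done DWORD under HKEY_CURRENT_USER\Software\Microsoft\Sysinf described above to check whether a scan covered every affected volume.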