Re: PGPcoder Trojan
From: Juergen Nieveler (juergen.nieveler.nospam_at_arcor.de)
Date: 05/24/05
- Next message: Mathieu: "Tool.Win32.Reboot"
- Previous message: Axel Pettinger: "Re: PGPcoder Trojan"
- In reply to: Axel Pettinger: "Re: PGPcoder Trojan"
Date: 24 May 2005 13:31:53 GMT
Axel Pettinger <api@worldonline.de> wrote:
> Read Symantec's and/or Trend Micro's description. Both say that the
> trojan drops a batch file which - after the encryption of all target
> files - will delete the trojan. The encryption is the only purpose of
> that trojan - its author wants money for the decryption -, so there's
> no need to keep a copy of the trojan.
In fact, it would be foolish to leave the Trojan. Something I missed in
the write-ups was whether the key used to encrypt the files was generated
dynamically (and sent out somewhere else), or whether all copies use the
same key. In the latter case, the key would be hardcoded into the
trojan, so if you find a copy of that you can reverse-engineer it and
get the key out of it. Assuming symmetrical encryption was used (which is
likely because it's faster) you'd then be able to decrypt all files.
Juergen Nieveler
--
Dawn is nature's way of telling you to go to bed
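The post above distinguishes two cases: a key generated per infection and shipped off somewhere (nothing to recover locally), versus one key hardcoded in the trojan body, which a copy of the dropper gives away. The script below is an added example, not code from the original thread and not PGPcoder's actual cipher or key layout: it demonstrates the second case with a known-plaintext search, sliding a window over a binary image and testing each window as a candidate key against the first bytes of an encrypted .doc or .pdf, whose magic numbers are known. RC4 is used only as a stand-in for "a fast symmetric cipher", the 16-byte key length is an assumption, and the "trojan" image and victim files are constructed inline. It also handles the first case: when the key was never written into the dropper, the search returns None instead of a false hit.

```python
"""
Added example (not from the original post, and not PGPcoder's code):
known-plaintext search for a hardcoded symmetric key inside a malware image.
Assumptions: RC4 as the cipher, a 16-byte key, and constructed sample data.
"""
import random

KEY_LEN = 16  # assumed; an analyst would try a few plausible lengths


def rc4(key, data):
    """Plain RC4 keystream XOR; encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Magic numbers of file types a 2005-era ransom trojan would go after.
KNOWN_MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}


def find_hardcoded_key(image, enc_file, ext, key_len=KEY_LEN):
    """
    Slide a key_len window over the binary image and return (offset, key)
    for the first window that decrypts the encrypted file's leading bytes
    to the expected magic.  Returns None when no window works, which is
    what you see if the key was generated at run time and never stored.
    """
    magic = KNOWN_MAGIC[ext]
    head = enc_file[:len(magic)]
    for off in range(len(image) - key_len + 1):
        cand = image[off:off + key_len]
        if rc4(cand, head) == magic:
            return off, cand
    return None


def build_constructed_sample(embed_key, seed=2005):
    """
    Constructed fixture: a fake 'trojan' image plus two encrypted victims.
    embed_key=True places the key at offset 300 (hardcoded case);
    embed_key=False leaves only filler there (dynamic, per-victim key).
    """
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    key = filler(KEY_LEN)
    image = filler(300) + (key if embed_key else filler(KEY_LEN)) + filler(200)
    originals = {
        "report.doc": KNOWN_MAGIC[".doc"] + b"quarterly numbers ...",
        "scan.pdf": KNOWN_MAGIC[".pdf"] + b"1.4\n%\xe2\xe3\xcf\xd3\n",
    }
    encrypted = {name: rc4(key, data) for name, data in originals.items()}
    return image, encrypted, originals


def recover(embed_key):
    """
    Run the search against one encrypted .doc, then decrypt every victim
    with the recovered key.  Returns (key_offset, all_files_match) or None.
    """
    image, encrypted, originals = build_constructed_sample(embed_key)
    hit = find_hardcoded_key(image, encrypted["report.doc"], ".doc")
    if hit is None:
        return None
    off, key = hit
    decrypted = {name: rc4(key, data) for name, data in encrypted.items()}
    return off, decrypted == originals


if __name__ == "__main__":
    print("hardcoded key case:", recover(True))    # (300, True)
    print("dynamic key case:  ", recover(False))   # None
```

A real dropper may obfuscate or compress the key rather than store it verbatim, so a clean miss here does not prove the key was dynamic; it only means the naive window scan found nothing and the reverse-engineering has to go deeper into the decryption routine itself.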