[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Wednesday, 25 May, 2005, 17:13 GMT 18:13 UK
Trojan holds PC files for ransom
Screenshot of message with instructions
The trojan turns files into gobbledegook, holding them to "ransom"
A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified.

The program, Trojan.Pgpcoder, installs itself on a vulnerable computer after users visit certain websites.

It exploits a known vulnerability in Microsoft's Internet Explorer (IE).

Net security firm Symantec said the program had not spread quickly, but was another example of rising criminal extortion activity on the net.

The malware - harmful software - was first identified by US net security firm Websense.

Ransom note

The program, once it installs itself unbeknown to a user, triggers the download of an encoder application which searches for common types of files on a computer and networked drives to encrypt.

STAYING SAFE ONLINE
Install anti-virus software
Keep your anti-virus software up to date
Install a personal firewall
Use Windows updates to patch security holes
Do not open e-mail messages that look suspicious
Do not click on e-mail attachments you were not expecting

When a file is encrypted, usually for security and privacy purposes, it can only be decrypted with specific instructions.

The trojan replaces a user's original files with locked up ones, so that they are inaccessible. It then leaves a "ransom note" in a text file.

Instructions to release the files are only handed over when a ransom fee is paid, according to Websense.

The electronic note left on the computer gives details of how to meet the demands via an online account.

TROJAN.PGPCODER
Malicious website drops and runs a Trojan (downloader-aag)
Encoding program adds items to the Windows start-up registry
Creates a status file called "autosav.ini" with information on the files that have been encoded
Creates a file called tmp.bat in the directory where it was run to delete itself upon completion
Creates a file called "Attention!!!" with instructions on how to get your files decoded
Sends an HTTP status request to the server it was downloaded from
"This attack is yet another indicator of the growing trend of criminals using technology for financial gain," said Kevin Hogan, senior manager at web security firm Symantec.

"This Trojan horse is certainly an example of using cryptography for malicious purposes.

"It is the equivalent of someone coming into your home, locking your valuables in a safe and refusing to give you the combination."

But because it is classed as a trojan, it does not send itself out to contacts that a user might have stored on a computer, like viruses. This limits its ability spread around to high levels, "in the wild", said Symantec.

Computer users are urged to ensure their anti-virus and security software is up-to-date.


SEE ALSO:
Latest coup for hi-tech crime unit
17 Mar 05 |  Technology
Hi-tech crime costs UK plc 2.4bn
05 Apr 05 |  Business
Hi-tech thieves target businesses
01 Oct 04 |  Technology
Rich pickings for hi-tech thieves
25 Jan 05 |  Technology
The spies watching while you type
17 Mar 05 |  Technology


RELATED INTERNET LINKS:
The BBC is not responsible for the content of external internet sites


PRODUCTS AND SERVICES

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific