Panda Security’s weekly report on viruses and intruders
June 2008 by Panda
This week’s PandaLabs report looks at the PGPCoder.E and NoFreedom.A Trojans, as well as an application for creating worms, called Constructor/Wormer.
PGPCoder.E is a ransomware Trojan, i.e. it is designed to seize information and blackmail the user into paying to recover it. It does this by encrypting all non-operating-system files (such as those with DOC, XLS, PDF, TXT, JPG, BMP, etc. extensions) contained on a computer when the file containing PGPCoder.E is run.
At the same time, it releases two files. One of these is called ¡_READ_ME_!.txt, and contains a message informing users that the files have been encrypted and that to obtain the tool for decrypting them, they have to write to a certain email address.
The second file has the same name as the malware, but with a .vbs extension. This file displays a message similar to the one described above.
NoFreedom.A, on the other hand, reaches computers in a file called svch0st.exe with a peculiar icon. When run, it opens Internet Explorer and connects to YouTube to show a video of a certain cartoon series.
However, at the same time it creates several files and Windows registry entries, hiding the clock in the taskbar, disabling permissions to shut down or restart the PC and preventing the task manager from being run.
Finally, Constructor/Wormer is a tool for creating worms through a console in Visual Basic.
Among other characteristics, this malicious tool includes options for compressing the malicious code created, enabling MuteX and selecting the icons to use. The most curious option, however, is that users can choose to prevent the malicious code created from infecting removable drives, such as pen drives.
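The file names reported above for PGPCoder.E and NoFreedom.A can be turned into a simple triage check over a file listing. The following is an added example, not code from PandaLabs. The reference list of system binary names, the digit-for-letter table, the same-folder rule for the .vbs file and the sample paths are all assumptions made for illustration.

```python
import ntpath  # parses Windows-style paths on any OS

RANSOM_NOTE = "¡_read_me_!.txt"  # note name from the report, lower-cased
# Assumption: a short reference list of genuine Windows binary names.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
# Assumption: digit-for-letter swaps, as seen in svch0st.exe.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def triage(paths):
    """Return (path, reason) findings for a list of Windows file paths."""
    entries = [(p, ntpath.basename(p).lower(), ntpath.dirname(p).lower())
               for p in paths]
    # (folder, stem) of every executable, to spot a .vbs with the same name.
    exe_stems = {(folder, ntpath.splitext(name)[0])
                 for _, name, folder in entries if name.endswith(".exe")}
    findings = []
    for path, name, folder in entries:
        stem, ext = ntpath.splitext(name)
        if name == RANSOM_NOTE:
            findings.append((path, "ransom note name"))
        normalized = name.translate(LOOKALIKE)
        # Flag only names that become a system name after normalization.
        if name not in SYSTEM_NAMES and normalized in SYSTEM_NAMES:
            findings.append((path, "look-alike of " + normalized))
        # Assumption: the .vbs file sits in the same folder as the executable.
        if ext == ".vbs" and (folder, stem) in exe_stems:
            findings.append((path, "script sharing an executable's name"))
    return findings


# Constructed sample listing; user and file names are invented.
SAMPLE = [
    r"C:\Users\ana\Documents\¡_READ_ME_!.txt",
    r"C:\Users\ana\Downloads\svch0st.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\ana\Downloads\invoice.exe",
    r"C:\Users\ana\Downloads\invoice.vbs",
    r"C:\Users\ana\Documents\notes.txt",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

A hit from the name checks is a lead for further inspection, not a verdict: legitimate software also ships scripts named after their executables.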