Virus Profile: GPcoder

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/20/2005
Date Added: 5/20/2005
Origin: N/A
Length: 56,832 bytes
Type: Trojan
Subtype: Win32
DAT Required: 4496
Removal Instructions


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

- File overwritten with "garbage" (encrypted data).
- Presence of aforementioned ATTENTION!!!.txt files.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.


GPcoder, TROJ_PGPCODER.A (Trend), Trojan.Pgpcoder (Symantec), Virus.Win32.Gpcode.b (Kaspersky)

Virus Characteristics

This trojan encrypts documents, depending on the file extension, and then attempts to extort money from the victim in order for them to obtain a decryptor tool to recover the documents.

When run this trojan searches for files using the following extensions:

  • pgp
  • asc
  • db2
  • db1
  • db
  • jpg
  • html
  • htm
  • dbf
  • rar
  • zip
  • rtf
  • txt
  • doc
  • xls

Found documents are encoded and a text file named ATTENTION!!!.txt is placed in the directory containing the following text:

Some files are coded.
To buy decoder mail: n {removed}    
with subject: PGPcoder 000000000032

The following registry key is created:

  • HKEY_CURRENT_USER\Software\Microsoft\Sysinf "cur_not_done"

During testing, the trojan also contained a meaningless registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "services" = C:\Documents

The intention here is for the trojan to configure itself to run at system startup, however the program contains a bug such that directories containing spaces are not handled properly.

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!