Trojan-Ransom.Win32.Gpcode.f
| Detected | Jun 28 2005 09:28 GMT |
| Released | Jun 29 2005 12:05 GMT |
| Published | Jun 28 2005 09:28 GMT |
This file virus is a Windows PE EXE file, packed using UPX. The packed file is approximately 56KB in size, and the unpacked file is approximately 122KB in size.
Once launched, the virus will encrypt files with the following extensions on the victim machine:
arj cdr cgi css csv db dbf dbt dbx doc flb frm frt frx gtd gz htm html kwm mdb mmf pak pdf pl pst pwa pwl pwm rar rmr rtf sar tar tbb txt xls xml zip
The original virus file will be deleted after launch.
The following text can be seen at the beginning of encrypted files:
PGPcoder
A file named readme.txt will appear in folders which contain encrypted files. The contents of readme.txt are as follows:
Some files are coded. To buy decoder mail: md56@mail.ru with subject: PGPcoder md56
The text may give a different email address or decrypter version, depending on the version of Virus.Win32.GPCode.
If the user contacts the email address listed in readme.txt, they will receive an answer asking for a specific sum of money in return for decrypting files.
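As an added defender-side illustration (not part of the original description), the following Python script walks a directory tree and reports files that begin with the PGPcoder marker described above, plus readme.txt files carrying the ransom text. The sample tree it builds is constructed for the demonstration; the marker, note name and note wording are taken from the description.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the description: the text at the start of encrypted
# files, the note filename, and a phrase from the note body.
MARKER = b"PGPcoder"
NOTE_NAME = "readme.txt"
NOTE_PHRASE = b"To buy decoder mail:"


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) as POSIX paths relative to root."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = path.relative_to(root).as_posix()
            # Check the marker first so an encrypted readme.txt is not
            # mistaken for an intact ransom note.
            if head.startswith(MARKER):
                encrypted.append(rel)
            elif name.lower() == NOTE_NAME and NOTE_PHRASE in head:
                notes.append(rel)
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Constructed sample directory imitating the on-disk traces (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.doc").write_bytes(MARKER + b"\x13\x37" * 8)  # constructed
    (root / "docs" / NOTE_NAME).write_bytes(
        b"Some files are coded. To buy decoder mail: md56@mail.ru with subject: PGPcoder md56")
    (root / "docs" / "notes.txt").write_bytes(b"ordinary text, untouched")
    (root / "photo.bmp").write_bytes(b"BM" + b"\x00" * 14)  # extension not targeted
    return root


if __name__ == "__main__":
    enc, notes = scan_tree(build_sample_tree())
    print("encrypted:", enc)
    print("ransom notes:", notes)
```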
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage” (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.