|Detected||Jun 28 2005 09:28 GMT|
|Released||Jun 29 2005 12:05 GMT|
|Published||Jun 28 2005 09:28 GMT|
This file virus is a Windows PE EXE file, packed using UPX. The packed file is approximately 56KB in size, and the unpacked file is approximately 122KB in size.
Once launched, the virus will encrypt files with the following extensions on the victim machine:
arj cdr cgi css csv db dbf dbt dbx doc flb frm frt frx gtd gz htm html kwm mdb mmf pak pdf pl pst pwa pwl pwm rar rmr rtf sar tar tbb txt xls xml zip
The original virus file will be deleted after launch.
The following text can be seen at the beginning of encrypted files:
A file named readme.txt will appear in folders which contain encrypted files. The contents of readme.txt are as follows:
Some files are coded. To buy decoder mail: firstname.lastname@example.org with subject: PGPcoder md56
The text may give a different email address or decrypter version, depending on the version of Virus.Win32.GPCode.
If the user contacts the email address listed in readme.txt, they will receive an answer asking for a specific sum of money in return for decrypting files.
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.