
Trojan-Ransom.Win32.Gpcode.ad

Detected May 22 2006 10:46 GMT
Released May 22 2006 12:20 GMT
Published Jun 09 2006 13:18 GMT


Technical Details

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file, 61 440 bytes in size, packed using UPX; the unpacked file is approximately 135KB in size.

Once launched, the virus encrypts files with the following extensions:

3ds
3dx
acd
ace
ai
arc
arh
arj
c
cdr
cgi
chm
cnt
cpp
css
csv
db
db1
db2
dbf
dbt
dbx
dic
doc
dsc
dwg
dxf
eps
fax
fla
flb
frm
frt
frx
gtd
gz
gzip
h
ha
htm
html
jar
key
kwm
lst
lzh
ma
man
mar
mdb
mmf
mo
old
p12
pak
pdf
pem
pfx
pgp
pl
ppt
prf
prx
ps
pst
pwa
pwl
pwm
rar
rle
rmr
rnd
rtf
safe
sar
sig
sln
swf
tar
tbb
tex
tga
txt
xcr
xls
xml
zip
zoo

To encrypt files, the virus makes partial use of the RSA algorithm with a 67-bit key.
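A 67-bit RSA modulus is far below any secure key size, and that weakness is exactly what lets an analyst recover the private key from the public key alone instead of relying on the extortionist. The following is an added example, not code from Kaspersky Lab or from the malware: it assumes textbook RSA with a public exponent of 65537 and a constructed 67-bit modulus (the page gives neither the real key nor the details of how RSA is applied to each file), and factors it with Pollard's rho in well under a second.

```python
"""Why a 67-bit RSA modulus offers no real protection: factor it in seconds."""
from math import gcd
import random

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with a fixed seed so the demo is deterministic."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def prev_prime(n: int) -> int:
    """Largest probable prime not exceeding n."""
    while not is_probable_prime(n):
        n -= 1
    return n

def pollard_rho(n: int) -> int:
    """Floyd-cycle Pollard rho: returns a non-trivial factor of composite n."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):          # retry with a new polynomial if a cycle fails
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def break_rsa(n: int, e: int) -> int:
    """Recover the private exponent d from the public key (n, e) alone."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed 67-bit modulus: two primes just below 2**33 and 2**34 (assumption,
# not the key used by the malware).
P, Q = prev_prime(2**33), prev_prime(2**34)
N, E = P * Q, 65537
```

Calling `break_rsa(N, E)` yields a private exponent that decrypts `pow(m, E, N)` back to `m` for any message `m < N`, which is why analysts could restore files encrypted under such a key without paying.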

Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.

The virus creates a file called 'readme.txt' in folders which contain encrypted files. 'readme.txt' contains the following message:

Some files are coded by RSA method. To buy decoder mail: w*****44@mail.ru with subject: RSA 5 ********507363108091

The email address used may differ from variant to variant.

If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.

Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.

In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.

Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.


Removal instructions

  1. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
  2. If your files remain encrypted after scanning with Kaspersky Anti-Virus, please send a sample file to our Virus Lab (newvirus@kaspersky.com).

Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been "taken hostage" (blocked or encrypted), the user will receive a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.


Aliases

Trojan-Ransom.Win32.Gpcode.ad (Kaspersky Lab) is also known as:

  • Virus.Win32.Gpcode.ad (Kaspersky Lab)
  • Trojan: GPcoder (McAfee)
  • Mal/Generic-A (Sophos)
  • Trojan.Gpcode-2 (ClamAV)
  • Trojan.Encoder.origin (DrWeb)
  • Win32/Gpcode trojan (Nod32)
  • Trojan.Generic.3168476 (BitDef7)
  • Virus.Win32.Gpcode (Ikarus)
  • Win32/Gpcode.D (AVG)
  • TR/Crypt.XPACK.Gen (AVIRA)
  • Trojan.Gpcoder (NAV)
  • Harm.Gpcode.c (Rising)
  • Trojan-Ransom.Win32.Gpcode.ad [AVP] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)