Internet threat level: 1
Home→Descriptions→Trojan-Ransom.Win32.Gpcode.af
Trojan-Ransom.Win32.Gpcode.af
| Detected | Jun 06 2006 21:39 GMT |
| Released | Jun 07 2006 00:44 GMT |
| Published | Jun 07 2006 11:53 GMT |
Removal instructions
Technical Details
This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 64512 bytes in size, packed using UPX. The unpacked file is approximately 147KB in size.
This malicious program was distributed throughout the Russian Internet using spammer technologies.
Once launched, the virus encrypts files with the following extensions:
12m 3ds 3dx 4ge 4gl a a86 abc acd ace act ada adi aex af3 afd ag4 ai aif aifc aiff ain aio ais akf alv amp ans ap apa apo app arc arh arj arx asc ask bb bcp bdb bh bib bsa btr bup bwb bz c c86 cac cat cbl cc cdb cdr cgi cmd cnt cob col cpp cpt crp cru csc css csv ctx cvs cwb cwk cxe cyp d db db0 db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbk dbm dbo dbq dbt dbx dic dif dm dmd doc dok dox dsc dwg dxf dxr eps exp f fas fax fdb fla flb fm fox frm frt frx fsl gtd gz gzip h ha hh hjt hog htm html htx ice icf ihtml ish jar jsp key kwm lst lwp lzh lzs lzw ma mak man maq mar mbx mdb mdf mmf mo myd old p12 pak pdf pem pfx pgp pl pm3 pm4 pm5 pm6 ppt prf prx ps pst pw pwa pwl pwm pwp pxl rar rle rmr rnd rtf safe sar sig sln swf tar tbb tex tga txt vp xcr xls xml zip zoo
The virus partially uses the RSA 330 bit algorithm to encrypt files.
Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.
The virus creates a file called ‘readme.txt’ in folders which contain encrypted files. 'Readme.txt' contains the following message:
To buy decoder mail: k6**89@mail.ru
with subject: REPLY
The email address used may differ from variant to variant.
If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.
Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.
Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.
Removal instructions
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
- If your files remain encrypted after scanning with Kaspersky Anti-Virus, please send a sample to our Virus Lab (newvirus@kaspersky.com).
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.
Trojan-Ransom.
- Virus.
Win32. Gpcode. af (Kaspersky Lab) - Trojan:
GPcoder. e (McAfee) - Mal/Generic-A (Sophos)
- Heuristic.
WinPE-Statistical (Panda) - W32/TrojanX.
ERL (FPROT) - Trojan:
Win32/Gpcode. C (MS(OneCare)) - Trojan.
Encoder. 6 (DrWeb) - Win32/Gpcode.
AD trojan (Nod32) - MemScan:
Trojan. Gpcode. E (BitDef7) - Win32:
GPCode-D (AVAST) - Virus.
Win32. Gpcode (Ikarus) - Generic.
XVS (AVG) - TR/Crypt.
ULPM. Gen (AVIRA) - W32/Smalltroj.
CIXK (Norman) - GPcoder.
e (NAI) - Harm.
Gpcode. c (Rising) - TROJ_PGPCODER.
G (TrendMicro)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.