Trojan-Ransom.Win32.Gpcode.ak

Detected Jun 04 2008 14:39 GMT
Released Jun 04 2008 18:32 GMT
Published Jun 05 2008 16:48 GMT

Technical Details

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file, 8030 bytes in size.


Payload

Once launched, the virus creates the following mutex in memory in order to flag its presence in the system: _G_P_C_.

The virus then starts consecutively scanning all logical disks for files to encrypt. The virus encrypts all user files with the extensions listed below:

7z, abk, abd, acad, arh, arj, ace, arx, asm, bz, bz2, bak, bcb, c, cc, cdb, cdw, cdr, cer, cgi, chm, cnt, cpp, css, csv,
db, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbt, dbm, dbo, dbq, dbx, djvu, doc, dok, dpr, dwg, dxf, ebd,
eml, eni, ert, fax, flb, frm, frt, frx, frg, gtd, gz, gzip, gfa, gfr, gfd, h, inc, igs, iges, jar, jad, java, jpg, jpeg,
jfif, jpe, js, jsp, hpp, htm, html, key, kwm, ldif, lst, lsp, lzh, lzw, ldr, man, mdb, mht, mmf, mns, mnb, mnu, mo, msb,
msg, mxl, old, p12, pak, pas, pdf, pem, pfx, php, php3, php4, pl, prf, pgp, prx, pst, pw, pwa, pwl, pwm, pm3, pm4, pm5,
pm6, rar, rmr, rnd, rtf, safe, sar, sig, sql, tar, tbb, tbk, tdf, tgz, txt, uue, vb, vcf, wab, xls, xml

The virus uses the Microsoft Enhanced Cryptographic Provider v1.0 (a CryptoAPI provider built into Windows) to encrypt files. Files are encrypted with the RC4 algorithm. The RC4 key is then encrypted with a 1024-bit RSA public key embedded in the body of the virus.

RSA is an asymmetric algorithm with a public and a private key. The public key alone is enough to encrypt a message; a message encrypted with it can be decrypted only with the matching private key.

The virus creates an encrypted copy of each original file. The encrypted copy retains the original file name, with _CRYPT being added to the end of the file name. Example:

WaterLilles.jpg — original file

WaterLilles.jpg._CRYPT — encrypted file

The original file will then be deleted.

The virus drops a file called "!_READ_ME_!.txt" to every directory which contains encrypted files. The file contains the following text:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com

=== BEGIN ===
[key]
=== END ===

Files located in the Program Files directory will not be encrypted. Additionally, the virus will not encrypt the following files:

  • files with the "system" or "hidden" attributes;
  • files less than 10 bytes in size;
  • files larger than 734003200 bytes in size.

Once the virus has delivered its payload, it creates a VBS file which deletes the main body of the virus from the victim machine, and causes the following MessageBox to be displayed:

The virus does not register itself in the system registry.


Removal instructions

If you think your computer has been infected, contact us at stopgpcode@kaspersky.com. Include details about the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected:

  • which programs you ran,
  • which websites you have visited, etc.

File Recovery

At the moment, it's not possible to decrypt files encrypted by Gpcode. However, you can use PhotoRec to recover your original files which were deleted by Gpcode after the virus created an encrypted version of the files.

The utility can be used to recover Microsoft Office documents, executable files, PDF and TXT documents, and also certain file archives. Here is a full list of supported file formats.

PhotoRec is part of the TestDisk package. The latest version of TestDisk, including PhotoRec, can be found here.

Below are detailed instructions on how to manually restore deleted files using PhotoRec:

  1. Use a different, clean computer to download TestDisk, which includes PhotoRec.
  2. Save PhotoRec to an external device, and connect this device to the infected machine (this does not pose any threat, as Gpcode.ak cannot spread independently and deletes itself after launching).
  3. Run PhotoRec (the file is called photorec_win.exe, and it is located in the win directory of the TestDisk package):
  4. Choose the target drive for PhotoRec to search for files, and press ENTER to continue:

    If you have several hard drives in your system, you should perform this step for every hard drive (i.e. once you have recovered files from one drive, repeat the process for the next drive).

  5. Select the partition table type (typically 'Intel') and press ENTER to continue.
  6. Choose the partition you want to recover files from and press ENTER to continue.

    If your disk has several partitions, you need to repeat this step for each one.

  7. Choose the type of file system (Windows users should choose 'Other') and press ENTER to continue.

  8. Choose where to search for deleted files and press ENTER to continue. Choose "Whole" to search the entire disk for deleted files.

  9. PhotoRec will then ask you to specify a destination directory for restored files. Use the PhotoRec file browser to move to the root directory (by choosing ".." and pressing ENTER).

    The root directory shows which disks your system has. Choose the appropriate removable (or network) drive, and the folder in which you want to save recovered files. It is very important to choose an external drive (i.e. don't choose a drive on your infected machine, because deleted files could be damaged).

    Before recovering files, please make sure you have created a separate directory on the drive (e.g. "recovered") and choose to save recovered files to this directory, in order to prevent errors arising later in the recovery process. Once you have chosen the directory, press "Y".

    Once you have pressed "Y", you will see the file restoration process in action. Please be aware that this process may take a considerable length of time.

    Wait for scanning to finish before moving to the next step.

  10. The recovered files are now on your chosen external drive. When you open the directory which contains the recovered files, you will notice that the file names do not correspond to the original names of the files on your hard disk.

    Your file names will look something like this:

    This is due to the way PhotoRec works, and you should not be alarmed. In addition, although the utility can restore the contents of files, it cannot establish their original location.

To complete the recovery process, we've created a free utility called StopGpcode that will sort and rename your restored files.

  • On another computer, download the Stopgpcode utility and copy it to a USB flash drive.
  • Put this flash drive into the infected computer and open the Windows Command Prompt by going to START | PROGRAMS | ACCESSORIES.
  • Select your USB flash drive by typing its drive letter, e.g. W:
  • Then run the utility from the command line by typing the following:
    STOPGPCODE -r <recovered files folder> -i <infected disk> -o <output folder>
    e.g. STOPGPCODE -r W:\RECOVERED -i C:\ -o W:\SORTED

The utility will process the entire disk and compare the sizes of encrypted and recovered files. The program will use the file size as a basis for determining the original location and name of each recovered file.

The utility will try to determine the correct name and location for each file, recreating your original folders and file names within a folder called "sorted". If the utility cannot determine the original file name, the file will be saved to a folder called "conflicted".

You can download Stopgpcode here.
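The size-matching step described above, as an added Python illustration (not Kaspersky's StopGpcode utility): it indexes every ._CRYPT file by size, then places each recovered file under sorted/ when exactly one encrypted file has that size and under conflicted/ otherwise. It assumes, as the page implies, that an encrypted copy is the same size as the original; the directory names and sample files are constructed for the demonstration.

```python
import os, shutil, tempfile
from collections import defaultdict

CRYPT_SUFFIX = "._CRYPT"

def index_encrypted(scan_root):
    """Map size -> original paths (relative to scan_root, suffix stripped) of every *._CRYPT file."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(scan_root):
        for name in names:
            if name.endswith(CRYPT_SUFFIX):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, scan_root)[:-len(CRYPT_SUFFIX)]
                by_size[os.path.getsize(full)].append(rel)
    return by_size

def sort_recovered(recovered_dir, by_size, out_dir):
    """Copy each recovered file to out_dir/sorted/<original path> when exactly one
    encrypted file shares its size, else to out_dir/conflicted/. Returns {name: destination}."""
    placed = {}
    for name in sorted(os.listdir(recovered_dir)):
        src = os.path.join(recovered_dir, name)
        candidates = by_size.get(os.path.getsize(src), [])
        if len(candidates) == 1:
            dest_rel = os.path.join("sorted", candidates[0])
        else:  # no same-size original, or several: the name cannot be decided
            dest_rel = os.path.join("conflicted", name)
        dest = os.path.join(out_dir, dest_rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(src, dest)
        placed[name] = dest_rel.replace(os.sep, "/")
    return placed

def demo():
    """Constructed scenario: three _CRYPT files (two of equal size) and three PhotoRec-style recovered files."""
    root = tempfile.mkdtemp()
    layout = {"disk/Docs/report.doc._CRYPT": 120, "disk/Photos/a.jpg._CRYPT": 300,
              "disk/Photos/b.jpg._CRYPT": 300, "recovered/f0001.doc": 120,
              "recovered/f0002.jpg": 300, "recovered/f0003.txt": 50}
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)
    by_size = index_encrypted(os.path.join(root, "disk"))
    result = sort_recovered(os.path.join(root, "recovered"), by_size, os.path.join(root, "out"))
    shutil.rmtree(root)  # remove the temporary scenario
    return result
```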

Decrypting files using StopGpcode2

Some of the files encrypted by Gpcode.ak can be decrypted without using the private RSA key. This is accomplished by using files where a non-encrypted version exists.

You need to take the following steps to decrypt files:

  1. Find all encrypted files (those with the ._CRYPT extension) on the victim machine and copy them to a folder named ‘encrypted’ on a portable storage device.

  2. Follow the instructions above in ‘File Recovery’ and save the restored files with the correct restored names onto the portable data device in a folder named ‘backup’.

  3. Match unencrypted copies of the files with the encrypted versions in the ‘encrypted’ folder. You can find unencrypted versions of your files in your backup. If you've lost photos, you might have a good copy left on the memory card of your camera. Potentially you may have good copies of your encrypted files on network resources. These are the files you should look for and copy to the folder named ‘backup’.

    Important! You MUST make sure that the files you save to the ‘backup’ folder have identical names to the files in the ‘encrypted’ folder – everything should be identical except for the extension ._CRYPT.

  4. Create a folder named ‘decrypted’ where you will save the decrypted files. Download the free Stopgpcode2 tool from the Kaspersky website. This is used to decrypt your files.

  5. Launch StopGpcode2 from the command prompt (Start > Run > cmd.exe) – be sure to include the full path to the folders ‘encrypted’, ‘backup’ and ‘decrypted’. For instance, if the tool and the folders are located in the root of drive e:, then you need to execute:

    e:\stopgpcode2.exe e:\encrypted e:\backup e:\decrypted

    Once the program executes, you will see the tool starting to decrypt your files.

  6. After the tool completes decrypting it will display a ‘Done’ message. Now you can open the ‘decrypted’ folder and check which files the tool was able to decrypt.

Important! The tool may not be able to decrypt all files completely. In this case it will partially restore the files and display a message saying ‘partly recovered’.
Also, please do not test the tool on a virtual machine. The results are likely to differ significantly from results on a regular machine.
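Why a clean copy of one file can unlock others, as an added example (not Kaspersky's StopGpcode2): RC4 is a stream cipher, so XORing a known plaintext with its ciphertext yields the keystream, which then decrypts any other file encrypted under the same key, but only up to the known file's length, which is the ‘partly recovered’ case above. The assumption that one RC4 key was applied to several files, the key itself and the sample file contents are constructed for the demonstration; the page does not state how the virus derives its keys.

```python
def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def recover_keystream(known_plain, known_cipher):
    """Known-plaintext step: C xor P gives the keystream bytes, no key needed."""
    return xor_bytes(known_plain, known_cipher)

def decrypt_with_keystream(keystream, cipher):
    """Return (recovered_bytes, complete). Bytes past the end of the recovered
    keystream stay unknown: the 'partly recovered' outcome."""
    n = min(len(keystream), len(cipher))
    return xor_bytes(cipher[:n], keystream[:n]), n == len(cipher)

def demo():
    key = b"constructed-demo-key"  # stands in for the victim's RC4 key (assumed reused)
    backup = b"Quarterly report: revenue up 12%, costs flat."  # a file whose clean copy exists
    other = b"Shopping list: milk, eggs, bread, coffee, apples, oranges, tea"  # no clean copy
    # Recover the keystream from the known pair, then apply it to the other file.
    ks = recover_keystream(backup, rc4_encrypt(key, backup))
    return decrypt_with_keystream(ks, rc4_encrypt(key, other))
```

Because the keystream recovered from the 45-byte known file is shorter than the 62-byte second file, `demo()` returns only the first 45 bytes of it and reports the recovery as incomplete.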

Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage” (blocked or encrypted), the user will receive a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.


Aliases

Trojan-Ransom.Win32.Gpcode.ak (Kaspersky Lab) is also known as:

  • Virus.Win32.Gpcode.ak (Kaspersky Lab)
  • Trojan: Generic.dx!vbt (McAfee)
  • Troj/Gpcode-D (Sophos)
  • W32.GPC (ClamAV)
  • Trj/PGPCoder.E (Panda)
  • W32/Crypter.I (FPROT)
  • Trojan:Win32/Gpcode.G (MS(OneCare))
  • Trojan.Encoder.18 (DrWeb)
  • Trojan.Gpcode.I (BitDef7)
  • Trojan.GPCode.J (VirusBuster)
  • Win32:Gpcode-E (AVAST)
  • Virus.Win32.Gpcode (Ikarus)
  • Win32/Gpcode.E (AVG)
  • Trojan.Gpcoder.F (NAV)
  • W32/Suspicious_Gen2.EZGLS (Norman)
  • Trojan-Ransom.Win32.Gpcode.ak [AVP] (FSecure)
  • TROJ_GPCODE.AD (TrendMicro)
  • Trojan.GPCode.J (VirusBusterBeta)