Virus.Win32.Gpcode.ag
| Field | Value |
| --- | --- |
| Alert Level | High |
| Discovered | Jun 09 2006 |
| Tag | Executable File and Boot Viruses |
| Discoverer and Source | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This malicious program encrypts files on the victim machine. It is a Windows PE EXE file, 64,512 bytes in size and packed with UPX; the unpacked file is approximately 147 KB.
This malicious program was distributed across the Russian Internet by spam mailings.
Once launched, the virus encrypts files with the following extensions:
12m 3ds 3dx 4ge 4gl a a86 abc acd ace act ada adi aex af3 afd ag4 ai aif aifc aiff ain aio ais akf alv amp ans ap apa apo app arc arh arj arx asc ask bb bcp bdb bh bib bsa btr bup bwb bz c c86 cac cat cbl cc cdb cdr cgi cmd cnt cob col cpp cpt crp cru csc css csv ctx cvs cwb cwk cxe cyp d db db0 db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbk dbm dbo dbq dbt dbx dic dif dm dmd doc dok dox dsc dwg dxf dxr eps exp f fas fax fdb fla flb fm fox frm frt frx fsl gtd gz gzip h ha hh hjt hog htm html htx ice icf ihtml ish jar jsp key kwm lst lwp lzh lzs lzw ma mak man maq mar mbx mdb mdf mmf mo myd old p12 pak pdf pem pfx pgp pl pm3 pm4 pm5 pm6 ppt prf prx ps pst pw pwa pwl pwm pwp pxl rar rle rmr rnd rtf safe sar sig sln swf tar tbb tex tga txt vp xcr xls xml zip
The virus uses the RSA algorithm with a 660-bit key as part of its file encryption.
Files encrypted by the virus cannot be used. The malicious user then demands money to decrypt them.
The virus creates a file called 'readme.txt' in every folder that contains encrypted files. 'readme.txt' contains the following message:
Some files are coded by RSA method. To buy decoder mail: dfk***26@mail.ru with subject: REPLY
The email address may differ from variant to variant.
If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.
Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.
Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.
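The two host-side indicators described above, the 'readme.txt' note and the list of targeted extensions, are enough for a simple triage script. The following is an added example, not Kaspersky's code: it flags folders that hold a readme.txt containing the quoted note phrase and lists the files in those folders whose extensions are on the page's list. The function names, the sample paths and the extension subset are constructed for the example; because the note text and e-mail address vary between variants, the phrase match is a heuristic and a miss does not prove a folder is clean.

```python
import os
from typing import Dict, Iterable, List, Tuple
# Marker taken from the ransom note quoted in the description above.
NOTE_MARKER = "Some files are coded by RSA method"
NOTE_NAME = "readme.txt"
# Subset of the extensions listed on the page (constructed subset; extend as needed).
TARGETED_EXT = {"doc", "xls", "pdf", "txt", "zip", "rar", "dbf", "mdb", "htm", "html"}

def is_ransom_note(name: str, content: str) -> bool:
    """A readme.txt whose text contains the phrase from the known note."""
    return name.lower() == NOTE_NAME and NOTE_MARKER in content

def targeted(name: str) -> bool:
    """True when the file carries one of the extensions Gpcode.ag encrypts."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext in TARGETED_EXT

def triage(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each folder holding a ransom note to its possibly encrypted files.
    entries: (path, content) pairs; content matters only for readme.txt."""
    notes_by_dir: Dict[str, str] = {}
    files_by_dir: Dict[str, List[str]] = {}
    for path, content in entries:
        folder, name = os.path.split(path)
        if is_ransom_note(name, content):
            notes_by_dir[folder] = path
        elif targeted(name):
            files_by_dir.setdefault(folder, []).append(path)
    # Folders without a note are not reported, which keeps false positives down.
    return {d: sorted(files_by_dir.get(d, [])) for d in notes_by_dir}

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree; only readme.txt contents are read."""
    def entries():
        for folder, _, names in os.walk(root):
            for n in names:
                p, content = os.path.join(folder, n), ""
                if n.lower() == NOTE_NAME:
                    with open(p, "r", errors="replace") as fh:
                        content = fh.read(4096)
                yield p, content
    return triage(entries())

# Constructed sample: one hit folder, one clean folder with a harmless readme.
SAMPLE = [("C:/docs/readme.txt", "Some files are coded by RSA method. To buy decoder mail: ..."),
          ("C:/docs/report.doc", ""), ("C:/docs/budget.xls", ""), ("C:/docs/notes.exe", ""),
          ("C:/src/readme.txt", "Build instructions"), ("C:/src/main.cpp", "")]

def demo() -> Dict[str, List[str]]:
    return triage(SAMPLE)
```

Run `scan_tree(r"C:\Users")` on a suspect machine to get the same mapping for a real tree; the output tells you which folders to preserve for the sample submission described in the removal instructions.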
Removal instructions
Instructions for removing Virus.Win32.Gpcode.ag:
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
- If your files remain encrypted after scanning with Kaspersky Anti-Virus, please send a sample file to our Virus Lab (newvirus@kaspersky.com).