Virus.Win32.Gpcode.ae
| Alert Level : | High |
| Discovered: | Jun 02 2006 |
| Tag: | Executable File and Boot Viruses |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This malicious program encrypts files on the victim machine. The virus itself is a Windows PE EXE file approximately 62KB in size, packed using UPX. The unpacked file is approximately 134KB in size.
This program was spammed throughout the Russian Internet.
Once launched, the virus will encrypt files which it finds on the victim machine which have the following extensions:
12m 3ds 3dx 4ge 4gl a a86 abc acd ace act ada adi aex af3 afd ag4 ai aif aifc aiff ain aio ais akf alv amp ans ap apa apo app arc arh arj arx asc ask bb bcp bdb bh bib bsa btr bup bwb bz c c86 cac cat cbl cc cdb cdr cgi cmd cnt cob col cpp cpt crp cru csc css csv ctx cvs cwb cwk cxe cyp d db db0 db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbk dbm dbo dbq dbt dbx dic dif dm dmd doc dok dox dsc dwg dxf dxr eps exp f fas fax fdb fla flb fm fox frm frt frx fsl gtd gz gzip h ha hh hjt hog htm html htx ice icf ihtml ish jar jsp key kwm lst lwp lzh lzs lzw ma mak man maq mar mbx mdb mdf mmf mo myd old p12 pak pdf pem pfx pgp pl pm3 pm4 pm5 pm6 ppt prf prx ps pst pw pwa pwl pwm pwp pxl rar rle rmr rnd rtf safe sar sig sln swf tar tbb tex tga txt vp xcr xls xml zip zoo
The virus partly uses the RSA 260-bit encryption algorithm to encrypt files.
Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files.
A file called 'readme.txt' is created in folders where encrypted files are located. The file contains the following text
Some files are coded by RSA method.To buy decoder mail: k6**89@mail.ru
with subject: REPLY
The email address shown may differ from modification to modification of this virus.
If contacted by the user, the author of the program will demand payment for decrypting the encrypted files.
Users are reminded that they should be extremely cautious when faced with attachments to suspicious messages. Additionally, users should not contact the authors of malicious programs, nor pay them money, as this will simply act as motivation to write new variants.
Once the virus has completed its encryption routine, it creates a file named TMP.BAT. This file contains code which will delete the source code of the malicious program from the victim machine.
Removal instructions0
Removal Virus.Win32.Gpcode.ae instructions:
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
- If the files remain encrypted after scanning, send an encrypted file to the Kaspersky Virus Lab (newvirus@kaspersky.com).
Need help? Live computer support via remote at SupportSpace |
