
[Virus] Virus.Win32.Gpcode.ak reported in the wild

Abstract

Viruses spread around the world every day; there is nothing new in that. But the GPCODE virus that has now been reported in the wild is different. It encrypts the files on your hard disk and deletes the originals. In the end you would have to contact the virus author to obtain the decryption key and regain access to your files.

You think we are kidding? Nope, we are not. Kaspersky, one of the leading companies in the anti-virus business, has issued an appeal to cryptographers around the world to help break the encryption used by this virus. The worst part: the virus authors use a 1024-bit RSA key to encrypt your data. RSA-1024 is still considered secure today (see the Wikipedia list of factored RSA challenge numbers). The largest RSA challenge number factored so far is RSA-640 (640 bits), and that took a dedicated academic team months of computing; factoring is not a matter of guessing, it is a matter of computing resources. Kaspersky estimates that around 15 million computers working in a distributed effort would be needed to break this key. Yes, 15 million.
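To put Kaspersky's estimate in perspective, here is a back-of-the-envelope check using the standard heuristic running time of the general number field sieve, L_n[1/3, (64/9)^(1/3)]. This is an added example, not code from the original post or from Kaspersky. The 30 CPU-year figure for RSA-640 is the effort its factoring team reported in 2005 and is the only input; the o(1) term of the GNFS estimate is dropped, so the result is an order-of-magnitude ratio, not a precise cost.

```python
import math


def gnfs_work(bits: int) -> float:
    """Natural log of the heuristic GNFS running time L_n[1/3, c] with
    c = (64/9)^(1/3), for a modulus n of the given bit length.
    The o(1) term in the exponent is dropped (assumption)."""
    ln_n = bits * math.log(2)            # ln n for an n of `bits` bits
    c = (64 / 9) ** (1 / 3)              # ~1.923
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_cost(bits_target: int, bits_reference: int) -> float:
    """How many times more work factoring bits_target takes than bits_reference."""
    return math.exp(gnfs_work(bits_target) - gnfs_work(bits_reference))


def cpu_years_for(bits: int, reference_bits: int = 640,
                  reference_cpu_years: float = 30.0) -> float:
    """Scale a known factoring effort (default: ~30 Opteron-years reported
    for RSA-640) to another key size using the same hardware generation."""
    return reference_cpu_years * relative_cost(bits, reference_bits)


if __name__ == "__main__":
    ratio = relative_cost(1024, 640)
    years = cpu_years_for(1024)
    print(f"RSA-1024 is roughly {ratio:,.0f}x harder than RSA-640 under the GNFS heuristic")
    print(f"that is ~{years:,.0f} CPU-years, i.e. about a year on ~{years:,.0f} machines")
```

The ratio comes out in the tens of thousands, so a 30 CPU-year effort for 640 bits becomes millions of CPU-years for 1024 bits, which is the same ballpark as the "15 million computers" figure. Treat it as a ballpark only: real records depend on sieving implementation and memory, not just this exponent.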

What you can do

The good news is that this virus seems to appear only infrequently. We have not yet found a copy of it in our own research in the underground networks, so we currently rate the threat probability as medium. Staying clean is not complicated:

  • have a reputable anti-virus scanner installed (see our sponsors)
  • update your virus signatures frequently (at least once per day)
  • back up your data frequently to external devices, and keep those devices disconnected when not in use, so the backup is not encrypted along with the originals

If you have been hit by this virus and it is already on your system, you will see a message box saying:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [removed]@yahoo.com

=== BEGIN ===
[key removed]
=== END ===

There is not much you can do at this point. Kaspersky recommends not turning off or rebooting the computer, so that nothing on the disk gets overwritten; instead, contact Kaspersky at stopgpcode@kaspersky.com from a second computer. Please provide detailed information on how you obtained this virus (for example, which torrent site).

Affected file extensions

These are the file name extensions (suffixes) of the files that GPCODE will encrypt:

7z abk abd acad
arh arj ace arx
asm bz bz2 bak
bcb c cc cdb
cdw cdr cer cgi
chm cnt cpp css
csv db db1 db2
db3 db4 dba dbb
dbc dbd dbe dbf
dbt dbm dbo dbq
dbx djvu doc dok
dpr dwg dxf ebd
eml eni ert fax
flb frm frt frx
frg gtd gz gzip
gfa gfr gfd h
inc igs iges jar
jad java jpg jpeg
jfif jpe js jsp
hpp htm html key
kwm ldif lst lsp
lzh lzw ldr man
mdb mht mmf mns
mnb mnu mo msb
msg mxl old p12
pak pas pdf pem
pfx php php3 php4
pl prf pgp prx
pst pw pwa pwl
pwm pm3 pm4 pm5
pm6 rar rmr rnd
rtf safe sar sig
sql tar tbb tbk
tdf tgz txt uue
vb vcf wab xls
xml
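If you are looking at a disk after an infection, the two things this page gives you, the targeted extension list and the wording of the ransom message, are enough for a first triage. The script below is an added example, not code from the original post or from Kaspersky. For every file with a targeted extension it decides whether the content still looks like that format: for formats that are compressed or binary anyway (jpg, pdf, rar, 7z, gz, OLE documents) it checks the file header, because entropy cannot tell a JPEG from ciphertext; for plain formats (txt, c, sql, pem, ...) it measures byte entropy, since cipher output sits close to 8 bits per byte while text and source code sit far below. Files containing the ransom message strings are reported separately. The extension subset, the 7.5-bit threshold and the sample files (random bytes standing in for ciphertext) are constructed for the example.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Subset of the extension list from the post (assumption: extend with the rest).
TARGET_EXTENSIONS = {
    "7z", "c", "cpp", "csv", "db", "doc", "gz", "html", "jar", "jpg",
    "key", "mdb", "pdf", "pem", "p12", "rar", "sql", "txt", "xls", "xml",
}

# Formats whose content is compressed or binary: entropy alone cannot separate
# them from ciphertext, so check the header (magic bytes) instead.
MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (also used by xls)
    "xls": b"\xd0\xcf\x11\xe0",
    "gz": b"\x1f\x8b",
    "jar": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
    "rar": b"Rar!",
}

# Strings taken from the ransom message quoted in the post.
RANSOM_MARKERS = (b"encrypted with RSA-1024", b"=== BEGIN ===", b"=== END ===")

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune against known-good files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    return all(marker in data for marker in RANSOM_MARKERS)


def classify(name: str, data: bytes) -> str:
    """Return 'ransom_note', 'suspect', 'intact' or 'ignored' for one file."""
    if looks_like_ransom_note(data):
        return "ransom_note"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in TARGET_EXTENSIONS:
        return "ignored"
    if ext in MAGIC:  # header still present means the file was not overwritten
        return "intact" if data.startswith(MAGIC[ext]) else "suspect"
    return "suspect" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "intact"


def triage(root: str) -> dict:
    """Walk root and bucket every file by classify(); reads at most 64 KiB each."""
    report = {"ransom_note": [], "suspect": [], "intact": [], "ignored": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            report[classify(name, head)].append(os.path.relpath(path, root))
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample files: some intact, some 'encrypted' (random bytes)."""
    rnd = random.Random(2008)
    noise = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    files = {
        "notes.txt": b"meeting at ten, bring the backup tapes\n" * 50,
        "report.doc": MAGIC["doc"] + b"\x00" * 500 + b"Quarterly report" * 20,
        "photo.jpg": MAGIC["jpg"] + noise,
        "photo_old.jpg": noise,          # header gone: encrypted in place
        "secrets.txt": noise,            # text file that is now ciphertext
        "setup.exe": noise,              # not on the target list, ignored
        "README.txt": (                  # constructed from the quoted message
            b"Your files are encrypted with RSA-1024 algorithm.\n"
            b"To recovery your files you need to buy our decryptor.\n"
            b"=== BEGIN ===\n[key removed]\n=== END ===\n"
        ),
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo_report() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, paths in demo_report().items():
        print(f"{bucket:12s} {', '.join(paths) or '-'}")
```

Run it against a copy of the affected disk, never the live system (the advice above is not to touch that machine). Expect false positives on plain-format files that are legitimately high-entropy, such as base64 blobs or password databases, and verify any "suspect" hit by hand before concluding that it was encrypted.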