Abstract
Yes viruses are spread around the world every day. There is nothing new to this. But the GPCODE virus that now has been reported in the wild is different. It encrypts files on your harddisk and permanently deletes the old files. In the end you would need to contact the virus author to be the decryption key to gain to your files access.
You think we are kidding? Nop. We’re not. Kaspersky – one of the leading companies in the Anti-Virus business filed an appeal to all cryptographers around the world to fight the encryption of this virus. The worst thing is: the virus authors use an RSA 1024bit key to encrypt your data. RSA 1024 bit is still quite secure these days (see Wikipedia for cracked RSA’s here). There have been successful attempts to brute force factors only for RSA 640bits. Kaspersky estimates we need 15million computers in distributed computing to hack that key… erm… yes 15million…
What you can do
Positive news is that this virus seems to appear infrequently. We have not yet found a copy of that virus on our own researches in the underground networks. This means currently the threat probability is medium. Anyway staying clean is not too complicated:
- have a premium anti-virus scanner installed (see our sponsors)
- update your virus signatures frequently (means once per day is minimum)
- backup your data frequently on external devices
If you are attacked by that virus and already have it on your system, you will see a messagebox saying:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [removed]@yahoo.com
=== BEGIN ===
[key removed]
=== END ===
there is not too much you can do currently. Kaspersky recommends not turning of or rebooting the computer. Instead contact Kaspersky under stopgpcode@kaspersky.com using a second computer. Please provide detailed information how you obtained this virus (means: which torrent site etc.).
Infected file formats
These are the suffixes (extensions) of files that will be affected by GPCODE:
| 7z |
abk |
abd |
acad |
| arh |
arj |
ace |
arx |
| asm |
bz |
bz2 |
bak |
| bcb |
c |
cc |
cdb |
| cdw |
cdr |
cer |
cgi |
| chm |
cnt |
cpp |
css |
| csv |
db |
db1 |
db2 |
| db3 |
db4 |
dba |
dbb |
| dbc |
dbd |
dbe |
dbf |
| dbt |
dbm |
dbo |
dbq |
| dbt |
dbx |
Djvu |
doc |
| dok |
dpr |
dwg |
dxf |
| ebd |
eml |
eni |
ert |
| fax |
flb |
frm |
frt |
| frx |
frg |
gtd |
gz |
| gzip |
gfa |
gfr |
gfd |
| h |
inc |
igs |
iges |
| jar |
jad |
Java |
jpg |
| jpeg |
Jfif |
jpe |
js |
| jsp |
hpp |
htm |
html |
| key |
kwm |
Ldif |
lst |
| lsp |
lzh |
lzw |
ldr |
| man |
mdb |
mht |
mmf |
| mns |
mnb |
mnu |
mo |
| msb |
msg |
mxl |
old |
| p12 |
pak |
pas |
pdf |
| pem |
pfx |
php |
php3 |
| php4 |
pl |
prf |
pgp |
| prx |
pst |
pw |
pwa |
| pwl |
pwm |
pm3 |
pm4 |
| pm5 |
pm6 |
rar |
rmr |
| rnd |
rtf |
Safe |
sar |
| sig |
sql |
tar |
tbb |
| tbk |
tdf |
tgz |
tbb |
| txt |
uue |
vb |
vcf |
| wab |
xls |
xml |
|
