Ransomware GPcode
Original issue date: June 25, 2008
It has been observed that a virus named Ransomware GPcode is circulating in the wild. It scans the infected system for files with a range of extensions and encrypts those whose size lies between 10 bytes and 734003200 bytes using the RC4 algorithm. The virus encrypts data using an RSA public key of 1024 bits that is embedded in the body of the virus. A message demanding money for the purchase of a decryptor is then displayed.
Further, the virus creates an encrypted copy of each original file it finds suitable for infection. The encrypted copy keeps the original file name, with _CRYPT appended to the end of the name. The virus then deletes the original file from the infected system.
- The virus drops a text file named "!_READ_ME_!.txt" in every directory that contains encrypted files. This text file contains the following message:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com
=== BEGIN ===
[key]
=== END ===
- After performing the above activities, the virus creates a VBS file that deletes the main body of the virus from the infected system and causes the following message to be displayed:
Aliases: Virus.Win32.Gpcode.ak [Kaspersky], Virus.Win32.Gpcode.ac, Virus.Win32.Gpcode.ad, Virus.Win32.Gpcode.b, Virus.Win32.Gpcode.e, Virus.Win32.Gpcode.ai, Virus.Win32.Gpcode.ae, Virus.Win32.Gpcode.af, Virus.Win32.Gpcode.ag, Virus.Win32.Gpcode.f, GPcoder.e, GPcoder.h, Troj_pgpcoder.a, Trojan.Gpcoder.B, Trojan.Gpcoder.C, Trojan.Gpcoder.D, Trojan.Gpcoder.E, Win32/Spy.Agent.PZ, w32/gopper.a, TSPY_KOLLAH.F, Backdoor:Win32/Kollah.D
Upon execution, the virus:
- Creates the following mutex in memory in order to flag its presence in the system: _G_P_C_.
- Scans all logical disks on the infected system for files with the extensions listed below:
7z, abk, abd, acad, arh, arj, ace, arx, asm, bz, bz2, bak, bcb, c, cc, cdb, cdw, cdr, cer, cgi, chm, cnt, cpp, css, csv, db, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbt, dbm, dbo, dbq, dbx, djvu, doc, dok, dpr, dwg, dxf, ebd, eml, eni, ert, fax, flb, frm, frt, frx, frg, gtd, gz, gzip, gfa, gfr, gfd, h, inc, igs, iges, jar, jad, java, jpg, jpeg, jfif, jpe, js, jsp, hpp, htm, html, key, kwm, ldif, lst, lsp, lzh, lzw, ldr, man, mdb, mht, mmf, ns, mnb, mnu, mo, msb, msg, mxl, old, p12, pak, pas, pdf, pem, pfx, php, php3, php4, pl, prf, pgp, prx, pst, pw, pwa, pwl, pwm, pm3, pm4, pm5, pm6, rar, rmr, rnd, rtf, safe, sar, sig, sql, tar, tbb, tbk, tdf, tgz, txt, uue, vb, vcf, wab, xls, xml
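The encrypted-copy and ransom-note behaviour described above (the _CRYPT suffix, the "!_READ_ME_!.txt" note with its === BEGIN === / === END === key block, and the deletion of the original file) can be triaged on a file share with the script below. It is an added example, not part of the original advisory or of any vendor tool; the exact suffix form ("name.ext_CRYPT" or "name.ext._CRYPT") and the sample directory it builds are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

NOTE_NAME = "!_READ_ME_!.txt"
CRYPT_SUFFIX = "_CRYPT"
KEY_BLOCK = re.compile(r"=== BEGIN ===\s*(.*?)\s*=== END ===", re.S)

def original_name(name):
    # 'report.doc_CRYPT' or 'report.doc._CRYPT' -> 'report.doc'; None otherwise
    if not name.endswith(CRYPT_SUFFIX):
        return None
    return name[:-len(CRYPT_SUFFIX)].removesuffix(".")

def parse_note(text):
    # Return the blob between the === BEGIN === / === END === markers, or None
    m = KEY_BLOCK.search(text)
    return m.group(1).strip() if m else None

def scan_tree(root):
    # Walk root, collecting encrypted copies, ransom notes and the keys they carry
    hits = {"encrypted": [], "notes": [], "keys": set(), "originals_present": []}
    for dirpath, _, files in os.walk(root):
        names = set(files)
        for f in files:
            full = os.path.join(dirpath, f)
            if f == NOTE_NAME:
                hits["notes"].append(full)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    key = parse_note(fh.read())
                if key:
                    hits["keys"].add(key)
            elif (orig := original_name(f)) is not None:
                hits["encrypted"].append(full)
                # The virus deletes the original after writing the copy; an original
                # still beside its _CRYPT twin suggests an interrupted run.
                if orig in names:
                    hits["originals_present"].append(full)
    return hits

def build_sample_tree():
    # Constructed sample share for the demo (assumed layout, no real data or key)
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    note = "Your files are encrypted with RSA-1024 algorithm.\n=== BEGIN ===\nFAKEKEY-0000\n=== END ===\n"
    samples = {"report.doc_CRYPT": "xx", "budget.xls._CRYPT": "yy",
               "notes.txt": "untouched", "notes.txt_CRYPT": "zz", NOTE_NAME: note}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running scan_tree() over a mounted image or share lists the affected directories, the key blobs found in the notes, and the encrypted files whose originals are already gone and are therefore candidates for deleted-file recovery.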
In view of the rapid propagation of Ransomware GPcode, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep the operating system up to date with patches and fixes.
- Install a personal firewall at desktop level.
- Exercise caution while opening email attachments.
- If data has been encrypted by this virus, the utility PhotoRec can be used: since the virus writes an encrypted copy and then deletes the original file, the deleted originals may still be recoverable from disk. Recovery chances are best when the affected disk is not written to further. For details refer to:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444#doc1
References
SANS
http://isc.sans.org/diary.html?storyid=4544
F-Secure
http://www.f-secure.com/v-descs/gpcode.shtml
Kaspersky Lab
http://usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000131
Viruslist
http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444#doc1
Sophos
http://www.sophos.com/search/search-results/?search=GPCode
Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FGPCODE%2EAD
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003