Kaspersky Lab detects new version of Gpcode

16 Jul 2007
Virus News

Kaspersky Lab, a leading developer of secure content management solutions, has detected the latest version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.

Virus.Win32.Gpcode.ai, which was detected last week, uses a complex encryption algorithm to encrypt user files and archives, making it impossible to open them. It also drops a file called "read_me.txt" onto the victim machine, which contains the following text:

Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: xxxxxxx@xxxxx.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

Glamorous team

In reality, this version of the blackmailing program uses a modified version of RC4, not RSA-4096 as claimed in the text. The claim that user files are sent to the malicious user is also false. Kaspersky Lab has always succeeded in finding the decryption key for files encrypted by previous versions of Gpcode.

Signatures for Virus.Win32.Gpcode.ai have been added to the Kaspersky Anti-Virus databases, and all users are recommended to update their databases. It should also be stressed that the Proactive Detection module (PDM) in Kaspersky Anti-Virus 6.0 products provides protection against this malicious program without the need to update databases: PDM detects Gpcode.ai as Trojan.generic and Invader and blocks its activity. Kaspersky Lab analysts have also created a decryption routine for encrypted files, which will be added to the antivirus databases in the very near future.

If your files have been encrypted by Gpcode, Kaspersky Lab strongly recommends that you do not pay the creators of this virus, as this will only encourage further crime. Antivirus solutions are able to deal with the issue and restore encrypted data to its original form.
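The reason the RC4-versus-RSA-4096 distinction matters for recovery is that RC4 is a symmetric stream cipher: the same key that encrypted a file decrypts it, so once analysts extract that key from the sample, a decryption routine follows directly. With genuine RSA-4096 only the extortionist's private key would do. The following is an added illustration, not Kaspersky Lab's decryption routine and not the malware's code; it uses textbook RC4 rather than Gpcode's modified variant, and the key, file contents and file signature in it are constructed for the demonstration.

```python
"""Textbook RC4 (KSA + PRGA) used to show why a symmetric-cipher ransom
scheme is recoverable once the key is known. Added example; the key and
file contents below are constructed, not taken from any Gpcode sample."""


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream bytes for `key`."""
    # Key-scheduling algorithm (KSA): permute S using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the keystream. Because XOR is its own inverse,
    this single function both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def recover_file(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt one encrypted file with the symmetric key recovered from
    the sample. Identical to encryption; that symmetry is the whole point."""
    return rc4(key, ciphertext)


def is_plausible_recovery(plaintext: bytes, expected_magic: bytes) -> bool:
    """Sanity check: a correctly recovered file should start with the
    signature its type is known to carry (e.g. b'%PDF' for PDF)."""
    return plaintext.startswith(expected_magic)


def demo() -> bool:
    """Walk through encrypt -> key recovery -> decrypt on constructed data.
    Returns True when the recovered file matches the original."""
    # Constructed victim file and constructed key (hypothetical values).
    original = b"%PDF-1.4\nconstructed sample document body\n"
    key_embedded_in_sample = b"constructed-key"
    # The encryption step stands in for what the malware does to a file.
    encrypted = rc4(key_embedded_in_sample, original)
    # Stream cipher: ciphertext is the same length as the plaintext.
    assert len(encrypted) == len(original)
    # An analyst who extracts the key from the sample recovers the file.
    recovered = recover_file(encrypted, key_embedded_in_sample)
    return recovered == original and is_plausible_recovery(recovered, b"%PDF")


if __name__ == "__main__":
    print("recovery succeeded:", demo())
```

The `is_plausible_recovery` check is the kind of guard a bulk-decryption tool needs: with a stream cipher a wrong key still produces output of the right length, so a file-signature test (or a checksum where one is available) is what tells a correct key from a wrong one before overwriting the encrypted copy.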

A full description of Virus.Win32.Gpcode.ai can be found on Viruslist.com at http://www.viruslist.com/en/viruses/encyclopedia?virusid=164339

About Kaspersky Lab

Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The Company is ranked among the world’s top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry’s fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.com. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.viruslist.com.