Kaspersky Lab releases instructions on how to recover files attacked by the Gpcode.ak virus

16 Jun 2008
Virus News

Kaspersky Lab, a leading developer of secure content management systems, is now able to provide users with instructions on how to recover files attacked by the Gpcode.ak virus. As reported earlier, decrypting files encrypted by Gpcode.ak without the private key is not, as yet, possible. However, a method for recovering the encrypted files' original contents has been identified.

The method makes use of the fact that before encrypting a file, Gpcode.ak creates a new file (which contains encrypted data from the original file) ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.

It is well-known that deleted files can be recovered if the data on the hard drive has not been significantly modified. This is why, from the start, Kaspersky Lab's advice to users whose computers were attacked by Gpcode.ak has been to contact the company’s virus experts without rebooting the infected computer. Users who have contacted us have been advised to use various file recovery utilities. Unfortunately, most such utilities are distributed under shareware licenses. Kaspersky Lab analysts have searched for the most effective and accessible of such utilities to help users recover the files deleted by Gpcode.ak. The free PhotoRec utility, developed by Christophe Grenier and distributed under a GPL license, turned out to be just such a solution.

Originally, the utility was developed for the recovery of graphics files (hence its name, PhotoRec, which is short for Photo Recovery). Later, its functionality was extended and it can now be used to recover Microsoft Office documents, executable files, PDF and TXT documents, as well as file archives in a variety of formats (view list of formats).

The PhotoRec utility is supplied with the latest version of the TestDisk package (ZIP file, 1.43 MB).

The PhotoRec utility performs the function of recovering files on a selected partition remarkably well. However, restoring the exact file names and paths remains a problem. To address this issue, Kaspersky Lab has developed a small free utility, StopGpcode (ZIP file, 71.2 KB), which restores original file names and the full paths of the files recovered.

Kaspersky Lab suggests that users who have suffered from the Gpcode.ak virus donate to the author of the PhotoRec utility rather than pay cybercriminals.

Detailed instructions on manually recovering files with the help of PhotoRec and StopGpcode utilities have been added to the Gpcode.ak description.

Update, 27 June 2008: Kaspersky Lab specialists find a new way to restore encrypted files.

Virus analysts at Kaspersky Lab have created the StopGpcode2 utility to restore files encrypted by the virus. The utility requires a pair of files with identical original content: one that has been encrypted by the virus and one that has not. The unencrypted copy can be obtained using the PhotoRec utility (see above), or from backup copies, removable media or public sources. Using such file pairs, StopGpcode2 can then decrypt other files affected by Gpcode.

Detailed instructions on manually recovering files with the help of various utilities have been added to the Virus.Win32.Gpcode.ak description.

About Kaspersky Lab

Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The Company is ranked among the world’s top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry’s fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.com. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.viruslist.com.