Home » News » Security » New Version of Gpcode Detected by Kaspersky Lab
Kaspersky Lab has detected the latest version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.
Virus.Win32.Gpcode.ai, which was detected last week, uses a complex encryption algorithm to encrypt user files and archives, making it impossible to open them. It also drops a file called "read_me.txt" to the victim machine, which contains the following text:
Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: firstname.lastname@example.org and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.
If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
In actual fact, this version of the blackmailing program uses modified version of RC4, and not RSA-4096 as mentioned in the text. The claim
that user files are sent to the malicious user is also false.
Kaspersky Lab has always been successful in finding the decryption key for files encrypted by previous versions of Gpcode. Signatures for
Virus.Win32.Gpcode.ai have been added to the Kaspersky Anti-Virus databases, and all users are recommended to update their databases. It should also be stressed that the Proactive Detection module in Kaspersky Anti-Virus 6.0 products provides protection against this malicious program without the need to update databases. PDM will detect Gpcode.ai as Trojan.generic and Invader, and block its activity.
Kaspersky Lab analysts have also created a decryption routine for encrypted files which will be added to the antivirus databases in the very near future.
If your files have been encrypted by Gpcode, Kaspersky Lab strongly recommends that you should not pay money to the creators of this virus, as this will encourage further crime. Antivirus solutions are able to deal with the issue and restore encrypted data to its original form.