Content
GPCoder.i
- Type
- Trojan
- SubType
- Win32
- Discovery Date
- 06/09/2008
- Length
- 8029 bytes
- Minimum DAT
- 5313 (06/09/2008)
- Updated DAT
- 5313 (06/09/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 06/09/2008
- Description Modified
- 06/09/2008 7:59 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update June 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/security/?p=1251
--
GPCoder.i is a Trojan which encrypts files on the victims pc and drops a ransom note with the contact details of the author. The victim is requested to pay a specified amount in order to obtain a decryptor tool to recover the encrypted files.
When run this trojan searches for files of the following extensions to encrypt:
* 7z
* abk
* abd
* acad
* arh
* arj
* ace
* arx
* asm
* bz
* bz2
* bak
* bcb
* c
* cc
* cdb
* cdw
* cdr
* cer
* cgi
* chm
* cnt
* cpp
* css
* csv
* db
* db1
* db2
* db3
* db4
* dba
* dbb
* dbc
* dbd
* dbe
* dbf
* dbt
* dbm
* dbo
* dbq
* dbt
* dbx
* djvu
* doc
* dok
* dpr
* dwg
* dxf
* ebd
* eml
* eni
* ert
* fax
* flb
* frm
* frt
* frx
* frg
* gtd
* gz
* gzip
* gfd
* gfa
* gfr
* h
* inc
* igs
* iges
* jar
* jad
* java
* jpg
* jpeg
* jpe
* jfif
* js
* jsp
* hpp
* htm
* html
* key
* kwm
* ldif
* lst
* lsp
* lzh
* lzw
* ldr
* man
* mdb
* mht
* mmf
* mns
* mnb
* mnu
* mo
* msb
* msg
* mxl
* old
* p12
* pak
* pas
* pdf
* pem
* pfx
* php
* php3
* php4
* pgp
* pl
* prf
* prx
* pst
* pw
* pwa
* pwl
* pwm
* pm3
* pm4
* pm5
* pm6
* rar
* rmr
* rnd
* rtf
* safe
* sar
* sig
* sql
* tar
* tbb
* tbk
* tdf
* tgz
* tbb
* txt
* uue
* vb
* vcf
* wab
* xls
* xml
Files matching the above mentioned extensions are encrypted and a text file named !_READ_ME_!.txt is placed in the directory containing the following text:
Some files are coded.
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: d {removed} @yahoo.com
Symptoms
- File overwritten with "garbage" (encrypted data).
- Presence of aforementioned !_READ_ME_!.txt files.
- Display a message box with the following title.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
Variants
N/A
All Information
Overview -
-- Update June 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/security/?p=1251
--
GPCoder.i is a Trojan which encrypts files on the victims pc and drops a ransom note with the contact details of the author. The victim is requested to pay a specified amount in order to obtain a decryptor tool to recover the encrypted files.
Aliases
- Troj/Gpcode-D (Sophos)
- Trojan.Gpcoder.F (Symantec)
- Trojan:Win32/Gpcode.G (Microsoft)
- Virus.Win32.Gpcode.ak (Kaspersky)
Characteristics
Characteristics -
-- Update June 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/security/?p=1251
--
GPCoder.i is a Trojan which encrypts files on the victims pc and drops a ransom note with the contact details of the author. The victim is requested to pay a specified amount in order to obtain a decryptor tool to recover the encrypted files.
When run this trojan searches for files of the following extensions to encrypt:
* 7z
* abk
* abd
* acad
* arh
* arj
* ace
* arx
* asm
* bz
* bz2
* bak
* bcb
* c
* cc
* cdb
* cdw
* cdr
* cer
* cgi
* chm
* cnt
* cpp
* css
* csv
* db
* db1
* db2
* db3
* db4
* dba
* dbb
* dbc
* dbd
* dbe
* dbf
* dbt
* dbm
* dbo
* dbq
* dbt
* dbx
* djvu
* doc
* dok
* dpr
* dwg
* dxf
* ebd
* eml
* eni
* ert
* fax
* flb
* frm
* frt
* frx
* frg
* gtd
* gz
* gzip
* gfd
* gfa
* gfr
* h
* inc
* igs
* iges
* jar
* jad
* java
* jpg
* jpeg
* jpe
* jfif
* js
* jsp
* hpp
* htm
* html
* key
* kwm
* ldif
* lst
* lsp
* lzh
* lzw
* ldr
* man
* mdb
* mht
* mmf
* mns
* mnb
* mnu
* mo
* msb
* msg
* mxl
* old
* p12
* pak
* pas
* pdf
* pem
* pfx
* php
* php3
* php4
* pgp
* pl
* prf
* prx
* pst
* pw
* pwa
* pwl
* pwm
* pm3
* pm4
* pm5
* pm6
* rar
* rmr
* rnd
* rtf
* safe
* sar
* sig
* sql
* tar
* tbb
* tbk
* tdf
* tgz
* tbb
* txt
* uue
* vb
* vcf
* wab
* xls
* xml
Files matching the above mentioned extensions are encrypted and a text file named !_READ_ME_!.txt is placed in the directory containing the following text:
Some files are coded.
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: d {removed} @yahoo.com
Symptoms
Symptoms -
- File overwritten with "garbage" (encrypted data).
- Presence of aforementioned !_READ_ME_!.txt files.
- Display a message box with the following title.
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
