Mig33 Friends

Security Alert [GPCODE.ak]



Post by vinay Sat Jun 07, 2008 4:36 am

Kaspersky Lab has found a new variant of Gpcode, a dangerous encryptor virus: Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited to, .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more, using an RSA encryption algorithm with a 1024-bit key.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode when Kaspersky virus analysts were able to crack the private key after in-depth cryptographic analysis. Their researchers have to date been able to crack keys up to 660 bits. This was the result of a detailed analysis of the RSA algorithm implementation. It has been estimated that if the encryption algorithm is implemented correctly, it would take one PC with a 2.2 GHz processor around 30 years to crack a 660-bit key.

The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660.

At the time of writing, Kaspersky researchers are unable to decrypt files encrypted by Gpcode.ak, since the key is 1024 bits long and they have not yet found any errors in the implementation. Thus, at the time of writing, the only way to decrypt the encrypted files is to use the private key, which only the author has.

After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor:

«Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com»

In addition, after Gpcode encrypts files, it also displays the message shown below:

[screenshot: the message displayed by Gpcode.ak after encryption]

In this case, Kaspersky researchers recommend that victims try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.

Complete information: http://www.viruslist.com/en/alerts?alertid=203996088

Post by sajith Sat Jun 07, 2008 5:00 am

That's good, bro.
My PC had Win32 viruses everywhere. Thanks for that information, bro. Keep it up like this.

Post by msilmy Sat Jun 07, 2008 5:33 am

Cool...

Fantastic, vinu bro.

Thanks for the information; it's a very helpful message.

Post by luv.inspecta Sat Jun 07, 2008 5:50 am

Very nice, vinay bhai... thanks for sharing with us... guess Kaspersky is really solid... cool... gotta download it.

Post by Guest Sat Jun 07, 2008 7:13 am

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file, 8030 bytes in size.


Other versions: .ac, .ad, .ae, .af, .ag, .ai, .f

Detection added: Jun 04 2008 14:39 GMT
Description added: Jun 06 2008
Behavior: Virus
Platform: Win32


Once launched, the virus creates the following mutex in memory in order to flag its presence in the system: _G_P_C_.
The virus then scans all logical disks one after another for files to encrypt. The virus encrypts all user files with the extensions listed below:

7z, abk, abd, acad, arh, arj, ace, arx, asm, bz, bz2, bak, bcb, c, cc, cdb, cdw, cdr, cer, cgi, chm, cnt, cpp, css, csv, db, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbt, dbm, dbo, dbq, dbt, dbx, djvu, doc, dok, dpr, dwg, dxf, ebd, eml, eni, ert, fax, flb, frm, frt, frx, frg, gtd, gz, gzip, gfa, gfr, gfd, h, inc, igs, iges, jar, jad, java, jpg, jpeg, jfif, jpe, js, jsp, hpp, htm, html, key, kwm, ldif, lst, lsp, lzh, lzw, ldr, man, mdb, mht, mmf, mns, mnb, mnu, mo, msb, msg, mxl, old, p12, pak, pas, pdf, pem, pfx, php, php3, php4, pl, prf, pgp, prx, pst, pw, pwa, pwl, pwm, pm3, pm4, pm5, pm6, rar, rmr, rnd, rtf, safe, sar, sig, sql, tar, tbb, tbk, tdf, tgz, tbb, txt, uue, vb, vcf, wab, xls, xml


The virus uses Microsoft Enhanced Cryptographic Provider v1.0 (built into Windows) to encrypt files. Files are encrypted using the RC4 algorithm. The encryption key is then encrypted using an RSA public key 1024 bits in length which is in the body of the virus.
The RSA encryption algorithm divides encryption keys into public and private. Only the public key is needed to encrypt messages. An encrypted message can be decrypted only using the private key.
The virus creates an encrypted copy of each original file. The encrypted copy retains the original file name, with _CRYPT being added to the end of the file name. Example:
WaterLilles.jpg — original file
WaterLilles.jpg._CRYPT — encrypted file
The original file will then be deleted.

Then, as vinay said!!! The virus drops a file called "!_READ_ME_!.txt" to every directory which contains encrypted files. The file contains the following text:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com


Note that files located in the Program Files directory will not be encrypted. Additionally, the virus will not encrypt the following files:
  • with "system" and "hidden" attributes;
  • less than 10 bytes in size;
  • larger than 734003200 bytes in size.

Once the virus has delivered its payload, it creates a VBS file which deletes the main body of the virus from the victim machine, and causes the following MessageBox to be displayed (as vinay showed):
[screenshot: the MessageBox displayed by Gpcode.ak]


The virus does not register itself in the system registry.

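A small triage script for the indicators this description gives (the ._CRYPT suffix on encrypted copies, the !_READ_ME_!.txt note, and the Program Files and file-size exclusions). This is an added example, not Kaspersky's tool or anything from the post; the directory tree it scans is constructed in a temporary folder so it runs offline.

```python
"""Triage for a Gpcode.ak-style hit using the indicators in the description above:
the ._CRYPT suffix on encrypted copies, the !_READ_ME_!.txt note, and the
exclusions (Program Files, files under 10 bytes or over 734003200 bytes).
Added example, not Kaspersky's tool; the directory tree is constructed in a
temporary folder so the script runs offline."""
import os
import tempfile

CRYPT_SUFFIX = "._CRYPT"             # WaterLilles.jpg -> WaterLilles.jpg._CRYPT
RANSOM_NOTE = "!_READ_ME_!.txt"      # dropped into every directory with encrypted files
MIN_SIZE, MAX_SIZE = 10, 734003200   # sizes outside this range are not encrypted
SKIPPED_DIR = "program files"        # the description says this tree is left alone


def triage(root):
    """Walk root and report, per directory, the ._CRYPT copies, whether the
    ransom note is present, and any originals still sitting beside their copy
    (the description says the original is deleted after the copy is written,
    so a survivor means that step did not complete and the file is intact)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.endswith(CRYPT_SUFFIX))
        if not encrypted and RANSOM_NOTE not in files:
            continue
        originals = {f[: -len(CRYPT_SUFFIX)] for f in encrypted}
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": encrypted,
            "note_present": RANSOM_NOTE in files,
            "originals_still_present": sorted(originals & set(files)),
        }
    return report


def would_be_skipped(path):
    """True if the stated exclusion rules mean the virus would not touch this file.
    The "system"/"hidden" attribute rule is Windows-only and not checked here."""
    parts = [p.lower() for p in os.path.normpath(path).split(os.sep)]
    if SKIPPED_DIR in parts:
        return True
    size = os.path.getsize(path)
    return size < MIN_SIZE or size > MAX_SIZE


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree(root):
    """Constructed sample: one folder hit by the virus (with one original not yet
    deleted), one file too small to be targeted, one file under Program Files."""
    docs = os.path.join(root, "Documents")
    _write(os.path.join(docs, "WaterLilles.jpg._CRYPT"), b"\x00" * 64)
    _write(os.path.join(docs, "notes.txt._CRYPT"), b"\x00" * 64)
    _write(os.path.join(docs, "notes.txt"), b"meeting at 10\n" * 4)
    _write(os.path.join(docs, RANSOM_NOTE),
           b"Your files are encrypted with RSA-1024 algorithm.\n")
    tiny = os.path.join(docs, "empty.txt")
    _write(tiny, b"ok")                      # 2 bytes: below the 10-byte floor
    pf_file = os.path.join(root, "Program Files", "App", "readme.txt")
    _write(pf_file, b"left alone by the virus\n")
    return docs, tiny, pf_file


def demo():
    """Run the triage over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        docs, tiny, pf_file = build_sample_tree(root)
        return (triage(root),
                would_be_skipped(tiny),
                would_be_skipped(pf_file),
                would_be_skipped(os.path.join(docs, "notes.txt")))


if __name__ == "__main__":
    for item in demo():
        print(item)
```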

Post by Guest Sat Jun 07, 2008 7:18 am

The current removal technique that Kaspersky provides is:

If you think your computer has been infected, contact us at stopgpcode@kaspersky.com. Include details: tell us the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected:

  • which programs you ran,
  • which websites you have visited, etc.

Post by Guest Sat Jun 07, 2008 7:20 am

Virus.Win32.Gpcode.ac
This file virus is a Windows PE EXE file, packed using UPX. The packed file is approximately 61KB in size, and the unpacked file is approximately 134KB in size.
The program was widely distributed throughout the Russian segment of the Internet using spammer technologies. So watch out when you search for cracks and keygens on websites, as most of the crack & keygen websites are hosted in Russia (Russia doesn't have a copyright law).

Once launched, the virus encrypts files saved on the victim machine which have the following extensions:

arh, arj, c, cdr, cgi, chm, cnt, cpp, css, csv, db, db1, db2, dbf, dbt, dbx, doc, flb, frm, frt, frx, gtd, gz, gzip, h, htm, html, key, kwm, lst, man, mdb, mmf, mo, old, p12, pak, pdf, pem, pfx, pgp, pl, prf, prx, pst, pwa, pwl, pwm, rar, rmr, rnd, rtf, safe, sar, sig, tar, tbb, txt, xls, xml, zip
The virus partly uses the RSA algorithm to encrypt files.
Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files. A file called 'readme.txt' appears in folders where encrypted files are located. The file contains the following text (although the email and the encryption key may differ):

Some files are coded by RSA method.
To buy decoder mail: *****sh34@rambler.ru
with subject: RSA 5 ********728578411
When contacted by the user, the author of the program will demand payment for decrypting the encrypted files.

Users are reminded that they should be extremely cautious when faced with attachments to suspicious messages. Additionally, users should not contact the authors of malicious programs, nor pay them money, as this will simply act as motivation to write new variants.

Post by Guest Sat Jun 07, 2008 7:21 am

Virus.Win32.Gpcode.ad

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 61 440 bytes in size, packed using UPX. The unpacked file is approximately 135KB in size.
Once launched, the virus encrypts files with the following extensions:

3ds, 3dx, acd, ace, ai, arc, arh, arj, c, cdr, cgi, chm, cnt, cpp, css, csv, db, db1, db2, dbf, dbt, dbx, dic, doc, dsc, dwg, dxf, eps, fax, fla, flb, frm, frt, frx, gtd, gz, gzip, h, ha, htm, html, jar, key, kwm, lst, lzh, ma, man, mar, mdb, mmf, mo, old, p12, pak, pdf, pem, pfx, pgp, pl, ppt, prf, prx, ps, pst, pwa, pwl, pwm, rar, rle, rmr, rnd, rtf, safe, sar, sig, sln, swf, tar, tbb, tex, tga, txt, xcr, xls, xml, zip, zoo
The virus partially uses the RSA 67 bit algorithm to encrypt files.
Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.

The virus creates a file called 'readme.txt' in folders which contain encrypted files. 'Readme.txt' contains the following message:

Some files are coded by RSA method. To buy decoder mail: w*****44@mail.ru with subject: RSA 5 ********507363108091

The email address used may differ from variant to variant.

If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.
Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.

Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.

Post by Guest Sat Jun 07, 2008 7:22 am

Virus.Win32.Gpcode.ae

This malicious program encrypts files on the victim machine. The virus itself is a Windows PE EXE file approximately 62KB in size, packed using UPX. The unpacked file is approximately 134KB in size.
This program was spammed throughout the Russian Internet.
Once launched, the virus will encrypt files which it finds on the victim machine which have the following extensions:

12m, 3ds, 3dx, 4ge, 4gl, a, a86, abc, acd, ace, act, ada, adi, aex, af3, afd, ag4, ai, aif, aifc, aiff, ain, aio, ais, akf, alv, amp, ans, ap, apa, apo, app, arc, arh, arj, arx, asc, ask, bb, bcp, bdb, bh, bib, bsa, btr, bup, bwb, bz, c, c86, cac, cat, cbl, cc, cdb, cdr, cgi, cmd, cnt, cob, col, cpp, cpt, crp, cru, csc, css, csv, ctx, cvs, cwb, cwk, cxe, cyp, d, db, db0, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbk, dbm, dbo, dbq, dbt, dbx, dic, dif, dm, dmd, doc, dok, dox, dsc, dwg, dxf, dxr, eps, exp, f, fas, fax, fdb, fla, flb, fm, fox, frm, frt, frx, fsl, gtd, gz, gzip, h, ha, hh, hjt, hog, htm, html, htx, ice, icf, ihtml, ish, jar, jsp, key, kwm, lst, lwp, lzh, lzs, lzw, ma, mak, man, maq, mar, mbx, mdb, mdf, mmf, mo, myd, old, p12, pak, pdf, pem, pfx, pgp, pl, pm3, pm4, pm5, pm6, ppt, prf, prx, ps, pst, pw, pwa, pwl, pwm, pwp, pxl, rar, rle, rmr, rnd, rtf, safe, sar, sig, sln, swf, tar, tbb, tex, tga, txt, vp, xcr, xls, xml, zip, zoo
The virus partly uses the RSA 260-bit encryption algorithm to encrypt files.
Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files.

A file called 'readme.txt' is created in folders where encrypted files are located. The file contains the following text:

Some files are coded by RSA method.
To buy decoder mail: k6**89@mail.ru
with subject: REPLY


The email address shown may differ from modification to modification of this virus.
If contacted by the user, the author of the program will demand payment for decrypting the encrypted files.

Users are reminded that they should be extremely cautious when faced with attachments to suspicious messages. Additionally, users should not contact the authors of malicious programs, nor pay them money, as this will simply act as motivation to write new variants.

Once the virus has completed its encryption routine, it creates a file named TMP.BAT. This file contains code which will delete the source code of the malicious program from the victim machine.

Post by Guest Sat Jun 07, 2008 7:23 am

Virus.Win32.Gpcode.af

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 64512 bytes in size, packed using UPX. The unpacked file is approximately 147KB in size.
This malicious program was distributed throughout the Russian Internet using spammer technologies.
Once launched, the virus encrypts files with the following extensions:

12m, 3ds, 3dx, 4ge, 4gl, a, a86, abc, acd, ace, act, ada, adi, aex, af3, afd, ag4, ai, aif, aifc, aiff, ain, aio, ais, akf, alv, amp, ans, ap, apa, apo, app, arc, arh, arj, arx, asc, ask, bb, bcp, bdb, bh, bib, bsa, btr, bup, bwb, bz, c, c86, cac, cat, cbl, cc, cdb, cdr, cgi, cmd, cnt, cob, col, cpp, cpt, crp, cru, csc, css, csv, ctx, cvs, cwb, cwk, cxe, cyp, d, db, db0, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbk, dbm, dbo, dbq, dbt, dbx, dic, dif, dm, dmd, doc, dok, dox, dsc, dwg, dxf, dxr, eps, exp, f, fas, fax, fdb, fla, flb, fm, fox, frm, frt, frx, fsl, gtd, gz, gzip, h, ha, hh, hjt, hog, htm, html, htx, ice, icf, ihtml, ish, jar, jsp, key, kwm, lst, lwp, lzh, lzs, lzw, ma, mak, man, maq, mar, mbx, mdb, mdf, mmf, mo, myd, old, p12, pak, pdf, pem, pfx, pgp, pl, pm3, pm4, pm5, pm6, ppt, prf, prx, ps, pst, pw, pwa, pwl, pwm, pwp, pxl, rar, rle, rmr, rnd, rtf, safe, sar, sig, sln, swf, tar, tbb, tex, tga, txt, vp, xcr, xls, xml, zip, zoo
The virus partially uses the RSA 330 bit algorithm to encrypt files.
Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.

The virus creates a file called 'readme.txt' in folders which contain encrypted files. 'Readme.txt' contains the following message:

Some files are coded by RSA method.
To buy decoder mail: k6**89@mail.ru
with subject: REPLY


The email address used may differ from variant to variant.
If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.

Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.

Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.

Post by Guest Sat Jun 07, 2008 7:23 am

Virus.Win32.Gpcode.ag

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 64 512 bytes in size, packed using UPX. The unpacked file is approximately 147KB in size.
This malicious program was distributed throughout the Russian Internet using spammer technologies.
Once launched, the virus encrypts files with the following extensions:

12m, 3ds, 3dx, 4ge, 4gl, a, a86, abc, acd, ace, act, ada, adi, aex, af3, afd, ag4, ai, aif, aifc, aiff, ain, aio, ais, akf, alv, amp, ans, ap, apa, apo, app, arc, arh, arj, arx, asc, ask, bb, bcp, bdb, bh, bib, bsa, btr, bup, bwb, bz, c, c86, cac, cat, cbl, cc, cdb, cdr, cgi, cmd, cnt, cob, col, cpp, cpt, crp, cru, csc, css, csv, ctx, cvs, cwb, cwk, cxe, cyp, d, db, db0, db1, db2, db3, db4, dba, dbb, dbc, dbd, dbe, dbf, dbk, dbm, dbo, dbq, dbt, dbx, dic, dif, dm, dmd, doc, dok, dox, dsc, dwg, dxf, dxr, eps, exp, f, fas, fax, fdb, fla, flb, fm, fox, frm, frt, frx, fsl, gtd, gz, gzip, h, ha, hh, hjt, hog, htm, html, htx, ice, icf, ihtml, ish, jar, jsp, key, kwm, lst, lwp, lzh, lzs, lzw, ma, mak, man, maq, mar, mbx, mdb, mdf, mmf, mo, myd, old, p12, pak, pdf, pem, pfx, pgp, pl, pm3, pm4, pm5, pm6, ppt, prf, prx, ps, pst, pw, pwa, pwl, pwm, pwp, pxl, rar, rle, rmr, rnd, rtf, safe, sar, sig, sln, swf, tar, tbb, tex, tga, txt, vp, xcr, xls, xml, zip
The virus partially uses the RSA 660 bit algorithm to encrypt files.
Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.

The virus creates a file called 'readme.txt' in folders which contain encrypted files. 'Readme.txt' contains the following message:

Some files are coded by RSA method.
To buy decoder mail: dfk***26@mail.ru
with subject: REPLY
The email address may differ from variant to variant.
If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.

Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.

Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.

Post by Guest Sat Jun 07, 2008 7:26 am

Virus.Win32.Gpcode.ai

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file. It is packed using UPX. The unpacked file is 58,368 bytes in size.
The executable file of known variants of this virus is called "ntos.exe".

Once launched, the virus creates a unique encryption key, and saves it to the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"WinCode" = ""

The malicious program also adds itself to the system registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe, %System%\ntos.exe"


This key value will be periodically checked by system processes that have had malicious code injected into them (e.g. "Winlogon.exe"). If the key value is changed (i.e. if "%System%\ntos.exe" is deleted) then it will be automatically restored from the system process.
"%System%\ntos.exe" is protected from modification, renaming, and copying.
If the current system date is between 10th and 15th July 2007, the virus will encrypt all user files with the following extensions:

.12m, .3ds, .3dx, .4ge, .4gl, .7z, .a, .a86, .abc, .acd, .ace, .act, .ada, .adi, .aex, .af3, .afd, .ag4, .ai, .aif, .aifc, .aiff, .ain, .aio, .ais, .akf, .alv, .amp, .ans, .ap, .apa, .apo, .app, .arc, .arh, .arj, .arx, .asc, .asm, .ask, .au, .bak, .bas, .bb, .bcb, .bcp, .bdb, .bh, .bib, .bpr, .bsa, .btr, .bup, .bwb, .bz, .bz2, .c, .c86, .cac, .cbl, .cc, .cdb, .cdr, .cgi, .cmd, .cnt, .cob, .col, .cpp, .cpt, .crp, .cru, .csc, .css, .csv, .ctx, .cvs, .cwb, .cwk, .cxe, .cxx, .cyp, .d, .db, .db0, .db1, .db2, .db3, .db4, .dba, .dbb, .dbc, .dbd, .dbe, .dbf, .dbk, .dbm, .dbo, .dbq, .dbt, .dbx, .dfm, .djvu, .dic, .dif, .dm, .dmd, .doc, .dok, .dot, .dox, .dsc, .dwg, .dxf, .dxr, .eps, .exp, .f, .fas, .fax, .fdb, .fla, .flb, .frm, .fm, .fox, .frm, .frt, .frx, .fsl, .gtd, .gif, .gz, .gzip, .h, .ha, .hh, .hjt, .hog, .hpp, .htm, .html, .htx, .ice, .icf, .inc, .ish, .iso, .jar, .jad, .java, .jpg, .jpeg, .js, .jsp, .key, .kwm, .lst, .lwp, .lzh, .lzs, .lzw, .ma, .mak, .man, .maq, .mar, .mbx, .mdb, .mdf, .mid, .mo, .myd, .obj, .old, .p12, .pak, .pas, .pdf, .pem, .pfx, .php, .php3, .php4, .pgp, .pkr, .pl, .pm3, .pm4, .pm5, .pm6, .png, .ppt, .pps, .prf, .prx, .ps, .psd, .pst, .pw, .pwa, .pwl, .pwm, .pwp, .pxl, .py, .rar, .res, .rle, .rmr, .rnd, .rtf, .safe, .sar, .skr, .sln, .swf, .sql, .tar, .tbb, .tex, .tga, .tgz, .tif, .tiff, .txt, .vb, .vp, .wps, .xcr, .xls, .xml, .zip
The virus drops a file called "read_me.txt" to every directory which contains encrypted files. The file contains the following text:
Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: xxxxx@xxxx.com and provide us your personal code -XXXXX. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.

If you will not contact us in 3 months your private information will be shared and you will lost all your data.
Glamorous team




The virus also creates a hidden folder called "wsnpoem" in the Windows system directory, which contains two empty files: "video.dll" and "audio.dll".

REMOVAL INSTRUCTIONS (only for Virus.Win32.Gpcode.ai)

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Modify the system registry key value by adding any symbol to the end of the name of the malicious module. Example:
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "UserInit" = "%System%\userinit.exe, %System%\ntos.exe_"
  2. Reboot the computer.
  3. Manually delete the files listed below from the Windows system directory: ntos.exe
  4. If the malicious program has encrypted files on your machine, you can use Kaspersky Lab's free utility to decrypt them. Instructions and the utility itself can be found on the KL technical support site. Make sure you read the instructions carefully. Entering the wrong key could cause files to be irrevocably damaged.

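A check of the Winlogon UserInit value for the persistence entry described above, plus the neutralised value that step 1 of the removal instructions produces. This is an added example, not Kaspersky's tool or anything from the post; the UserInit strings are constructed samples, since reading the live key is Windows-only.

```python
"""Audit of the Winlogon UserInit value for the Gpcode.ai persistence entry
described above, and the neutralised value step 1 of the removal instructions
calls for. Added example, not Kaspersky's tool; the UserInit strings below are
constructed samples, because reading the live key needs Windows."""
import ntpath

USERINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGITIMATE = {"userinit.exe"}     # the only program a clean UserInit value names
GPCODE_AI = {"ntos.exe"}          # file name used by the known Gpcode.ai variants

# Constructed samples: an infected value as in the description, and a clean one
# (a trailing comma is normal for this value).
SAMPLE_INFECTED = r"%System%\userinit.exe, %System%\ntos.exe"
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value):
    """UserInit is a comma-separated list of programs Winlogon starts at logon."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value):
    """Return (unexpected entries, entries matching the Gpcode.ai file name).
    Any program other than userinit.exe here deserves a look, not only ntos.exe."""
    unexpected = [e for e in parse_userinit(value)
                  if ntpath.basename(e).lower() not in LEGITIMATE]
    matches = [e for e in unexpected if ntpath.basename(e).lower() in GPCODE_AI]
    return unexpected, matches


def neutralised_userinit(value, marker="_"):
    """Removal step 1: append a symbol to the malicious module's name so the
    entry no longer points at the file; the reboot and file deletion follow."""
    entries = []
    for e in parse_userinit(value):
        if ntpath.basename(e).lower() in GPCODE_AI:
            e += marker
        entries.append(e)
    return ", ".join(entries)


def demo():
    return (audit_userinit(SAMPLE_INFECTED),
            audit_userinit(SAMPLE_CLEAN),
            neutralised_userinit(SAMPLE_INFECTED))


if __name__ == "__main__":
    print("key:", USERINIT_KEY)
    for item in demo():
        print(item)
```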

Post by luv.inspecta Sat Jun 07, 2008 7:28 am

Ohhh god, that's a huge list... I'm worried for my laptop now...
Is Norton good enough to detect all these crappy viruses?!

Post by Guest Sat Jun 07, 2008 7:28 am

Virus.Win32.Gpcode.f


This file virus is a Windows PE EXE file, packed using UPX. The packed file is approximately 56KB in size, and the unpacked file is approximately 122KB in size.
Once launched, the virus will encrypt files with the following extensions on the victim machine:

arj, cdr, cgi, css, csv, db, dbf, dbt, dbx, doc, flb, frm, frt, frx, gtd, gz, htm, html, kwm, mdb, mmf, pak, pdf, pl, pst, pwa, pwl, pwm, rar, rmr, rtf, sar, tar, tbb, txt, xls, xml, zip



The original virus file will be deleted after launch.
The following text can be seen at the beginning of encrypted files: PGPcoder
A file named readme.txt will appear in folders which contain encrypted files. The contents of readme.txt are as follows:

Some files are coded.
To buy decoder mail: md56@mail.ru
with subject: PGPcoder md56
The text may give a different email address or decrypter version, depending on the version of Virus.Win32.GPCode.

If the user contacts the email address listed in readme.txt, they will receive an answer asking for a specific sum of money in return for decrypting files.


Last edited by abid861 on Sat Jun 07, 2008 7:31 am; edited 2 times in total

Post by Guest Sat Jun 07, 2008 7:29 am

I added extended info to vinay's info so that forum users may know about the history and variants of Virus.Win32.Gpcode.

Post by Guest Sat Jun 07, 2008 7:37 am

@luv.inspecta... bro, for anti-virus(es) it is not an easy task to decrypt files... just like vinay said... even the Kaspersky team is not able to decrypt the 1024-bit encryption completely YET!...

Let me give you the encryption and decryption info for RSA 1024-bit.

RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way:

  1. Choose two distinct large random prime numbers $p$ and $q$.
  2. Compute $n = pq$.
     • $n$ is used as the modulus for both the public and private keys.
  3. Compute the totient: $\varphi(n) = (p-1)(q-1)$.
  4. Choose an integer $e$ such that $1 < e < \varphi(n)$, and $e$ and $\varphi(n)$ share no factors other than 1 (i.e. $e$ and $\varphi(n)$ are coprime).
     • $e$ is released as the public key exponent.
  5. Compute $d$ to satisfy the congruence relation $de \equiv 1 \pmod{\varphi(n)}$; i.e. $de = 1 + k\varphi(n)$ for some integer $k$.
     • $d$ is kept as the private key exponent.

Notes on the above steps:

  • Step 1: Numbers can be probabilistically tested for primality.
  • Step 3: changed in PKCS#1 v2.0 to $\lambda(n) = \operatorname{lcm}(p-1, q-1)$, where lcm is the least common multiple, instead of $\varphi(n) = (p-1)(q-1)$.
  • Step 4: A popular choice for the public exponents is $e = 2^{16} + 1 = 65537$. Some applications choose smaller values such as $e = 3$, 5, 17 or 257 instead. This is done to make encryption and signature verification faster on small devices like smart cards, but small public exponents can lead to greater security risks.
  • Steps 4 and 5 can be performed with the extended Euclidean algorithm; see modular arithmetic.

The public key consists of the modulus $n$ and the public (or encryption) exponent $e$.
The private key consists of the modulus $n$ and the private (or decryption) exponent $d$, which must be kept secret.

  • For efficiency a different form of the private key can be stored:
    • $p$ and $q$: the primes from the key generation,
    • $d \bmod (p-1)$ and $d \bmod (q-1)$,
    • $q^{-1} \bmod p$.
  • All parts of the private key must be kept secret in this form. $p$ and $q$ are sensitive since they are the factors of $n$, and allow computation of $d$ given $e$. If $p$ and $q$ are not stored in this form of the private key then they are securely deleted along with other intermediate values from key generation.
  • Although this form allows faster decryption and signing by using the Chinese Remainder Theorem, it is considerably less secure since it enables side-channel attacks. This is a particular problem if implemented on smart cards, which benefit most from the improved efficiency. (Start with $y = x^e \bmod n$ and let the card decrypt that. So it computes $y^d \pmod p$ or $y^d \pmod q$, whose results give some value $z$. Now, induce an error in one of the computations. Then $\gcd(z - x, n)$ will reveal $p$ or $q$.)

Encryption

*Alice transmits her public key $(n, e)$ to *Bob and keeps the private key secret. Bob then wishes to send message $M$ to Alice.
He first turns $M$ into a number $m < n$ by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext $c$ corresponding to:

$c = m^e \bmod n$

This can be done quickly using the method of exponentiation by squaring. Bob then transmits $c$ to Alice.

Decryption

Alice can recover $m$ from $c$ by using her private key exponent $d$ by the following computation:

$m = c^d \bmod n$

Given $m$, she can recover the original message $M$.
The above decryption procedure works because first

$c^d \equiv (m^e)^d \equiv m^{ed} \pmod n$.

Now, $ed \equiv 1 \pmod{(p-1)(q-1)}$, and hence

$ed \equiv 1 \pmod{p-1}$ and
$ed \equiv 1 \pmod{q-1}$,

which can also be written as

$ed = 1 + h(p-1)$ and
$ed = 1 + k(q-1)$

for proper values of $h$ and $k$. If $m$ is not a multiple of $p$ then $m$ and $p$ are coprime because $p$ is prime; so by Fermat's little theorem

$m^{p-1} \equiv 1 \pmod p$

and therefore, using the first expression for $ed$,

$m^{ed} = m^{1 + h(p-1)} = m\,(m^{p-1})^h \equiv m \pmod p$.

If instead $m$ is a multiple of $p$, then

$m^{ed} \equiv 0 \equiv m \pmod p$.

Using the second expression for $ed$, we similarly conclude that

$m^{ed} \equiv m \pmod q$.

Since $p$ and $q$ are distinct prime numbers, they are relatively prime to each other, so the fact that both primes divide $m^{ed} - m$ implies their product $pq$ divides $m^{ed} - m$, which means

$m^{ed} \equiv m \pmod n$.

Thus,

$c^d \equiv m \pmod n$.

* names as an example
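The argument above, checked numerically. This is an added example, not code from the original post: textbook RSA on the constructed toy primes p = 61, q = 53 with e = 17 (far too small for real use), verifying each step of the proof for every message m in 0..n-1, including the case where m is a multiple of p or q. The function and variable names are this example's own.

```python
# Added example (not from the original post): textbook RSA on toy primes,
# checking each step of the correctness argument above. The primes, exponent
# and message below are constructed for illustration and far too small for
# real use; real keys are 2048 bits or more.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse: gcd(a, m) != 1")
    return x % m


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) with e*d == 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    n = p * q
    return (n, e), (n, modinv(e, phi))


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)          # c = m^e mod n


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)          # m = c^d mod n


def check_proof_steps(p, q, e):
    """Verify every claim of the argument for all m in [0, n).

    Returns the derived values for inspection: n, d, and the h, k with
    ed - 1 = h(p-1) = k(q-1).
    """
    (n, _), (_, d) = rsa_keygen(p, q, e)
    phi = (p - 1) * (q - 1)
    # ed = 1 (mod (p-1)(q-1)), hence ed - 1 = h(p-1) = k(q-1)
    assert (e * d - 1) % phi == 0
    h, r = divmod(e * d - 1, p - 1)
    assert r == 0
    k, r = divmod(e * d - 1, q - 1)
    assert r == 0
    for m in range(n):
        if m % p != 0:
            # Fermat's little theorem: m^(p-1) = 1 (mod p) when p does not divide m,
            # so m^(ed) = m * (m^(p-1))^h = m (mod p)
            assert pow(m, p - 1, p) == 1
            assert (m * pow(pow(m, p - 1, p), h, p)) % p == m % p
        # Both cases (p divides m or not) give m^(ed) = m (mod p); same for q.
        assert pow(m, e * d, p) == m % p
        assert pow(m, e * d, q) == m % q
        # p and q are distinct primes, so pq divides m^(ed) - m, i.e. m^(ed) = m (mod n)
        assert pow(m, e * d, n) == m
        # and therefore decryption inverts encryption
        assert decrypt((n, d), encrypt((n, e), m)) == m
    return {"n": n, "d": d, "h": h, "k": k}


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)
    print("public", pub, "private", priv)
    print("checked", check_proof_steps(61, 53, 17))
```

The exhaustive loop is only possible because n = 3233 is tiny; the point of the check is that the congruences hold for every residue, including m = 0 and the multiples of p and q that the Fermat step alone does not cover.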

Re: Security Alert [GPCODE.ak]

Post by luv.inspecta Sat Jun 07, 2008 7:45 am

oh god that was complicated abid bro ... u r a software engineer not me .... am a simple media man
but ye if there are more updates or precautions den do leme knw please
thnks alot for ur great contribution!

Re: Security Alert [GPCODE.ak]

Post by Guest Sat Jun 07, 2008 7:49 am

v.complicated ...!

yA! em gna b here luv! ... to provide news & updates regarding the gpcode.ak variant to all respected members

Re: Security Alert [GPCODE.ak]

Post by gym Sat Jun 07, 2008 9:02 am

why is kaspersky trying to decrypt a file ????
3072 encryption is being used and it has been recommended to use higher, why? because of security issues

it's only a presumption that if n = 2048 or larger the key will be broken
but the computer world works on no presumption. i think a person with a powerful computer can break 1024 bits. hackers have better knowledge than officials.
dude, 256 are broken in a few hours
nowadays rsa is rarely used in bank and financial transactions
Elliptic Curve Cryptography, ecc, is used widely in all security things

ECC requires much smaller keys than RSA to provide the equivalent security; also, ECC is extremely computationally efficient providing savings in terms of time, memory, bandwidth, and energy consumption.
finally a 256 bit ecc key is equivalent to a 3072 bit rsa key
now see the scene: is rsa secure?
good topic

Re: Security Alert [GPCODE.ak]

Post by Guest Sat Jun 07, 2008 9:32 am

ya! gYm...! here some more explanation for users to understand.. if someone can understand this complex thingy :P hehehe!
Benefits:
1. Compared to RSA: smaller key size for an equivalent amount of security.

Re: Security Alert [GPCODE.ak]

Post by luv.inspecta Sat Jun 07, 2008 9:35 am

well abid that is even more complicated now ... hehehe
sorry am complainin again n again ... but atleast sumthng is gettin in my head rather than havin nuthing in it about this virus stuff ....
thx alot for xplainin it more ... keep it up !

Re: Security Alert [GPCODE.ak]

Post by Guest Sat Jun 07, 2008 9:37 am

ya!... encryption-decryption sure is a very complex thingy...! lolzzZ ... well why not create a new thread if v gotta discuss RSA vs ECC :P ...

Re: Security Alert [GPCODE.ak]

Post by gym Sat Jun 07, 2008 10:17 am

inspecta i will try to make it clear
encrypt means to code a thing; encryption is coding related
in very layman terms, my hotmail address is encrypted, i decrypt it with a password
decrypt means opening a closed file (layman's definition)

now what u have to understand here dude
any security system, banking, financing, national security and online business vendors encrypt their data
there are two keys for this: one is for the users and one is theirs
to break that security u have to decrypt things which are encrypted
encryption power is measured in bits
the stronger the bits are, the more bandwidth and the more powerful a computer is required to illegally break the security which is coded in bits

if suppose u are a bank owner, u will encrypt ur data and savings in rsa or ecc
suppose i am a hacker, i want to hack u and u encrypted at 256 bits

this is the minimum bandwidth i will require to break ur security system

and for that i need a powerful computer

and now look at the graph below, it compares ecc with rsa
both are encrypting methods

the lower line on the horizontal axis shows ecc, look at that graph
the vertical line shows the keysize (power of encryption)


and see carefully

the ecc method achieves the same power of encryption at nearly 500 bits which rsa achieves at around 6000 bits
so less resources and bandwidth are needed in ecc to acquire the same security status which is obtained by rsa at high bandwidth


read that first then say thank ilove inspector cos i will ask u a question to confirm u understood or not