Kaspersky Lab has detected the latest version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.
The message demanding payment reads: “Hello, your files are encrypted with RSA-4096 algorithm(http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: firstname.lastname@example.org and provide us your personal code – xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.”
The virus also creates a hidden folder called “wsnpoem” in the Windows system directory, which contains two empty files: “video.dll” and “audio.dll”. To remove the malware, users must:
1. Modify the system registry value that launches the malicious module at logon by appending any character to the end of the module’s file name, so that Windows can no longer find and start it.
For example: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “UserInit” = “%System%\userinit.exe, %System%\ntos.exe_”
2. Reboot the computer.
3. Manually delete the following file from the Windows system directory: ntos.exe
4. If the malicious program has encrypted files on your machine, you can use Kaspersky Lab’s free utility to decrypt them.
5. Finally, update your antivirus databases and perform a full scan of the computer.
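As an added example (not Kaspersky Lab’s utility and not code from the original article), the following Python script automates step 1 of the clean-up: it reads the Winlogon UserInit value, flags every entry other than userinit.exe, and, when run with --apply on Windows, appends an underscore to the flagged entries exactly as the manual instruction describes. The sample UserInit strings used to exercise it are constructed.

```python
"""Audit a Winlogon UserInit value for a hijacked loader entry and neutralise it."""
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# A stock UserInit value names only userinit.exe (a trailing comma is normal).
LEGIT_BASENAMES = {"userinit.exe"}


def audit_userinit(value: str) -> tuple[list[str], str]:
    """Split the comma-separated UserInit value into entries.

    Returns (suspicious_entries, neutralised_value). Any entry whose file name is
    not a known legitimate loader is reported, and in the neutralised value it gets
    a trailing '_' so Winlogon can no longer start it (the page's step 1).
    """
    suspicious, rebuilt = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # ntpath handles Windows separators even when audited on another OS.
        basename = ntpath.basename(entry.strip('"')).lower()
        if basename in LEGIT_BASENAMES:
            rebuilt.append(entry)
        else:
            suspicious.append(entry)
            rebuilt.append(entry + "_")
    return suspicious, ",".join(rebuilt) + ","


def main(apply: bool = False) -> int:
    """Read the live value; with apply=True rewrite it. Exit 0 clean, 1 hit, 2 error."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        print("winreg unavailable: run this on the infected Windows machine", file=sys.stderr)
        return 2
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        current, _ = winreg.QueryValueEx(key, "UserInit")
    suspicious, fixed = audit_userinit(current)
    if not suspicious:
        print("UserInit looks clean:", current)
        return 0
    print("Suspicious UserInit entries:", suspicious)
    if apply:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "UserInit", 0, winreg.REG_SZ, fixed)
        print("Rewrote UserInit to:", fixed, "- now reboot and delete the module (steps 2-3).")
    return 1


if __name__ == "__main__":
    sys.exit(main(apply="--apply" in sys.argv))
```

Run it first without --apply to see what would change; the rewrite needs an administrative prompt because the Winlogon key lives under HKEY_LOCAL_MACHINE.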
If your files have been encrypted by Gpcode, Kaspersky Lab strongly recommends that you do not pay the creators of this virus, as this only encourages further crime. Antivirus solutions are able to deal with the issue and restore encrypted data to its original form.
Visit the Viruslist website to get a full description of the Gpcode Virus.