Kaspersky Lab has detected the latest version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.

Virus.Win32.Gpcode.ai, which was detected last week, uses a complex encryption algorithm to encrypt user files and archives, making it impossible to open them. It will then drop a file titled “read_me.txt” to the victim’s machine, which contains the following text:

Hello, your files are encrypted with RSA-4096 algorithm(http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: xxxxxxx@xxxxx.com and provide us your personal code – xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

Glamorous team

The virus also creates a hidden folder called “wsnpoem” in the Windows system directory, which contains two empty files: “video.dll” and “audio.dll”. To remove the virus, users must:

1. Modify the registry value that loads the malicious module by appending any character to the end of the module’s file name, so that it is no longer started at logon.

For example: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “UserInit” = “%System%\userinit.exe, %System%\ntos.exe_”

2. Reboot the computer.
3. Manually delete the following file from the Windows system directory: ntos.exe
4. If the malicious program has encrypted files on your machine, you can use Kaspersky Lab’s free utility to decrypt them.
5. And finally, update your antivirus databases and perform a full scan of the computer.
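The following PowerShell script is an added example, not code from the article or from Kaspersky Lab. It checks a Windows host for the indicators the removal steps above rely on (the extra UserInit entry, ntos.exe, the hidden wsnpoem folder and the read_me.txt note) and only reports what it finds; it assumes the ransom note may sit anywhere under the current user’s profile, which the article does not state.

```powershell
# Added example (not from the original article): read-only check for the
# Gpcode.ai artifacts described above. Reports findings, changes nothing.
$findings = @()
$sys = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

# 1. Winlogon UserInit should normally reference only userinit.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userInit = (Get-ItemProperty -Path $winlogon -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
if ($userInit) {
    # The value is comma-separated and usually ends with a trailing comma
    $entries = $userInit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = $entries | Where-Object { (Split-Path $_ -Leaf) -ine 'userinit.exe' }
    foreach ($e in $extra) { $findings += "Unexpected UserInit entry: $e" }
}

# 2. Dropped module and hidden folder in the system directory
$ntos = Join-Path $sys 'ntos.exe'
if (Test-Path $ntos) { $findings += "Found $ntos" }
$wsnpoem = Join-Path $sys 'wsnpoem'
if (Test-Path $wsnpoem) {
    $attrs = (Get-Item $wsnpoem -Force).Attributes   # -Force also shows hidden items
    $findings += "Found folder $wsnpoem (attributes: $attrs)"
    foreach ($f in 'video.dll', 'audio.dll') {
        if (Test-Path (Join-Path $wsnpoem $f)) { $findings += "  contains $f" }
    }
}

# 3. Ransom notes: assumed location is the user profile (not stated in the article)
$notes = Get-ChildItem -Path $env:USERPROFILE -Filter 'read_me.txt' -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { Select-String -Path $_.FullName -Pattern 'Glamorous team' -Quiet }
foreach ($n in $notes) { $findings += "Ransom note: $($n.FullName)" }

if ($findings.Count -eq 0) { 'No Gpcode.ai indicators found.' } else { $findings }
```

Run it from an elevated prompt so the Winlogon key and the system directory are readable; the recursive search of the profile can take a while on large profiles.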

If your files have been encrypted by Gpcode, Kaspersky Lab strongly recommends that you do not pay the creators of this virus, as this will encourage further crime. Antivirus solutions are able to deal with the issue and restore encrypted data to its original form.

Visit the Viruslist website to get a full description of the Gpcode Virus.
