We call it RANSOMWARE: look out!
Published: June 09 2008, 04:35 PM by Rossano Ferraris
The problem is not a new one; however, the research community has found a new variant of the fearful GPCODE
malware. To be precise, we call it "ransomware" (http://en.wikipedia.org/wiki/Ransomware_%28malware%29).
The new GPCODE variant uses 1024-bit encryption to lock down all data on an infected hard drive, and to date,
it is surely the worst one.
This is what I obtained when I ran the malware in my laboratory:

This popup displays a message that says your files are encrypted with a 1024-bit key, and what I observed is
that every document file (.txt, .doc, .pdf) is encrypted, as shown in the image below. My PDF document for the
Linksys AG241 router setting is not readable anymore.

The extension added to your document files is ._CRYPT.
According to the message, you need to buy a decryptor tool to decrypt all your documents, and the Yahoo
email address through which you buy the tool is random, so you cannot take action against the owner of the
email address.
Recommendations: