LoroBot Ransomware Unlock Price $100
Published: October 27 2009, 02:19 AM by Zarestel Ferrer

[Figure 1 – Image file used by the ransomware to replace the desktop wallpaper]
If your desktop wallpaper has been changed to the image above and your document files have become unusable, it is more than likely that your system has been infected by ransomware.

[Figure 2 – API call and parameters used to change desktop wallpaper]
This ransomware searches the infected system for document files with the following file extensions:
- .zip
- .rar
- .pdf
- .rtf
- .txt
- .jpg
- .jpeg
- .waw
- .mp3
- .db
- .xls
- .docx
- .xlsx
- .doc

It then encrypts these files using the XOR instruction with a set of four dword XOR keys: 0xC9936BCA, 0xDFBFC061, 0x46493347, 0x46AE8FCC.

[Figure 3 – Encryption routine]
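Because XOR with a fixed key is its own inverse and the keys are hard-coded in the malware, a victim's files can be recovered without any help from the attacker, which is what makes a decryptor possible for this family. The following Python is an added example written for this post, not CA's decryptor or code taken from the sample; it assumes the four keys are applied cyclically to consecutive little-endian dwords of each file (the write-up does not state the exact key schedule) and uses a constructed PDF-like byte string as input.

```python
import struct
from typing import Sequence

# Dword XOR keys quoted in the write-up. The cyclic, dword-by-dword key
# schedule below is an assumption for this example; the page does not
# describe how the sample walks the keys.
LOROBOT_KEYS = (0xC9936BCA, 0xDFBFC061, 0x46493347, 0x46AE8FCC)


def xor_dwords(data: bytes, keys: Sequence[int] = LOROBOT_KEYS) -> bytes:
    """XOR each 4-byte little-endian dword of `data` with the next key in the cycle.

    XOR is self-inverting, so applying this function twice with the same keys
    returns the original bytes: "encrypt" and "decrypt" are the same operation.
    A trailing partial dword is XORed byte-wise with the low bytes of the
    current key (also an assumption; the page says nothing about short tails).
    """
    out = bytearray(len(data))
    nkeys = len(keys)
    full = len(data) // 4
    for i in range(full):
        word = struct.unpack_from("<I", data, i * 4)[0]
        struct.pack_into("<I", out, i * 4, word ^ keys[i % nkeys])
    tail = len(data) - full * 4
    if tail:
        key_bytes = struct.pack("<I", keys[full % nkeys])
        for j in range(tail):
            out[full * 4 + j] = data[full * 4 + j] ^ key_bytes[j]
    return bytes(out)


def recover_file(encrypted: bytes, keys: Sequence[int] = LOROBOT_KEYS) -> bytes:
    """Undo the XOR pass; identical to xor_dwords because XOR is an involution."""
    return xor_dwords(encrypted, keys)


def looks_like_known_format(data: bytes) -> bool:
    """Cheap sanity check a responder can run on a recovered file before trusting
    it: does the header carry a well-known magic for one of the targeted types?
    (zip, rar, pdf, rtf, jpeg, mp3 with ID3 tag, legacy Office compound file)"""
    magics = (
        b"PK\x03\x04",          # .zip / .docx / .xlsx
        b"Rar!\x1a\x07",        # .rar
        b"%PDF",                # .pdf
        b"{\\rtf",              # .rtf
        b"\xff\xd8\xff",        # .jpg / .jpeg
        b"ID3",                 # .mp3 with ID3v2 tag
        b"\xd0\xcf\x11\xe0",    # .doc / .xls (OLE compound file)
    )
    return any(data.startswith(m) for m in magics)


if __name__ == "__main__":
    # Constructed sample input, not a real document.
    sample = b"%PDF-1.4\n% constructed sample document\n"
    damaged = xor_dwords(sample)
    print("header recognised after XOR pass:", looks_like_known_format(damaged))
    restored = recover_file(damaged)
    print("header recognised after recovery:", looks_like_known_format(restored))
    print("round trip intact:", restored == sample)
```

The magic-number check is the useful part for a responder: run the recovery over a copy of each file named in CryptLogFile.txt, keep the result only if the header now matches the extension, and never overwrite the originals until every file has been verified.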
Added files
It creates a file, CryptLogFile.txt, in the Windows directory listing every file it encrypted. It also creates the file below:

[Translation in English: C:\Read me - how to decrypt files.txt]
This file contains the message below, which is displayed to the user as soon as the ransomware has finished encrypting the user's files.

[Figure 4 - Ransomware message]
CA detects this ransomware as Win32/Gpcode.J.
If you have been victimized by this ransomware, we provide a tool to decrypt the encrypted files. You can download the Win32/Gpcode.J decryptor here.
As usual, please keep your CA security products updated to help protect your system from this kind of malware.