Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte.
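The quoted description implies a simple forensic signature: because the malware overwrites each file in place and encrypts only a leading portion starting at the first byte, a hit leaves a high-entropy, signature-less head followed by the original, untouched bytes. The triage script below checks exactly that. It is an added example, not code from the Kaspersky post or from anyone in this thread; the 4 KiB head window, the 7.5 bits/byte entropy threshold, the magic-byte table and the sample files are all assumptions or constructed inputs, since the post does not say how many bytes are encrypted.

```python
import math
import os

# Assumption (not from the post): how many leading bytes we treat as the "head".
# The post only says encryption starts at the first byte, not how far it goes.
HEAD_LEN = 4096
ENC_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, text near 4-5

# A few well-known file signatures. An encrypted head destroys these.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2/office97",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def magic_type(data: bytes):
    """Return the format name if the data starts with a known signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def triage_bytes(data: bytes, head_len: int = HEAD_LEN) -> dict:
    """Classify a file body by comparing its head against its tail.

    'partial-encryption-suspect' means: no known signature, ciphertext-like
    head, and a tail that still looks like plaintext, which is the pattern
    an in-place, head-only encryptor leaves behind.
    """
    head, tail = data[:head_len], data[head_len:]
    h_ent, t_ent = shannon_entropy(head), shannon_entropy(tail)
    kind = magic_type(head)
    if kind:
        verdict = "header-intact"
    elif h_ent >= ENC_THRESHOLD and tail and t_ent < h_ent - 1.0:
        verdict = "partial-encryption-suspect"
    elif h_ent >= ENC_THRESHOLD:
        # Could be encrypted, or simply a compressed format we have no magic for.
        verdict = "high-entropy-head"
    else:
        verdict = "unknown-format"
    return {"type": kind, "head_entropy": round(h_ent, 2),
            "tail_entropy": round(t_ent, 2), "verdict": verdict}


def triage_path(path: str, head_len: int = HEAD_LEN) -> dict:
    with open(path, "rb") as f:
        return triage_bytes(f.read(), head_len)


def scan_tree(root: str):
    """Yield (path, result) for every file under root that looks suspect."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                r = triage_path(p)
            except OSError:
                continue
            if r["verdict"] == "partial-encryption-suspect":
                yield p, r


# --- constructed sample inputs (not real victim files) ---------------------
PLAINTEXT = b"Quarterly report: revenue grew 4% on stable costs. " * 400


def sample_intact() -> bytes:
    # JPEG magic followed by a constructed low-entropy body.
    return b"\xff\xd8\xff\xe0" + PLAINTEXT


def sample_head_overwritten() -> bytes:
    # Stand-in for ciphertext: every byte value equally often (entropy 8.0),
    # written over the first HEAD_LEN bytes; the rest of the file is untouched.
    fake_ciphertext = bytes(range(256)) * (HEAD_LEN // 256)
    return fake_ciphertext + sample_intact()[HEAD_LEN:]


if __name__ == "__main__":
    for label, body in (("intact", sample_intact()),
                        ("head overwritten", sample_head_overwritten())):
        print(label, triage_bytes(body))
```

Run `scan_tree("/mnt/victim")` against a mounted image to list candidates. The tail check is only a heuristic: a file that was already compressed (or an unknown high-entropy format) lands in `high-entropy-head`, not in the suspect bucket, and a file shorter than the head window has no tail to compare. It also shows why carving tools such as PhotoRec do not help here: the original header bytes were overwritten in place rather than unlinked, so there is no deleted copy on disk to carve, although the untouched tail may still be worth extracting by hand for formats that tolerate a missing header.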
I've got one system here with this infection that I posted about on the Spyware forums with no luck/replies so far. Interestingly, though, my infection doesn't open a Notepad file; it appears to have overwritten the boot sector of the hard drive, but it appears to have come out at the same time as this one. I don't know if it's a variant or something that hasn't been found in the labs yet. If you're interested, there's a thread on the "Am I Infected" forum.
Edited by Zeromus-X, 30 November 2010 - 10:22 AM.