KASPERSKY ESCALATES WARNING TO SEVERE RISK
Kaspersky Lab has received reports of yet another variant of GpCode, the cyberblackmail virus: Virus.Win32.GpCode.af. This new variant is currently spreading on the Russian Internet. It encrypts user files; the author then demands money for decrypting the files.
This latest variant differs from the one that appeared last Thursday in that it uses a stronger encryption key: a 330-bit RSA key rather than the 260-bit RSA key the previous variant used.
Kaspersky Lab strongly recommends that anyone who has had files encrypted should contact the Virus Lab. Under no circumstances should users give in to blackmail, as this will encourage the authors of this program to create new versions.
TECHNICAL DETAILS OF THE AE VERSION (RSA 260 bit)
This malicious program encrypts files on the victim machine. The virus itself is a Windows PE EXE file approximately 62KB in size, packed using UPX. The unpacked file is approximately 134KB in size. This program was spammed throughout the Russian Internet. Once launched, the virus will encrypt files which it finds on the victim machine.
Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files. A file called 'readme.txt' is created in each folder where encrypted files are located. The file contains the following text:
Some files are coded by RSA method.
To buy decoder mail: ***** @ mail . ru
with subject: REPLY
The email address shown may differ between modifications of this virus. If contacted by the user, the author of the program will demand payment for decrypting the encrypted files.
KASPERSKY WEBLOG ENTRIES
In comparison to the previous variant, GpCode.ae, which we detected last week, this new variant uses a stronger encryption key (RSA 330 bit); this makes it more difficult for our virus analysts to develop a decryption routine. However, we've been successful, and we have added detection and decryption for infected files to our antivirus databases.
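As an added illustration (not from the original advisory, and not Kaspersky's actual method, which the page does not describe), the toy script below shows why the key length decides whether analysts can recover files without paying: with a short RSA modulus, the private exponent can be rebuilt from the public key alone by factoring the modulus. The primes 1000000007 and 998244353 and the exponent 65537 are constructed values giving a ~60-bit modulus; the 260- and 330-bit keys on this page already demand far more effort, and modern key sizes put factoring out of reach.

```python
import math
import random

# Constructed toy key: two 30-bit primes (not the malware's real key, which the
# advisory does not publish). Small enough that factoring takes well under a second.
TOY_P = 1000000007
TOY_Q = 998244353
TOY_N = TOY_P * TOY_Q          # ~60-bit modulus; GpCode used 260 and 330 bits
TOY_E = 65537


def pollard_rho(n):
    """Return a non-trivial factor of the composite n using Pollard's rho."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # cycle closed without a factor: retry with a new constant
            return d


def recover_private_exponent(n, e):
    """Rebuild d from the public key alone: factor n, then invert e mod phi(n)."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def recover_plaintext(c, n, e):
    """What a defender can do when the modulus is short: decrypt without the author's key."""
    return rsa_decrypt(c, n, recover_private_exponent(n, e))


if __name__ == "__main__":
    message = 123456789                       # a constructed file block as an integer
    ciphertext = rsa_encrypt(message, TOY_N, TOY_E)
    print("recovered:", recover_plaintext(ciphertext, TOY_N, TOY_E) == message)
```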
Users who have been infected by GpCode.af should download the latest antivirus databases and fully scan their computers.
One point that we want to stress: at the moment, we're still not 100% sure how this virus penetrates victim computers. You should exercise maximum caution: don't launch files that you receive via email, and ensure that your operating system and browser are fully patched.
Finally, back up your data on a regular basis. Then if the worst ever does happen - and we hope it won't - you'll still have a copy of whatever you were working on.