Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Gpcode.af - Encrypts Pc Files And Holds User Hostage

  • Please log in to reply
No replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:05:45 PM

Posted 06 June 2006 - 12:21 PM

GpCode.af is a brand new virus variant that uses RSA 330 bit encryption to hold user hostage. As Kaspersky recommends infected users should not send email or payments to these malicious individuals to decrypt files.


Kaspersky Lab has received reports of yet another variant of GpCode, the cyberblackmail virus- Virus.Win32.GpCode.af. This new variant is currently spreading on the Russian Internet. It encrypts user files; the author then demands money for decrypting the files.

This latest variant differs from the one that appeared last Thursday in that it uses a more secure encryption algorithm - RSA 330 bit rather than the RSA 260 bit key the previous variant used.

Kaspersky Lab strongly recommends that anyone who has had files encrypted should contact the Virus Lab. Under no circumstances should users give in to blackmail, as this will encourage the authors of this program to create new versions.

TECHNICAL DETAILS of AE version (RSA 260 bit version)

This malicious program encrypts files on the victim machine. The virus itself is a Windows PE EXE file approximately 62KB in size, packed using UPX. The unpacked file is approximately 134KB in size. This program was spammed throughout the Russian Internet. Once launched, the virus will encrypt files which it finds on the victim machine.

Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files. A file called 'readme.txt' is created in folders where encrypted files are located. The file contains the following text

Some files are coded by RSA method.
To buy decoder mail: ***** @ mail . ru
with subject: REPLY

The email address shown may differ from modification to modification of this virus. If contacted by the user, the author of the program will demand payment for decrypting the encrypted files.


In comparison to the previous variant, GpCode.ae, which we detected last week, this new variant uses a stronger encryption algorithm (RSA 330 bit); this makes it more difficult for our virus analysts to develop decryption. However, we've been successful, and we added detection and decryption for infected files to our antivirus databases.

Users who have been infected by GpCode.af should download the latest antivirus databases and fully scan their computers.

One point that we want to stress: at the moment, we're still not 100% sure how this virus penetrates victim computers. You should exert maximum caution: don't launch files that you receive via email, and ensure that your operating system and browser is fully patched.

Finally, back up your data on a regular basis. Then if the worst ever does happen - and we hope it won't - you'll still have a copy of whatever you were working on.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users