Gpcode.ak vs. CWSandbox

Recently, researchers from Kaspersky Lab detected a new variant of Gpcode. Gpcode is a form of ransomware, a particularly nasty kind of malware used in extortion attempts. The basic idea behind such malware is to encrypt selected files on the victim's hard disk with a key known only to the attacker, and then blackmail the victim into paying for their recovery.

Upon startup, Gpcode.ak searches the disk for files with specific extensions (for example .htm, .jpg, and .inc) and encrypts them with a 1024-bit RSA key. Each encrypted file is renamed to $ORIGINAL._CRYPT. Once this is finished, the malware displays a pop-up with the following text:
Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: cipher4000@yahoo.com

Furthermore, a file named !READ_ME!.txt is created on the disk, containing the following text:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: cipher4000@yahoo.com

Kaspersky Lab has called for aid to "Help crack Gpcode", but I doubt that cracking this key will be successful. Dancho has some more info on Gpcode.ak in his blog. Furthermore, the full CWSandbox report is available.
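As an added example (not code from the original post, from Kaspersky Lab or from CWSandbox), the following Python scanner looks for the on-disk traces described above: files whose original name has ._CRYPT appended and a !READ_ME!.txt note carrying the ransom text. The targeted-extension list is the partial one given in the post, and the alert threshold and the sample directory are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post names as examples of what Gpcode.ak encrypts (partial list).
TARGET_EXTS = {".htm", ".jpg", ".inc"}
CRYPT_SUFFIX = "._CRYPT"          # appended to the original name: report.htm -> report.htm._CRYPT
NOTE_NAME = "!READ_ME!.txt"       # ransom note dropped on disk
NOTE_MARKER = "Your files are encrypted with RSA-1024 algorithm."

def scan_tree(root):
    """Walk root and collect Gpcode.ak-style indicators: renamed files and ransom notes."""
    hits = {"crypt_files": [], "targeted_ext": 0, "ransom_notes": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if NOTE_MARKER in fh.read(4096):
                            hits["ransom_notes"] += 1
                except OSError:
                    pass
            elif name.endswith(CRYPT_SUFFIX):
                original = name[: -len(CRYPT_SUFFIX)]
                hits["crypt_files"].append(name)
                # The original extension is still visible in front of ._CRYPT.
                if os.path.splitext(original)[1].lower() in TARGET_EXTS:
                    hits["targeted_ext"] += 1
    return hits

def verdict(hits, min_files=3):
    """Flag only when several renamed files appear together with the ransom note (assumed threshold)."""
    return hits["ransom_notes"] > 0 and len(hits["crypt_files"]) >= min_files

def build_sample_tree(infected=True):
    """Constructed sample directory; infected=True mimics the post-encryption state."""
    docs = os.path.join(tempfile.mkdtemp(prefix="gpcode_demo_"), "docs")
    os.makedirs(docs)
    names = ["index.htm", "photo.jpg", "backup.db", "notes.txt"]
    if infected:
        # Three files "encrypted" (renamed), notes.txt left alone, note dropped beside them.
        names = [n + CRYPT_SUFFIX for n in names[:3]] + names[3:]
        Path(docs, NOTE_NAME).write_text(NOTE_MARKER + "\n", encoding="utf-8")
    for n in names:
        Path(docs, n).write_bytes(b"constructed sample content")
    return os.path.dirname(docs)
```

Running `verdict(scan_tree(build_sample_tree()))` returns True for the constructed infected tree and False for `build_sample_tree(infected=False)`; point `scan_tree` at a real share to use it as a cheap post-incident triage check.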
