Trojan:W32/Gpcode

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:W32/Gpcode, Virus.Win32.Gpcode, Virus.Win32.Gpcode.b

Summary

Gpcode is a trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Note

F-Secure Anti-Virus is able to detect and decrypt files encrypted by the Gpcode trojan. To find and decrypt such files, please scan ALL files on the hard disk.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Basically, the trojan takes the user's files as hostages and asks for a ransom to "free" them, making this a form of ransomware.

The trojan's file is a PE executable about 56 kilobytes long, packed with the UPX file compressor.

Execution

After the trojan's file is run by a user, it creates a startup key for its file in the Windows Registry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "services"="[file name]"

where [file name] is the name of the trojan's file.

Activity

The trojan starts to scan local and remote drives for files with the following extensions:

  • .xls
  • .doc
  • .txt
  • .rtf
  • .zip
  • .rar
  • .dbf
  • .htm
  • .html
  • .jpg
  • .db
  • .db1
  • .db2
  • .asc
  • .pgp

When a file with any of these extensions is found, the trojan reads it into memory, encrypts the file's data with a simple algorithm and saves the encrypted data into a new file whose name is 'coder' + the original file's name (for example, for FILE.PGP the trojan creates CODERFILE.PGP). It then deletes the original file and renames the newly created file to the original file's name.

After that, the trojan creates a text file named ATTENTION!!!.TXT in the same folder as the encrypted file. This .txt file contains the following text:

  • Some files are coded.
  • To buy decoder mail: n781567@yahoo.com
  • with subject: PGPcoder 000000000032

All encrypted files begin with the following 21-byte text string:

  • PGPcoder 000000000032

The encryption algorithm is quite simple: the trojan applies an ADD operation to the original file's data using a single-byte encryption key. The initial value of the encryption key is 58 (0x3a), and after each byte of the original file's data is encrypted, the key is modified using two fixed byte values, 37 (0x25) and 92 (0x5c).
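As an added example that is not part of the original description or F-Secure's tool, the following Python scans a tree for targeted-extension files that carry the 21-byte marker and undoes the byte-wise ADD scheme. The page does not state the exact rule by which 0x25 and 0x5c update the key, so step_key is an assumed placeholder; TARGET_EXTS, scan_tree and demo are names introduced here, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

MARKER = b"PGPcoder 000000000032"                # 21-byte header, from the page
KEY_INIT, CONST_A, CONST_B = 0x3A, 0x25, 0x5C     # key values named on the page
TARGET_EXTS = {".xls", ".doc", ".txt", ".rtf", ".zip", ".rar", ".dbf", ".htm",
               ".html", ".jpg", ".db", ".db1", ".db2", ".asc", ".pgp"}

def step_key(key, i):
    """ASSUMED schedule: the page says only that the key is modified with the two
    constants after every byte; alternating them is a stand-in for the real rule."""
    return (key + (CONST_A if i % 2 == 0 else CONST_B)) & 0xFF

def keystream(n):
    key = KEY_INIT
    for i in range(n):
        yield key
        key = step_key(key, i)

def gpcode_encrypt(data):
    """Marker + byte-wise ADD of the running key; used here only to build sample data."""
    return MARKER + bytes((b + k) & 0xFF for b, k in zip(data, keystream(len(data))))

def gpcode_decrypt(blob):
    """Inverse: a data-independent ADD keystream is undone by SUB with the same
    stream, so recovering the exact schedule from a sample is all that is needed."""
    if not blob.startswith(MARKER):
        raise ValueError("no Gpcode marker")
    body = blob[len(MARKER):]
    return bytes((b - k) & 0xFF for b, k in zip(body, keystream(len(body))))

def scan_tree(root):
    """Return every targeted-extension file under root that starts with the marker."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            with path.open("rb") as f:
                if f.read(len(MARKER)) == MARKER:
                    hits.append(str(path))
    return sorted(hits)

def demo():
    """Constructed sample tree: one encrypted FILE.PGP next to an untouched notes.txt."""
    root = Path(tempfile.mkdtemp())
    secret = b"constructed plaintext for FILE.PGP"
    (root / "FILE.PGP").write_bytes(gpcode_encrypt(secret))
    (root / "notes.txt").write_bytes(b"plain text, never touched")
    hits = [Path(p).name for p in scan_tree(root)]
    return hits, gpcode_decrypt((root / "FILE.PGP").read_bytes()) == secret
```

Because the marker is a fixed plaintext prefix, a scan for it is a reliable indicator regardless of the key schedule; only the decryption step depends on the assumed rule.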

While the trojan scans local and remote drives, it keeps track of all folders and files it finds in the AUTOSAVE.SIN file, which it creates in a temporary folder.

After all files are encrypted, the trojan terminates its process and deletes its executable file, the AUTOSAVE.SIN file and its startup key from the Registry.