Virus.Win32.Gpcode.ak - .:: HVAOnline ::.

English | Vietnamese

Rules

Main Forum

Portal

Member Listing

Statistics

Search

Reading Room
[Register]

Login [ | https ]

Forum Index

Thảo luận virus, trojan, spyware, worm...

Virus.Win32.Gpcode.ak

[Question] Virus.Win32.Gpcode.ak	09/06/2008 11:58:21 (+0700) \| #1 \| 134739

Phuongdong
Advisor

Joined: 10/03/2003 17:46:03
Messages: 323
Offline

We've detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you're a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can't currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.

As I've said above, we've come across Gpcode before (see Blackmailer for the full story). Two years ago we were able to get the private key by detailed analysis of the data at our disposal. However, the maximum RSA key length we've been able to ‘crack’ to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm.

The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor. Gpcode.ak doesn't not repeat the errors found in previous versions of the virus. Back in 2006 when we detected the first versions of Gpcode to use RSA, this sounded an alarm: we warned that we wouldn't be able to help decrypt encrypted files if the virus writer implemented the RSA encryption algorithm correctly. It would be a case for law enforcement; encrypting files in this way is tantamount to a cybercriminal copying user files to his own machine, and deleting them from the user's infected machine without consent – an illegal action.

Once the virus has encrypted a user's files, it leaves the following text message along with the files it has encrypted:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com»

Unfortunately, at the time of writing it's still not clear how the virus spreads. To protect your machine, you should enable all components of whatever anti-malware protection that you have installed.

ATTENTION! If you see the following message on your computer:

...Then, in all probability, you have been attacked by Gpcode.ak. In this case, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.

Contact us by email stopgpcode@kaspersky.com and tell us the exact date and time of infection, as well everything you did on the computer in the 5 minutes before the machine was infected:

• which programs you have executed,
• which websites you have visited, etc.

We'll try and help you recover any data that has been encrypted.

Our analysts are continuing to analyze the virus code in search of a way of decrypting files without having the private key. In the meantime, do take extra care as you surf and read email. And if you see the above messages…do follow our instructions.

We'll be posting updates here when we have more news.

http://www.viruslist.com/en/weblog?weblogid=208187524
http://www.viruslist.com/en/alerts?alertid=203996088

[Question] Re: Virus.Win32.Gpcode.ak	09/06/2008 12:32:06 (+0700) \| #2 \| 134741

Merc
Member

Joined: 20/07/2004 06:21:59
Messages: 14
Offline

RSA 1024bits smilie

.

Thằng này hiểm quá trời luôn ^.^.

[Question] Re: Virus.Win32.Gpcode.ak	09/06/2008 21:22:35 (+0700) \| #3 \| 134750

kienmanowar
HVA Friend

Joined: 13/07/2004 05:57:34
Messages: 483
Offline

Unfortunately, at the time of writing it's still not clear how the virus spreads.

Con này hiểm thật, nó encrypt các file của người ta smilie

...

[Question] Re: Virus.Win32.Gpcode.ak	10/06/2008 12:04:38 (+0700) \| #4 \| 134834

tieuvuong_net
Member

Joined: 10/04/2004 19:48:33
Messages: 105
Location: The Dark
Offline

Bác PD quan tâm đến tình hình virus ác thật.

smilie

em chưa chạm trán chú nào kiểu này. Kiểu tống tiền này hiểm thật, tiếc là thông tin về dòng virus này mà Kas đề cập đến cũng chỉ đưa ra một thông báo rồi, nhắc gửi thư đến cho Kas...

[Question] Re: Virus.Win32.Gpcode.ak	13/06/2008 03:54:25 (+0700) \| #5 \| 135215

nguyenoanh_hkpro
Member

Joined: 23/05/2008 15:32:13
Messages: 13
Offline

RSA -1024-bit là 1 thuật toán mã hóa cực mạnh , rất khó có thể phá được.Hãng Kapersky ước tính cần phải có 15 triệu PC cao cấp vận hành liên tục trong khoảng một năm mới đủ sức phá được khóa bảo mật 1024-bit này.Kinh wa.hic.Nghe nói là cơ chế mã hóa của nó đã lên đến 4096-bit RSA.!!! Pó tay smilie

[Question] Re: Virus.Win32.Gpcode.ak	17/06/2008 00:48:17 (+0700) \| #6 \| 135799

thosan91
Member

Joined: 07/04/2008 19:47:49
Messages: 6
Offline

em đọc tiếng Anh không hiểu gì hết nhưng em muốn hiểu sâu hơn có ai giải thích cho em không?
Có thể sử dụng con này không. Có ai chỉ em học về trojan không? Cho em vài con dùng thử!!!!!!!!! smilie

[Question] Re: Virus.Win32.Gpcode.ak	17/06/2008 09:35:22 (+0700) \| #7 \| 135919

K4i
Moderator

Joined: 18/04/2006 09:32:13
Messages: 635
Location: Underground
Offline

nguyenoanh_hkpro wrote:

RSA -1024-bit là 1 thuật toán mã hóa cực mạnh , rất khó có thể phá được.Hãng Kapersky ước tính cần phải có 15 triệu PC cao cấp vận hành liên tục trong khoảng một năm mới đủ sức phá được khóa bảo mật 1024-bit này.Kinh wa.hic.Nghe nói là cơ chế mã hóa của nó đã lên đến 4096-bit RSA.!!! Pó tay

hì, RSA 1024 mà bị phá thì hạ tầng an ninh của Internet chắc sẽ có sự thay đổi lớn.
Câu trả lời, duy nhất là duyệt web bằng linux, trong thời buổi loạn lạc nhiễu nhương này smilie

Sống là để không chết chứ không phải để trở thành anh hùng

[Question] Re: Virus.Win32.Gpcode.ak	20/06/2008 14:45:43 (+0700) \| #8 \| 136546

war3zl33ch3r
Member

Joined: 29/12/2007 03:43:31
Messages: 7
Offline

K4i wrote:

Câu trả lời, duy nhất là duyệt web bằng linux, trong thời buổi loạn lạc nhiễu nhương này

Em vẫn dùng Windows, không có AV, cũng chẳng có FW. Lâu lắm ko gặp virus, bác nào có Gpcode sample up lên em tham khảo với smilie

Phuongdong wrote:

We've detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you're a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.

Dữ liệu quan trọng không encrypt, backup thường xuyên mà dính con này đành phải chịu thôi.
Có thêm một bài học đắt giá, lần sau sẽ cẩn thận hơn smilie

[Question] Re: Virus.Win32.Gpcode.ak	22/06/2008 03:13:45 (+0700) \| #9 \| 136803

lamhoang20002000
Member

Joined: 03/04/2005 16:32:02
Messages: 52
Offline

@K4i: nghe có lý, linux ít bị dính virus. Có điều Linux không thông dụng và không dễ sử dụng như Windows.

Go to:

Users currently in here
1 Anonymous