Variant of blackmailing virus spreading on Internet

Another blackmailing virus. Oh, how lovely - NOT

by Michael Smith (Veshengro)

Security software firm Kaspersky Lab is alerting computer users everywhere to a new variant of Gpcode, a dangerous blackmailing encryptor virus.

The Virus.Win32.Gpcode.ak malware encrypts users' files with various extensions, including .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more, using an RSA encryption algorithm with a 1024-bit key, and that is a lot.

Kaspersky Lab itself added a virus signature to block Virus.Win32.Gpcode.ak in early June 2008.

Kaspersky Lab says it has succeeded in thwarting previous variants of Gpcode by cracking the private key held by the attackers.

However, the author of the new Gpcode variant has taken two years to improve the virus: previous errors have been fixed, and the key has been lengthened to 1024 bits instead of the original 660, which was crackable.

So far, it would appear that Kaspersky have been unable to decrypt files encrypted by Gpcode.ak, since the key is 1024 bits long and no errors have yet been found in the implementation. That means, according to Kaspersky, that at present the only way to decrypt the encrypted files is to use the private key which, unfortunately, only the author of the virus has.

After Gpcode.ak encrypts files on the victim's machine, it changes the extension of these files to ._CRYPT, and places a text file named !_READ_ME_!.txt in the same folder.

In the text file the criminal tells the victims that their files have been encrypted and offers to sell them a decryptor: "Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********"
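The two artifacts described above (the ._CRYPT extension and the !_READ_ME_!.txt note) are enough to locate affected folders on a disk. The following scanner is an added example, not code from Kaspersky Lab or from this article's author; the function names and the sample directory tree are constructed for illustration, and it assumes the ._CRYPT marker is appended to the original file name.

```python
import os
import tempfile
from collections import Counter

CRYPT_SUFFIX = "._CRYPT"         # extension given to encrypted files (from the article)
RANSOM_NOTE = "!_READ_ME_!.txt"  # note dropped beside them (from the article)

def scan(root):
    """Return {folder: {...}} for every folder under root holding Gpcode.ak artifacts."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        # Compare case-insensitively, as Windows file systems do.
        encrypted = sorted(f for f in files if f.upper().endswith(CRYPT_SUFFIX))
        note = any(f.lower() == RANSOM_NOTE.lower() for f in files)
        if encrypted or note:
            # Both artifacts together match the article's description; one alone is weaker.
            confidence = "high" if (encrypted and note) else "low"
            findings[folder] = {"note": note, "encrypted": encrypted, "confidence": confidence}
    return findings

def original_extensions(findings):
    """Tally the original extensions of affected files, to size up what was hit."""
    counts = Counter()
    for info in findings.values():
        for name in info["encrypted"]:
            # Assumption: the marker is appended to the original name (report.doc._CRYPT).
            ext = os.path.splitext(name[:-len(CRYPT_SUFFIX)])[1].lower()
            counts[ext or "(unknown)"] += 1
    return counts

def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demonstration."""
    layout = {
        "docs": ["report.doc._CRYPT", "notes.txt._CRYPT", RANSOM_NOTE],
        "src": ["main.cpp._CRYPT", "util.h"],      # marker but no note
        "clean": ["photo.jpg", "budget.xls"],      # untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan(tmp)
        for folder, info in sorted(result.items()):
            print(info["confidence"], os.path.relpath(folder, tmp), info["encrypted"])
        print(dict(original_extensions(result)))
```

Run against a backup or a mounted copy of the disk, the per-extension tally shows which kinds of documents need restoring.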

Kaspersky Lab is still working on a way to recover data that has been encrypted without having to use the criminal's decryptor. Let's hope that they will do so and, in addition, that those criminals get caught.

Beyond that, what can one do? Even the best anti-virus software is, and always will be, one step behind the virus writers and criminals.

Personal vigilance as to where one goes and what email one opens is important, and more often than not it is the bad email habits of users that bring them those lovely viruses and Trojans. However, Trojans sometimes come packaged in different ways, even where the user would not suspect them to be.

See my article “Viruses and Trojans in Trusted Downloads” on how easy it is to have such things reach your computer.

© M Smith (Veshengro), June 2008