New Gpcode version detected. Ransomware strikes again
A dangerous breed of malware skilled in cryptographic techniques is back under the spotlight. Trend Micro has spotted in the wild a new variant of Gpcode, the trojan that since 2005 has taught everybody the meaning of the word ransomware: a type of malware expressly designed to encrypt the user's data files and then demand a money ransom to restore them.
The new specimen, detected by researcher Ivan Macalintal on November 27, has been classified by Trend Micro as TROJ_RANDSOM.A and initially neutralized through the Smart Protection Network, a proactive cloud-based defense backed by an online threat database. The trojan targets Windows operating systems (excluding Vista and Server 2008) and enters the system via compromised Web pages or by being dropped by other malware. Once executed, it displays a screen that imitates the typical error message Windows shows after an application crash.

Behind the scenes the trojan works to gain control of the OS, creating the following entries in the Windows Registry so that it is launched at every boot of the PC:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6A0-OTRV-U5KH-S1UE-E0BC10B4E666}
StubPath = "%Windows%\UNINSTLV16.exe"
The new Gpcode then drops several components and configuration files into the subfolder "torn" under the Windows program files folder, some harmless and others detected as TROJ_RANDSOM.A by Trend Micro. Once it has taken root in the system, the trojan immediately starts scanning all writable drives, encrypting the files it finds and renaming them with the extension ".xnc". A file named "READ THIS.TXT", containing the instructions for getting the data back, is then copied into every folder that holds encrypted files.
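As an added illustration, not part of the original post or of Trend Micro's tooling, here is a Python check for the two footprints described above: the Active Setup "Installed Components" entry (whose StubPath is run at logon) parsed from a .reg export, and folders holding ".xnc" files next to "READ THIS.TXT". The sample export and the victim-like folder tree are constructed test data; the component ID and the UNINSTLV16.exe name are the ones quoted in the post, and the benign entry is a placeholder.

```python
import os
import re
import tempfile

ENCRYPTED_EXT = ".xnc"          # extension given to encrypted files
RANSOM_NOTE = "READ THIS.TXT"   # note dropped next to them
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup"
                    r"\\Installed Components\\(\{[^}]+\})\]$", re.IGNORECASE)

def scan_tree(root):
    """Map each folder showing the footprint to (encrypted file count, note present)."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        n_enc = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.upper() == RANSOM_NOTE for f in files)
        if n_enc or has_note:
            hits[folder] = (n_enc, has_note)
    return hits

def suspicious_active_setup(reg_export, stub_name="UNINSTLV16.exe"):
    """From a .reg export, list (component id, StubPath) entries that launch stub_name."""
    hits, current = [], None
    for line in reg_export.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.startswith('"StubPath"='):
            # .reg files escape backslashes inside string values
            path = line.split("=", 1)[1].strip().strip('"').replace("\\\\", "\\")
            if path.rsplit("\\", 1)[-1].lower() == stub_name.lower():
                hits.append((current, path))
    return hits

# Constructed sample export: a benign placeholder entry plus the one described in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\system32\\benign-placeholder.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6A0-OTRV-U5KH-S1UE-E0BC10B4E666}]
"StubPath"="C:\\Windows\\UNINSTLV16.exe"
"""

def demo():
    """Build a constructed victim-like tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.doc.xnc", "budget.xls.xnc", RANSOM_NOTE):
            open(os.path.join(docs, name), "w").close()
        folders = {os.path.relpath(k, root): v for k, v in scan_tree(root).items()}
    return folders, suspicious_active_setup(SAMPLE_REG)
```

On a real machine you would feed scan_tree the drive roots and suspicious_active_setup the output of a registry export of the Active Setup key.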
Trend Micro does not specify which file types the new Gpcode variant targets, but judging from the standard behaviour of the whole malware family it is reasonable to expect the most common document and spreadsheet formats (.doc, .xls, …), archives (.zip) and images (.jpg). The encryption algorithm is unknown as well, so it is currently impossible to say whether TROJ_RANDSOM.A is as dangerous as Virus.Win32.Gpcode.ak, the variant detected by Kaspersky in June 2008 that caused such a stir by using the RSA algorithm with 1024-bit keys.
What is certain is that the ransom demanded by the malware authors amounts to 307 dollars, in exchange for which victims of the new Gpcode are supposed to receive a tool to recover the encrypted data. How can users defend themselves against this threat? TrendLabs, the official Trend Micro blog, merely recommends that users "back up files so as not to be victimized by ransomware". A rather thin remedy, and a clear symptom of the fact that antivirus software is, at the current state of technology, almost completely blunted against the risk posed by cryptoviruses.