Win32/Gpcode [Threat Name]

Win32/Gpcode.NAI [Threat Variant Name]

Category trojan
Size 200704 B
Detection created Sep 16, 2012
Detection database version 7483
Aliases Trojan-Ransom.Win32.Crypren.pjx (Kaspersky)
  Ransom:Win32/Fortrypt.A (Microsoft)
  Trojan.PWS.Stealer.15571 (Dr.Web)
Short description

Win32/Gpcode.NAI is a trojan that encrypts files on fixed, removable and network drives.

Installation

The trojan may create copies of itself in the folder:

  • %programfiles%

The following filename is used:

  • file.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%programfiles%\file.exe"

This causes the trojan to be executed on every system start.


The trojan creates the following file:

  • %temp%\%variable2% (91648 B)

The file is then executed.


The trojan executes the following files:

  • %malwarefilepath%

The trojan creates and runs a new thread with its own code within these running processes.


The trojan quits immediately if the executable file path contains one of the following strings:

  • appd

A string with variable content is used instead of %variable1-2%.

Payload information

Win32/Gpcode.NAI is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • *.0??
  • *.1cd
  • *.3fr
  • *.3gp
  • *.7z
  • *.?ar
  • *.abk
  • *.accdb
  • *.adf
  • *.ai
  • *.arc
  • *.arj
  • *.arw
  • *.ashbak
  • *.ashdisk
  • *.avi
  • *.ba?
  • *.backup
  • *.bk?
  • *.bmp
  • *.bup
  • *.cdr
  • *.cdx
  • *.cer
  • *.cf
  • *.cfu
  • *.cr?
  • *.cs?
  • *.da?
  • *.dbf
  • *.dcr
  • *.der
  • *.dic
  • *.divx
  • *.djvu
  • *.dng
  • *.doc
  • *.doc?
  • *.dt
  • *.dwg
  • *.dx?
  • *.e?f
  • *.efd
  • *.eps
  • *.er?
  • *.fbw
  • *.fh
  • *.flv
  • *.frp
  • *.gh?
  • *.gif
  • *.gzip
  • *.hbi
  • *.hdb
  • *.htm
  • *.html
  • *.ifo
  • *.img
  • *.indd
  • *.iso
  • *.iv2i
  • *.jpeg
  • *.jpg
  • *.kdc
  • *.key
  • *.kwm
  • *.ld?
  • *.m2v
  • *.max
  • *.md
  • *.md?
  • *.mef
  • *.mkv
  • *.mov
  • *.mp4
  • *.mpeg
  • *.mpg
  • *.mrw
  • *.nba
  • *.ndf
  • *.nef
  • *.nr?
  • *.od?
  • *.ol?
  • *.one
  • *.orf
  • *.p12
  • *.p7?
  • *.pb?
  • *.pd?
  • *.pef
  • *.pem
  • *.pfx
  • *.png
  • *.pps
  • *.pps?
  • *.ppt
  • *.ppt?
  • *.psd
  • *.pst
  • *.ptx
  • *.pwm
  • *.qbw
  • *.r??
  • *.sco
  • *.sef
  • *.sk
  • *.sr2
  • *.srf
  • *.srw
  • *.tbk
  • *.tc
  • *.tib
  • *.tif
  • *.tmd
  • *.txt
  • *.v?
  • *.v??
  • *.v???
  • *.wb2
  • *.wbb
  • *.wim
  • *.wmv
  • *.wpd
  • *.wps
  • *.x3f
  • *.xl?
  • *.xls?
  • *.xml
  • *.z?
  • *.z??
  • *.z???

It avoids files which contain any of the following strings in their path:

  • index.dat

The trojan encrypts the file content.


The extension of the encrypted files is changed to:

  • .LOL!

The following file is dropped into the %currentfolder% and %desktop% folders:

  • how to get data.txt

It contains the following text:

  • Hello boys and girls! Welcome to our high school "GPCODE"!
  • If you are reading this text (read this very carefully, if you can read), this means that you have missed a lesson about safety and YOUR PC HACKED !!! Dont worry guys - our school specially for you! The best teachers have the best recommendations in the world! Feedback from our students, you can read here:
  • 1)http://forum.kaspersky.com 2)http://forum.drweb.com 3)http://forum.eset,com 4)www.forospyware.com
  • As you see- we trust their training, only we have special equipment(cryptor.exe and decryptor.exe) and only here you will get an unforgettable knowledge!
  • The lesson costs not expensive. Calculate the time and money you spend on recovery. Time is very expensive, almost priceless.We think that it is cheaper to pay for the lesson and never repeat the mistakes.We guarantee delivery of educational benefits(decryptor.exe). First part(cryptor.exe) you have received :-)
  • SERIOUSLY
  • Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES.No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor etc repair tools are useless and can destroy your files irreversibly.
  • If you want to restore files - send e-mail to gpcode@gp2mail.com       with the file "how to get data.txt" and 1-2 encrypted files less than 5 MB. PLEASE USE PUBLIC MAIL LIKE YAHOO or GMAIL.
  • You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
  • P.S. Remember, we are not scammers. We don`t need your files. After one month all your files and keys will be deleted.Oops!Just send a request immediately after infection. All data will be restored absolutelly. Your warranty - decrypted samples and positive feedbacks from previous users.

To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.


When file encryption is finished, the trojan removes itself from the computer.
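The indicators above (the targeted extension patterns with their '?' wildcards, the index.dat exclusion, the .LOL! extension, the ransom note filename and the Run-key persistence entry) can be turned into a small triage check. The following Python helper is an added example and is not ESET's code or part of the original entry. The pattern list is a subset of the one on the page, the sample paths and Run values are constructed, and the expansion of %programfiles% to C:\Program Files is an assumption about the host.

```python
import fnmatch
import ntpath

# Added example, not ESET's code: turns the indicators in the Win32/Gpcode.NAI
# description into simple triage checks over constructed sample data.

# Subset of the extension patterns listed on the page; '?' matches one character.
TARGET_PATTERNS = [
    "*.7z", "*.?ar", "*.avi", "*.backup", "*.bk?", "*.da?", "*.dbf",
    "*.doc", "*.doc?", "*.jpeg", "*.jpg", "*.key", "*.mp4", "*.p12",
    "*.pd?", "*.pem", "*.pfx", "*.png", "*.pst", "*.r??", "*.tib",
    "*.txt", "*.xl?", "*.xls?", "*.z?", "*.z??", "*.z???",
]

# Path substrings the trojan skips (from the page).
EXCLUDED_SUBSTRINGS = ["index.dat"]

# Post-encryption artifacts described on the page (compared case-insensitively).
ENCRYPTED_EXTENSION = ".lol!"
RANSOM_NOTE_NAME = "how to get data.txt"

# Persistence: an HKCU\...\Run value whose data points at %programfiles%\file.exe.
PERSISTENCE_TARGET = r"%programfiles%\file.exe"
# Assumption: %programfiles% expands to C:\Program Files on the host being checked.
PROGRAMFILES_EXPANSION = r"c:\program files"


def _normalize(path):
    """Lower-case and expand %programfiles% so comparisons are uniform."""
    return path.lower().replace("%programfiles%", PROGRAMFILES_EXPANSION)


def is_targeted(path):
    """True if the trojan's extension list would select this file for encryption."""
    lower = _normalize(path)
    if any(s in lower for s in EXCLUDED_SUBSTRINGS):
        return False
    name = ntpath.basename(lower)
    return any(fnmatch.fnmatchcase(name, p) for p in TARGET_PATTERNS)


def classify_paths(paths):
    """Sort paths into encrypted artifacts, ransom notes and files still at risk."""
    report = {"encrypted": [], "ransom_notes": [], "at_risk": []}
    for path in paths:
        name = ntpath.basename(path.lower())
        if name.endswith(ENCRYPTED_EXTENSION):
            report["encrypted"].append(path)
        elif name == RANSOM_NOTE_NAME:
            report["ransom_notes"].append(path)
        elif is_targeted(path):
            report["at_risk"].append(path)
    return report


def suspicious_run_entries(run_values):
    """Return Run-key value names whose data matches the page's persistence entry."""
    expected = _normalize(PERSISTENCE_TARGET)
    return sorted(name for name, data in run_values.items()
                  if _normalize(data) == expected)


# Constructed sample data for the demonstration (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Pictures\IMG_0001.JPG",
    r"D:\backups\archive.tar",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\History\index.dat",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\budget.xlsx.LOL!",
    r"C:\Users\alice\Desktop\how to get data.txt",
]

SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    # Constructed random value name, standing in for the page's %variable1%.
    "kx8q2": r"%programfiles%\file.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}


if __name__ == "__main__":
    for kind, items in classify_paths(SAMPLE_PATHS).items():
        print(f"{kind}: {items}")
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN_VALUES))
```

Note that index.dat is matched by the page's `*.da?` pattern but is still skipped, which is why the exclusion check runs before the pattern match; a file already renamed to .LOL! no longer matches its original extension pattern, so encrypted artifacts are recognised by suffix first.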

Other information

The trojan may display a dialog box with the title:

  • Oohkotokia!

Some examples follow.
