
System Infected: Trojan.Gpcoder.G Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Gpcoder malware activity on the infected machine.

Additional Information

The Trojan may be downloaded as the following file:
%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe

When executed, the Trojan searches the compromised computer for files with the following extensions:
.1cd
.3gp
.avi
.bmp
.cdr
.cer
.dbf
.doc
.docx
.dwg
.flv
.ifo
.jpeg
.jpg
.kwm
.lnk
.m2v
.max
.md
.mdb
.mdf
.mov
.mp3
.mpeg
.mpg
.odt
.p12
.pdf
.pfx
.ppt
.pptx
.psd
.pwm
.rar
.txt
.vob
.xls
.xlsx
.zip

It then encrypts the first half of all files found.

The Trojan adds the following extension to the file names of all files it encrypts:
.ENCODED

The Trojan then creates the following file, which it sets as the desktop wallpaper:
%Temp%\[RANDOM LOWER CASE LETTERS].bmp

The above file is an image that contains the following message:
ATTENTION!!!!!!

ALL YOUR PERSONAL FILES WERE ENCRYPTED WITH A STRONG ALGORTHYM RSA-1024 AND YOU CAN'T GET ACCESS TO THEM WITHOUT MAKING OF WHAT WE NEED!

READ 'HOW TO DECRYPT' TXT-FILE ON YOUR DESKTOP FOR DETAILS

JUST DO IT AS FAST AS YOU CAN!

REMEMBER: DON'T TRY TO TELL SOMEONE ABOUT THIS MESSAGE IF YOU WANT TO GET YOUR FILES BACK! JUST DO ALL WE TOLD.

Next, the Trojan creates the following file:
%UserProfile%\Desktop\HOW TO DECRYPT FILES.txt

It then opens the above file using notepad.exe and displays the following text:
Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. After n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help you to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to a message a full serial key shown below in this 'how to..' file on desktop):
[EMAIL ADDRESS REMOVED]
[KEY REMOVED]
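A triage helper for the behaviour described above, added here as an example and not Symantec's or the signature's own code. It flags files carrying the .ENCODED suffix, maps them back to the targeted extension list, corroborates the "first half encrypted" step by comparing the byte entropy of each half, and spots the ransom note by its file name. The sample inputs are constructed, not real victim data.

```python
import math
import random
from pathlib import Path

# Extensions the write-up says the Trojan searches for (duplicates removed).
TARGET_EXTENSIONS = set((
    "1cd 3gp avi bmp cdr cer dbf doc docx dwg flv ifo jpeg jpg kwm lnk m2v max "
    "md mdb mdf mov mp3 mpeg mpg odt p12 pdf pfx ppt pptx psd pwm rar txt vob "
    "xls xlsx zip").split())
ENCODED_SUFFIX = ".ENCODED"  # appended to every file the Trojan encrypts
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # dropped on the desktop

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def classify(name, data):
    """Return a finding if the file matches the Gpcoder.G pattern, else None."""
    if name == RANSOM_NOTE_NAME:
        return {"name": name, "kind": "ransom_note"}
    if not name.endswith(ENCODED_SUFFIX):
        return None
    ext = Path(name[:-len(ENCODED_SUFFIX)]).suffix.lower().lstrip(".")
    mid = len(data) // 2
    first, second = shannon_entropy(data[:mid]), shannon_entropy(data[mid:])
    return {"name": name, "kind": "encoded_file", "original_ext": ext,
            "targeted_ext": ext in TARGET_EXTENSIONS,
            # Only the first half is encrypted, so a high-entropy first half over
            # a plaintext-like second half corroborates the behaviour above.
            "first_half_only": first > 7.0 and second < first - 1.0}

def constructed_samples():
    """Constructed test data, not real victim files: a .doc whose first half was
    overwritten with random bytes, an untouched .txt and the ransom note."""
    plaintext = b"Quarterly report, all figures in USD.\n" * 60
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    mid = len(plaintext) // 2
    scrambled = bytes(rng.getrandbits(8) for _ in range(mid)) + plaintext[mid:]
    return [("report.doc.ENCODED", scrambled), ("notes.txt", plaintext),
            (RANSOM_NOTE_NAME, b"Attention!!!\n")]

def triage(samples):
    return [f for name, data in samples if (f := classify(name, data))]
```

On a real image, feed each file name and its bytes to classify() while walking the tree; a hit with first_half_only set, a targeted original extension and the ransom note alongside matches every observable this signature describes.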

Affected

  • Various platforms