Detected as Win32/Gpcode.G by Microsoft, Trojan.Gpcoder by Symantec and Gpcode.ak by Kaspersky, the malicious code is a ransomware Trojan: an unbreakable piece of malware designed to encrypt files on compromised computers with a 1024-bit RSA algorithm and hold them captive until the user agrees to pay the attacker for the decryption tool.
“The trojan encrypts all user files (for example, with extensions .txt, .doc, .jpg, .pdf, .chm, .htm, .cpp, .h amongst others) on the infected computer. The encrypted files are saved by appending ‘_crypt’ to the original file name whilst the original files are permanently deleted,” informed Dan Nicolescu, from the Microsoft Malware Protection Center.
Kaspersky Lab is now able to provide users with instructions on how to recover files attacked by the Gpcode.ak virus. As reported earlier, decrypting files encrypted by Gpcode.ak without the private key is not, as yet, possible. However, a method for recovering the encrypted files has been identified.
The method makes use of the fact that before encrypting a file, Gpcode.ak creates a new file (which contains encrypted data from the original file) ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.
The free PhotoRec utility, developed by Christophe Grenier, recovers files from a selected partition remarkably well. However, restoring the exact file names and paths remains a problem. To address this issue, Kaspersky Lab has developed a small free utility, StopGpcode (ZIP file, 71.2 KB), which restores the original file names and the full paths of the recovered files.
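The create-copy-then-delete behaviour described above (a `<name>_crypt` file appears beside the original, then the original is deleted) lends itself to a simple detection rule. The following Python is an added example, not code from the article, Kaspersky or Microsoft; it assumes a file-system audit log in the constructed `<time> <CREATE|DELETE> <path>` format and flags the pattern, also deriving the original path from each encrypted copy's name.

```python
import re

# Constructed sample of file-system audit events (not taken from the article).
SAMPLE_EVENTS = """\
10:00:01 CREATE C:\\Users\\a\\Documents\\report.doc_crypt
10:00:02 DELETE C:\\Users\\a\\Documents\\report.doc
10:00:03 CREATE C:\\Users\\a\\Pictures\\holiday.jpg_crypt
10:00:04 DELETE C:\\Users\\a\\Pictures\\holiday.jpg
10:00:05 CREATE C:\\Users\\a\\Documents\\notes.txt
10:00:06 DELETE C:\\Users\\a\\Documents\\old.txt
"""

EVENT_RE = re.compile(r"^(\S+)\s+(CREATE|DELETE)\s+(.+)$")
SUFFIX = "_crypt"  # suffix Gpcode.ak appends to the encrypted copy


def parse_events(text):
    """Parse '<time> <op> <path>' lines into (time, op, path) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def original_path(encrypted_path):
    """Recover the original name and full path from a '<name>_crypt' copy (as StopGpcode's
    name restoration relies on); returns None if the path does not carry the suffix."""
    if not encrypted_path.endswith(SUFFIX):
        return None
    return encrypted_path[: -len(SUFFIX)]


def find_gpcode_pairs(events):
    """Return (original, encrypted_copy) pairs where a '<name>_crypt' file was created
    and the matching original '<name>' was deleted afterwards, in log order."""
    pending = {}  # original path -> encrypted copy path, awaiting the delete event
    pairs = []
    for _, op, path in events:
        if op == "CREATE" and path.endswith(SUFFIX):
            pending[original_path(path)] = path
        elif op == "DELETE" and path in pending:
            pairs.append((path, pending.pop(path)))
    return pairs


def looks_like_gpcode(events, minimum_pairs=2):
    """Alert when at least `minimum_pairs` create/delete pairs are seen (threshold is an assumption)."""
    return len(find_gpcode_pairs(events)) >= minimum_pairs
```

Because the originals are deleted rather than overwritten in place, the pairs returned are exactly the files whose content a carving tool such as PhotoRec can still recover, and `original_path` gives the name and path to restore them to.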