"Your files have been virus-encrypted" but don't panic

Stuart Corner
Wednesday, 18 July 2007 14:11

Business IT - Security

Security specialist Kaspersky Lab has detected a new version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.

Kaspersky says Virus.Win32.Gpcode.ai uses a complex encryption algorithm to encrypt user files and archives, making it impossible to open them. It then drops a file titled "read_me.txt" to the victim machine, which contains the message "Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: This e-mail address is being protected from spambots. You need JavaScript enabled to view it and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data."

However, according to Kaspersky: the claim that user files are sent to the malicious user is false; a modified version of RC4 and not RSA-4096 is used for encryption; and it has always been successful in finding the decryption key for files encrypted by previous versions of Gpcode.

"Kaspersky Lab analysts have also created a decryption routine for encrypted files which will be added to the antivirus databases in the very near future."

Kaspersky has added signatures for Virus.Win32.Gpcode.ai to its Anti-Virus databases, and recommends all users to update their databases.