Summary
| Affected operating systems | Windows |
|---|---|
| Protection available since | 18 July 2007 18:19:43 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/GPCoder-G is a Trojan for the Windows platform that encrypts users' documents and asks the user to send money to the authors in order to decrypt them.
When Troj/GPCoder-G is first run it creates the file <System>\ntos.exe which is also detected as Troj/GPCoder-G.
The following registry entry is changed to run ntos.exe on startup:
```
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = <System>\userinit.exe,<System>\ntos.exe,
```
Troj/GPCoder-G searches the computer for files in common document formats and encrypts them so they can no longer be used. Troj/GPCoder-G may also attempt to send the contents of those files to a remote server. It then drops the file read_me.txt in the same folder, containing the following text:
Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: <removed>@gmail.com and provide us
your personal code <unique identifier>. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
