Virus:W32/Gpcode.AK
First posted on 25 June 2008.
Source: SecurityHome
Aliases :
There are no other names known for Virus:W32/Gpcode.AK.
Explanation :
Gpcode.AK is "ransom-ware" that intends to extort money from the victim by encrypting data files.
It requires the victim to order the malware author's custom tool to restore the encrypted data.
Gpcode.AK searches drives C to Z for the following file types on the system:
- 7z
- abd
- abk
- acad
- ace
- arh
- arj
- arx
- asm
- bak
- bcb
- bz
- bz2
- c
- cc
- cdb
- cdr
- cdw
- cer
- cgi
- chm
- cnt
- cpp
- css
- csv
- db
- db1
- db2
- db3
- db4
- dba
- dbb
- dbc
- dbd
- dbe
- dbf
- dbm
- dbo
- dbq
- dbt
- dbt
- dbx
- djvu
- doc
- dok
- dpr
- dwg
- dxf
- ebd
- eml
- eni
- ert
- fax
- fjs
- flb
- frg
- frm
- frt
- frx
- gfa
- gfd
- gfr
- gtd
- gz
- gzip
- h
- hpp
- htm
- html
- iges
- igs
- inc
- jad
- jar
- java
- jfi
- jpe
- jpeg
- jpg
- jsp
- key
- kwm
- ldiflst
- ldr
- lsp
- lzh
- lzw
- man
- mdb
- mht
- mmf
- mnb
- mns
- mnu
- mo
- msb
- msg
- mxl
- old
- p12
- pak
- pas
- pem
- pfx
- pgp
- php
- php3
- php4
- pl
- pm3
- pm4
- pm5
- pm6
- prf
- prx
- pst
- pw
- pwa
- pwl
- pwm
- rar
- rmr
- rnd
- rtf
- safesar
- sig
- sql
- tar
- tbb
- tbb
- tbk
- tdf
- tgz
- txt
- uue
- vb
- vcf
- wab
- xls
- xml
It then encrypts the discovered files using an RSA algorithm, renames them with a ._CRYPT extension, and deletes the original files.
As a ransom note, it drops the file !_READ_ME_!.txt to the directory; the note requires the victim to buy a custom decrypting tool from the malware author.
Last update 25 June 2008
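A triage sketch for the two file-system artifacts named above (the ._CRYPT extension and the !_READ_ME_!.txt note), added here as an example and not part of the original description: it walks a directory tree and reports how many directories and files are affected. The function names and the sample tree are constructed for illustration, and case-insensitive matching is an assumption.

```python
import os
import tempfile

NOTE_NAME = "!_READ_ME_!.txt"  # ransom note name given in the description
CRYPT_SUFFIX = "._CRYPT"       # extension given to encrypted files

def scan_tree(root):
    """Map each directory under root that shows either artifact to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        # Assumption: compare lowercased, since Windows names are case-insensitive.
        note = any(f.lower() == NOTE_NAME.lower() for f in files)
        encrypted = sorted(f for f in files
                           if f.lower().endswith(CRYPT_SUFFIX.lower()))
        if note or encrypted:
            hits[dirpath] = {"note": note, "encrypted": encrypted}
    return hits

def summarize(hits):
    """Return (dirs with a note, total encrypted files, dirs with a note only)."""
    with_note = sum(1 for h in hits.values() if h["note"])
    total = sum(len(h["encrypted"]) for h in hits.values())
    note_only = sum(1 for h in hits.values() if h["note"] and not h["encrypted"])
    return with_note, total, note_only

def demo():
    """Build a constructed sample tree (not real malware output) and scan it."""
    layout = {
        "docs": ["!_READ_ME_!.txt", "report.doc._CRYPT", "budget.xls._crypt"],
        "src": ["!_READ_ME_!.txt", "main.c._CRYPT", "notes.md"],
        "music": ["!_READ_ME_!.txt", "song.mp3"],  # note present, no ._CRYPT files
        "clean": ["readme.txt"],                   # no artifacts at all
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return summarize(scan_tree(root))

if __name__ == "__main__":
    print("dirs with note=%d, encrypted files=%d, note-only dirs=%d" % demo())
```

Point `scan_tree` at a mounted copy or forensic image of the affected drive rather than the live system, so the scan does not alter timestamps on evidence.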