Focus on Virus
Re: GPCODE Virus Decryptor Technique
From: John Morrison (john morrison101 googlemail com)
Date: May 07 2010 09:01AM
In reply to: s34c0d3r gmail com, GPCODE Virus Decryptor Technique, May 06 2010 06:39PM
Tarun,

Personally I would delete all the encrypted files and recover the
originals from backup.

SecureList (http://www.securelist.com/en/descriptions/old313444) says:
"The virus uses Microsoft Enhanced Cryptographic Provider v1.0 (built
into Windows) to encrypt files. Files are encrypted using the RC4
algorithm. The encryption key is then encrypted using an RSA public
key 1024 bits in length which is in the body of the virus.

The RSA encryption algorithm divides encryption keys into public and
private. Only the public key is needed to encrypt messages. An
encrypted message can be decrypted only using the private key."

"At the moment, it's not possible to decrypt files encrypted by
Gpcode. However, you can use PhotoRec to recover your original files
which were deleted by Gpcode after the virus created an encrypted
version of the files.

The utility can be used to recover Microsoft Office documents,
executable files, PDF and TXT documents, and also certain file
archives. Here (http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec)
is a full list of supported file formats.

PhotoRec is part of the TestDisk package. The latest version of
TestDisk, including PhotoRec, can be found here
(http://www.cgsecurity.org/testdisk-6.10-WIP.win.zip)."

Kaspersky says (http://www.kaspersky.co.uk/news?id=207575654) pretty
much the same.

F-Secure claims to be able to decrypt
(http://www.f-secure.com/v-descs/gpcode.shtml#disinf). However, it
says that the May 2005 version detects this virus, so it may be an old
version of GPCode files that it can decrypt and the malware authors
have fixed their encryption implementation since then.

On 6 May 2010 19:39, <s34c0d3r (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> Does anyone know the way to decrypt the GPCODE encrypted files?
> Getting deleted files from recovery software is one option, but is there any way to decrypt those files?
>
> Tarun Kalla
>

---------------------------------------------------------------------------
This list is sponsored by: Black Hat

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
technical event for ICT security experts. Featuring 30 hands-on training
courses and 90 Briefings presentations with lots of new content and new
tools. Network with 4,000 delegates from 70 nations. Visit product
displays by 30 top sponsors in a relaxed setting.

http://www.blackhat.com
---------------------------------------------------------------------------
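The recovery route recommended above works because Gpcode deleted the originals rather than overwriting them, so their data blocks remain on disk until reused, and PhotoRec finds them by scanning raw storage for known file headers. As an added example, not code from the thread or from PhotoRec, here is a minimal signature-based carver showing that technique on a constructed raw image; the block size, the small signature table and the sample image are assumptions for illustration.

```python
# Added example (not from the thread or PhotoRec): minimal signature-based
# file carving, the technique used to recover deleted originals.
from typing import List, Tuple

# Header bytes for a few of the formats the thread says PhotoRec recovers.
SIGNATURES = {
    b"%PDF-": "pdf",                              # PDF
    b"MZ": "exe",                                 # DOS/PE executable
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "doc",   # OLE2 compound file (Office 97-2003)
    b"PK\x03\x04": "zip",                         # ZIP archive (also docx/xlsx/odt)
}
BLOCK = 512  # assumption: files start on 512-byte sector boundaries

def carve(image: bytes, block: int = BLOCK) -> List[Tuple[int, str, bytes]]:
    """Return (offset, type, data) for each known header found at a block
    boundary. Data runs to the next recognised header or the end of the
    image; a PDF is cut at its %%EOF trailer, other types lose zero padding."""
    hits = [(off, kind) for off in range(0, len(image), block)
            for magic, kind in SIGNATURES.items() if image.startswith(magic, off)]
    out = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        chunk = image[off:end]
        if kind == "pdf" and b"%%EOF" in chunk:     # PDF has a known trailer marker
            chunk = chunk[: chunk.index(b"%%EOF") + len(b"%%EOF")]
        else:
            chunk = chunk.rstrip(b"\x00")           # drop block padding
        out.append((off, kind, chunk))
    return out

def build_demo_image() -> bytes:
    """Constructed raw image: three small 'files' in allocated blocks separated
    by zero-filled free space, as left behind once directory entries are gone."""
    def pad(data: bytes) -> bytes:
        return data + b"\x00" * (-len(data) % BLOCK)
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    exe = b"MZ" + b"\x90" * 60 + b"PE\x00\x00" + b"\x4c\x01"  # ends on non-zero bytes
    doc = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 40 + b"hello"
    return b"\x00" * BLOCK + pad(pdf) + pad(exe) + b"\x00" * (2 * BLOCK) + pad(doc)

if __name__ == "__main__":
    for off, kind, data in carve(build_demo_image()):
        print(f"offset {off:6d}  type {kind:4s}  {len(data)} bytes recovered")
```

Real carvers also validate the recovered body (structure, footers, declared sizes), which is why the thread notes that only certain formats are supported.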

Copyright 2010, SecurityFocus