Other versions: .ac, .ad, .ae, .af, .ag, .ai, .ak
| Detection added | Jun 27 2005 |
| Update released | Jun 27 2005 10:07 GMT |
| Description added | Jun 28 2005 |
| Behavior | Virus |
| Platform | Win32 |
This file virus is a Windows PE EXE file, packed using UPX. The packed file
is approximately 56KB in size, and the unpacked file is approximately 122KB
in size.
Once launched, the virus will encrypt files with the following extensions
on the victim machine:
arj
cdr
cgi
css
csv
db
dbf
dbt
dbx
doc
flb
frm
frt
frx
gtd
gz
htm
html
kwm
mdb
mmf
pak
pdf
pl
pst
pwa
pwl
pwm
rar
rmr
rtf
sar
tar
tbb
txt
xls
xml
zip
The original virus file will be deleted after launch.
The following text can be seen at the beginning of encrypted files:
PGPcoder
A file named readme.txt will appear in folders which contain encrypted files.
The contents of readme.txt are as follows:
Some files are coded.
To buy decoder mail: md56@mail.ru
with subject: PGPcoder md56
The text may give a different email address or decrypter version, depending
on the version of Virus.Win32.GPCode.
If the user contacts the email address listed in readme.txt, they will receive
an answer asking for a specific sum of money in return for decrypting files.
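
The indicators described above (the PGPcoder text at the start of encrypted files and the readme.txt note) can be used to measure the extent of an infection. The triage sketch below is an added example, not part of the original description; it assumes the marker is the ASCII bytes `PGPcoder` at offset 0, and the function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Extensions targeted according to the description above.
TARGET_EXTS = set("""arj cdr cgi css csv db dbf dbt dbx doc flb frm frt frx gtd gz htm html
kwm mdb mmf pak pdf pl pst pwa pwl pwm rar rmr rtf sar tar tbb txt xls xml zip""".split())
MARKER = b"PGPcoder"  # assumption: ASCII bytes at offset 0 of an encrypted file
NOTE_RE = re.compile(rb"To buy decoder mail:\s*(\S+)")  # address varies by version

def scan_tree(root):
    """Return (sorted encrypted file paths, {folder: contact address from note})."""
    encrypted, notes = [], {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort triage
            if name.lower() == "readme.txt":
                m = NOTE_RE.search(head)
                if m:  # ransom note: record the contact address as an indicator
                    notes[folder] = m.group(1).decode("ascii", "replace")
                    continue
            if ext in TARGET_EXTS and head.startswith(MARKER):
                encrypted.append(path)
    return sorted(encrypted), notes

def build_sample(root):
    """Constructed sample tree: one marked file, one clean file, one note."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.doc"), "wb") as fh:
        fh.write(MARKER + b"\x00" * 32)       # constructed "encrypted" file
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched\n")  # constructed clean file
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(b"Some files are coded.\r\nTo buy decoder mail: user@example.invalid\r\n"
                 b"with subject: PGPcoder 000\r\n")  # constructed note, placeholder address

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

Run it against a read-only copy or a mounted image of the affected volume so that the triage does not alter file timestamps needed for later analysis.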