Russian extortion Trojan hits web
Malware variant spreads anew.
By John E Dunn | Techworld | Published: 14:46, 06 June 2006
A week after a woman from the UK was reported to have fallen victim to a new encryption Trojan, Arhiveus-A, an older rival has reappeared on the Internet.
Kaspersky Lab is reporting that a new version of GpCode – full name Win32.GpCode.ae in the company’s terminology - is now spreading across Russian websites.
GpCode is reckoned to be the first encryption/blackmail Trojan to have been discovered, after it was traced to Russian websites in the Spring of 2005.
This March, another version of the same technique appeared in the form of Cryzip, while the last week’s Archiveus.A attack represented a third family.
All of them work using the same basic technique of archiving and/or encrypting a user’s files, and asking for payments or purchases from Internet sites in exchange for a password to unlock files. Infection rates tend to be kept to a deliberately low level in order to extend the blackmail window for as long as possible before detection by security companies.
The new version of GpCode swaps RSA 67-bit encryption for the harder-to-crack RSA 260-bit. As with the original Gpcode, the origin appears to be Russian.
Kaspersky said the Trojan did not use a passphrase to decrypt directories as such, so such information could not be published. It had added an automatic decryption routine for anyone using subscribing to its products.
