Return of GPcode? : all your personal files have been encrypted by a very strong cypher RSA-1024.

A newcomer in today's malware packs…
It is reminiscent of GPCode, which is a ransomware. It encrypts your documents, then displays a message telling you to send money to obtain the key that unlocks them (nothing guarantees the key is actually handed over).

The desktop wallpaper is changed:

Besides documents, shortcuts are encrypted as well.

A file named HOW TO DECRYPT FILES.txt is created on the desktop and opened; it contains the following text:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024. The original files were deleted.  You can check  – just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you – even don’t try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this ‘how to..’ file on desktop):  filemaker@safe-mail.net

44505212A536CB6D189E23A4EA80A97E0735285AAA3A8A3D41443A6DCB60C8C65E8DC58FE9697291436D7097D092C2E2E13DECB51B314612A117F0D3B93F5068
99EB792633D7552B428A7F5568154E597650D5459D2802C6DB66C8B1D31E3476B7378E1C4BCD932B739C53C91C9D27F99637ECCF63AFCE8B227ABAE07DAA1F28

The malware also has IRC backdoor features and spreads over MSN, which is reminiscent of the MSN viruses (Les Virus MSN); the MSN message is pushed to the bots as an IRC channel topic:

:xxx!p@symtec.us TOPIC #nn :.m.s|.m.e Breaking news, a tsunami and possibly earthquake is comming to thailand. Its expected to hit in less then 24 hours. If you do not belive this message, please. View our LIVE Images: http://rapidshare.com/files/454292304/picture935-2011.JPG-thailand.com?=

Using rapidshare for this is nothing new:
https://forum.malekal.com/http-rapidshare-com-files-452642308-image545-mileycy-jpg-www-facebook-com-t31855.html
https://forum.malekal.com/post238930.html?hilit=rapidshare#p238930
https://forum.malekal.com/post237285.html?hilit=rapidshare#p237285
https://forum.malekal.com/post237075.html?hilit=rapidshare#p237075
https://forum.malekal.com/post234409.html?hilit=rapidshare#p234409
etc.

Persistence uses a Run key value named Windows UDP Control Center.
The password: letmein
This points towards the ASC groups: http://forum.malekal.com/208-183-223-buzus-t27272.html#p215236
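An added example (not code from the page or from the malware authors) that turns the Run-key indicator above into an offline check: it parses regedit .reg exports collected from machines and flags Run/RunOnce values named Windows UDP Control Center. The export text inside the block is constructed; the value name is the one observed here, while the path it points to and the other entries are invented.

```python
"""Flag the Run-key persistence named above in regedit (.reg) exports.

Added example, not code from the page. SAMPLE_EXPORT is constructed:
the value name is the observed one, the path and other entries are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Value name this sample registers under the Run key (from the page).
IOC_VALUE_NAMES = {"windows udp control center"}

# Autostart keys worth reviewing, matched case-insensitively on the key suffix.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data (default value); names may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows UDP Control Center"="\"C:\\Documents and Settings\\user\\Application Data\\example.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Example"=hex(2):43,00,3a,00,5c,00,\
  00,00
"Flag"=dword:00000001
'''


@dataclass
class RegValue:
    key: str
    name: str   # "" for the key's default value
    data: str   # decoded string or dword; raw text for hex(...) data


def decode_export(data: bytes) -> str:
    """regedit 5.00 writes UTF-16 with a BOM; older exports are ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def _logical_lines(text: str):
    """Join hex(...) values that regedit continues over lines ending in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_data(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_reg(text: str) -> list[RegValue]:
    """Parse a .reg export into (key, value name, data) records."""
    values: list[RegValue] = []
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if m := _SECTION_RE.match(line):
            key = m.group(1)
        elif key is not None and (m := _VALUE_RE.match(line)):
            values.append(RegValue(key, _unescape(m.group(1) or ""), _decode_data(m.group(2))))
    return values


def run_entries(values: list[RegValue]) -> list[RegValue]:
    """Every value under a Run/RunOnce key, for manual review."""
    return [v for v in values if v.key.lower().endswith(RUN_KEY_SUFFIXES)]


def find_run_iocs(values: list[RegValue]) -> list[RegValue]:
    """Run entries whose value name matches a known IOC name."""
    return [v for v in run_entries(values) if v.name.lower() in IOC_VALUE_NAMES]


if __name__ == "__main__":
    for hit in find_run_iocs(parse_reg(SAMPLE_EXPORT)):
        print(f"[IOC] {hit.key}\\{hit.name} -> {hit.data}")
```

Feed `decode_export()` the bytes of a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) and review everything `run_entries()` returns, not only the IOC hits: the value name is trivial for the authors to change between builds.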

In the past Kaspersky managed to break one of the keys and released a removal tool that gave access to the documents back.
Whether that is still possible remains to be seen: if the infection is done properly, and given that breaking a 1024-bit key is practically impossible, recovering the documents may prove difficult. Note, though, that the ransom note itself says the original files were deleted rather than overwritten in place, so an undelete or file-carving tool run before anything else is written to the disk is the first recovery route to try.

Detection of the dropper at the time of writing:

http://www.virustotal.com/file-scan/reanalysis.html?id=cb1f1f83751bfb095f03c90a013d8c24a79630dc5fac21afc396df72c5cdd080-1301058910

File name: knockout.exe
Submission date: 2011-03-25 12:57:00 (UTC)
Current status: finished
Result: 7/ 41 (17.1%)

Antivirus     Version     Last Update     Result
AhnLab-V3    2011.03.25.01    2011.03.25    –
AntiVir    7.11.5.74    2011.03.25    –
Antiy-AVL    2.0.3.7    2011.03.25    –
Avast    4.8.1351.0    2011.03.25    Win32:Kryptik-AZZ
Avast5    5.0.677.0    2011.03.25    Win32:Kryptik-AZZ
AVG    10.0.0.1190    2011.03.25    –
BitDefender    7.2    2011.03.25    Dropped:Trojan.Generic.KD.167224
CAT-QuickHeal    11.00    2011.03.25    –
ClamAV    0.96.4.0    2011.03.25    –
Commtouch    5.2.11.5    2011.03.24    –
Comodo    8100    2011.03.25    Heur.Packed.Unknown
DrWeb    5.0.2.03300    2011.03.25    BackDoor.IRC.Sdbot.4246
eSafe    7.0.17.0    2011.03.24    –
eTrust-Vet    36.1.8235    2011.03.25    –
F-Prot    4.6.2.117    2011.03.24    –
F-Secure    9.0.16440.0    2011.03.23    –
Fortinet    4.2.254.0    2011.03.25    –
GData    21    2011.03.25    Win32:Kryptik-AZZ
Ikarus    T3.1.1.97.0    2011.03.25    –
Jiangmin    13.0.900    2011.03.25    –
K7AntiVirus    9.94.4211    2011.03.25    –
McAfee    5.400.0.1158    2011.03.25    –
McAfee-GW-Edition    2010.1C    2011.03.25    –
Microsoft    1.6702    2011.03.25    –
NOD32    5984    2011.03.25    –
Norman    6.07.03    None..    –
nProtect    2011-02-10.01    2011.02.15    –
Panda    10.0.3.5    2011.03.25    –
PCTools    7.0.3.5    2011.03.25    –
Prevx    3.0    2011.03.25    –
Rising    23.50.04.06    2011.03.25    –
Sophos    4.64.0    2011.03.25    Mal/FakeAV-IU
SUPERAntiSpyware    4.40.0.1006    2011.03.25    –
Symantec    20101.3.0.103    2011.03.25    –
TheHacker    6.7.0.1.156    2011.03.24    –
TrendMicro    9.200.0.1012    2011.03.25    –
TrendMicro-HouseCall    9.200.0.1012    2011.03.25    –
VBA32    3.12.14.3    2011.03.24    –
VIPRE    8814    2011.03.25    –
ViRobot    2011.3.25.4376    2011.03.25    –
VirusBuster    13.6.269.0    2011.03.25    –
Additional information
MD5   : c66f6f2f100300da50dad509d42cf4ef
SHA1  : 86881e75fd648856fc8c6f4767ae967489b73e12
SHA256: cb1f1f83751bfb095f03c90a013d8c24a79630dc5fac21afc396df72c5cdd080

Detection of the malware that does the encrypting:

http://www.virustotal.com/file-scan/report.html?id=832863ece8c7eced9395b8929b1557297feab33f8912210e8ff870ed849baab2-1301062457

File name: 1.exe
Submission date: 2011-03-25 14:14:17 (UTC)
Current status: finished
Result: 2/ 43 (4.7%)

Antivirus     Version     Last Update     Result
AhnLab-V3    2011.03.25.01    2011.03.25    –
AntiVir    7.11.5.74    2011.03.25    –
Antiy-AVL    2.0.3.7    2011.03.25    –
Avast    4.8.1351.0    2011.03.25    –
Avast5    5.0.677.0    2011.03.25    –
AVG    10.0.0.1190    2011.03.25    –
BitDefender    7.2    2011.03.25    –
CAT-QuickHeal    11.00    2011.03.25    –
ClamAV    0.96.4.0    2011.03.25    –
Commtouch    5.2.11.5    2011.03.24    –
Comodo    8100    2011.03.25    –
DrWeb    5.0.2.03300    2011.03.25    –
Emsisoft    5.1.0.4    2011.03.25    –
eSafe    7.0.17.0    2011.03.24    –
eTrust-Vet    36.1.8235    2011.03.25    –
F-Prot    4.6.2.117    2011.03.25    –
F-Secure    9.0.16440.0    2011.03.23    –
Fortinet    4.2.254.0    2011.03.25    –
GData    21    2011.03.25    –
Ikarus    T3.1.1.97.0    2011.03.25    –
Jiangmin    13.0.900    2011.03.25    –
K7AntiVirus    9.94.4211    2011.03.25    –
Kaspersky    7.0.0.125    2011.03.25    –
McAfee    5.400.0.1158    2011.03.25    –
McAfee-GW-Edition    2010.1C    2011.03.25    –
Microsoft    1.6702    2011.03.25    –
NOD32    5984    2011.03.25    –
Norman    6.07.03    2011.03.24    –
nProtect    2011-02-10.01    2011.02.15    –
Panda    10.0.3.5    2011.03.25    –
PCTools    7.0.3.5    2011.03.25    –
Prevx    3.0    2011.03.25    High Risk Cloaked Malware
Rising    23.50.04.06    2011.03.25    –
Sophos    4.64.0    2011.03.25    Mal/FakeAV-IU
SUPERAntiSpyware    4.40.0.1006    2011.03.25    –
Symantec    20101.3.0.103    2011.03.25    –
TheHacker    6.7.0.1.156    2011.03.24    –
TrendMicro    9.200.0.1012    2011.03.25    –
TrendMicro-HouseCall    9.200.0.1012    2011.03.25    –
VBA32    3.12.14.3    2011.03.25    –
VIPRE    8815    2011.03.25    –
ViRobot    2011.3.25.4376    2011.03.25    –
VirusBuster    13.6.269.0    2011.03.25    –
Additional information
MD5   : 72070d73697bf0654b0fd0945145dba4
SHA1  : 00b5ffca350d130925ebca21c680f600eeaf6b3d
SHA256: 832863ece8c7eced9395b8929b1557297feab33f8912210e8ff870ed849baab2

The IRC backdoor: http://www.virustotal.com/file-scan/report.html?id=501c5dd144a237d3b755c9940f3d2c33dceda118fcf90b81922fb55579418b32-1301060060

File name: 799972
Submission date: 2011-03-25 13:34:20 (UTC)
Current status: finished
Result: 6 /41 (14.6%)

Antivirus     Version     Last Update     Result
AhnLab-V3     2011.03.25.01     2011.03.25     –
AntiVir     7.11.5.74     2011.03.25     –
Antiy-AVL     2.0.3.7     2011.03.25     –
Avast     4.8.1351.0     2011.03.25     Win32:Kryptik-AZZ
Avast5     5.0.677.0     2011.03.25     Win32:Kryptik-AZZ
AVG     10.0.0.1190     2011.03.25     –
BitDefender     7.2     2011.03.25     Trojan.Generic.KD.167224
CAT-QuickHeal     11.00     2011.03.25     –
ClamAV     0.96.4.0     2011.03.25     –
Commtouch     5.2.11.5     2011.03.24     –
Comodo     8100     2011.03.25     –
DrWeb     5.0.2.03300     2011.03.25     BackDoor.IRC.Sdbot.4246
eSafe     7.0.17.0     2011.03.24     –
eTrust-Vet     36.1.8235     2011.03.25     –
F-Prot     4.6.2.117     2011.03.24     –
Fortinet     4.2.254.0     2011.03.25     –
GData     21     2011.03.25     Trojan.Generic.KD.167224
Ikarus     T3.1.1.97.0     2011.03.25     –
Jiangmin     13.0.900     2011.03.25     –
K7AntiVirus     9.94.4211     2011.03.25     –
Kaspersky     7.0.0.125     2011.03.25     –
McAfee     5.400.0.1158     2011.03.25     –
McAfee-GW-Edition     2010.1C     2011.03.25     –
Microsoft     1.6702     2011.03.25     –
NOD32     5984     2011.03.25     –
Norman     6.07.03     2011.03.24     –
nProtect     2011-02-10.01     2011.02.15     –
Panda     10.0.3.5     2011.03.25     –
PCTools     7.0.3.5     2011.03.25     –
Prevx     3.0     2011.03.25     –
Rising     23.50.04.06     2011.03.25     –
Sophos     4.64.0     2011.03.25     Mal/FakeAV-IU
SUPERAntiSpyware     4.40.0.1006     2011.03.25     –
Symantec     20101.3.0.103     2011.03.25     –
TheHacker     6.7.0.1.156     2011.03.24     –
TrendMicro     9.200.0.1012     2011.03.25     –
TrendMicro-HouseCall     9.200.0.1012     2011.03.25     –
VBA32     3.12.14.3     2011.03.24     –
VIPRE     8814     2011.03.25     –
ViRobot     2011.3.25.4376     2011.03.25     –
VirusBuster     13.6.269.0     2011.03.25     –
Additional information
MD5   : c52ab4d91b899e37397ec01e5a69d0cd
SHA1  : ec733d5d5f9ac25c3ec630009acd16dc5d5ab851
SHA256: 501c5dd144a237d3b755c9940f3d2c33dceda118fcf90b81922fb55579418b32
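An added example, not the page's own code, that parses VirusTotal reports pasted as plain text like the three above, recounts the Result ratio from the engine rows (which catches a truncated paste) and pulls the hashes out for an IOC list. The report inside the block is a constructed excerpt: eight engine rows taken from the three reports on this page, with a Result line written to match them.

```python
"""Parse a pasted VirusTotal report and recount its detection ratio.

Added example, not code from the page. SAMPLE_REPORT is a constructed
excerpt: eight engine rows from the page's reports, Result line to match.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# What VirusTotal prints in the Result column when an engine has no verdict.
_NO_DETECTION = {"", "-", "–", "—"}

_FILE_RE = re.compile(r"^File name:\s*(.+)$")
_STATED_RE = re.compile(r"^Result:\s*(\d+)\s*/\s*(\d+)")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9A-Fa-f]+)$")

SAMPLE_REPORT = """\
File name: knockout.exe
Submission date: 2011-03-25 12:57:00 (UTC)
Current status: finished
Result: 4/ 8 (50.0%)
Antivirus     Version     Last Update     Result
AhnLab-V3    2011.03.25.01    2011.03.25    –
Avast    4.8.1351.0    2011.03.25    Win32:Kryptik-AZZ
BitDefender    7.2    2011.03.25    Dropped:Trojan.Generic.KD.167224
DrWeb    5.0.2.03300    2011.03.25    BackDoor.IRC.Sdbot.4246
Kaspersky    7.0.0.125    2011.03.25    –
Norman    6.07.03    None..    –
Prevx    3.0    2011.03.25    High Risk Cloaked Malware
Symantec    20101.3.0.103    2011.03.25    –
Additional information
MD5   : c66f6f2f100300da50dad509d42cf4ef
SHA1  : 86881e75fd648856fc8c6f4767ae967489b73e12
SHA256: cb1f1f83751bfb095f03c90a013d8c24a79630dc5fac21afc396df72c5cdd080
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    last_update: str
    result: str | None      # None when the engine returned no verdict


@dataclass
class VtReport:
    file_name: str = ""
    stated: tuple[int, int] | None = None   # (detections, engines) printed in the header
    engines: list[EngineResult] = field(default_factory=list)
    hashes: dict[str, str] = field(default_factory=dict)

    def detected(self) -> list[EngineResult]:
        return [e for e in self.engines if e.result is not None]

    def ratio(self) -> tuple[int, int]:
        return len(self.detected()), len(self.engines)

    def consistent(self) -> bool:
        """True when the recounted ratio equals the one printed in the header."""
        return self.stated == self.ratio()


def parse_report(text: str) -> VtReport:
    report = VtReport()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _FILE_RE.match(line):
            report.file_name = m.group(1).strip()
        elif m := _STATED_RE.match(line):
            report.stated = (int(m.group(1)), int(m.group(2)))
        elif m := _HASH_RE.match(line):
            report.hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith("Antivirus") and "Version" in line:
            in_table = True                    # column header; engine rows follow
        elif line.startswith("Additional information"):
            in_table = False
        elif in_table:
            # Columns are separated by runs of spaces; a verdict may contain single spaces.
            fields = re.split(r"\s{2,}", line)
            if len(fields) != 4:
                raise ValueError(f"unexpected engine row: {raw!r}")
            engine, version, last_update, result = fields
            report.engines.append(EngineResult(
                engine, version, last_update,
                None if result in _NO_DETECTION else result))
    return report


def summary(report: VtReport) -> str:
    d, n = report.ratio()
    pct = 100.0 * d / n if n else 0.0
    names = ", ".join(f"{e.engine}={e.result}" for e in report.detected())
    flag = "" if report.consistent() else " [header ratio does not match rows]"
    return f"{report.file_name}: {d}/{n} ({pct:.1f}%){flag} {names}".rstrip()


if __name__ == "__main__":
    print(summary(parse_report(SAMPLE_REPORT)))
```

Run over the three reports above it recounts 7/41, 2/43 and 6/41 from the rows, and the `Dropped:` prefix on BitDefender's name for the dropper versus the bare name on the extracted backdoor is visible in the `summary()` output.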

EDIT:

The IRC backdoor is ngrBot:

PASS ngrBot
:Apache2.0 NOTICE AUTH :MOTD
NICK n{FR|XPa}dvrgypt
USER dvrgypt 0 0 :dvrgypt
JOIN #ngr ngrBot
:Apache2.0 001 n{FR|XPa}dvrgypt
:Apache2.0 002 n{FR|XPa}dvrgypt
:Apache2.0 003 n{FR|XPa}dvrgypt
:Apache2.0 004 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 422 n{FR|XPa}dvrgypt :MOTD
:n{FR|XPa}dvrgypt MODE n{FR|XPa}dvrgypt :+iwG
:n{FR|XPa}dvrgypt!dvrgypt@xxxxxxxxxxx.fr JOIN :#ngr
:Apache2.0 332 n{FR|XPa}dvrgypt #ngr :.up http://rapidshare.com/files/454361616/ngr_fud.exe f02b7f011d753250cec3286ad91f6724 .msn.int # .msn.set http://redir.ec/photoalbum2011
:Apache2.0 333 n{FR|XPa}dvrgypt #ngr xxx 1301073359
JOIN #ngr ngrBot
PRIVMSG #ngr :[MSN]: Updated MSN spread interval to « 7 »
PRIVMSG #ngr :[MSN]: Updated MSN spread message to « http://redir.ec/photoalbum2011″
:Apache2.0 404 n{FR|XPa}dvrgypt #ngr :You must have a registered nick (+r) to talk on this channel (#ngr)
:Apache2.0 404 n{FR|XPa}dvrgypt #ngr :You must have a registered nick (+r) to talk on this channel (#ngr)
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
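The captured session above, as an added example that is not part of the original post: a small RFC 1459 line parser that recognises the ngrBot handshake (PASS ngrBot, the n{..|..} nick, JOIN #ngr with key ngrBot) and pulls the bot commands, URLs and MD5 out of the channel topic. The lines inside the block are copied from the capture above plus the MSN-spread TOPIC line shown earlier on the page; reading the nick's brace tag as country|OS is an assumption drawn from this one sample, not documented ngrBot behaviour.

```python
"""Pull C2 indicators out of a captured ngrBot IRC session (added example,
not code from the page). CAPTURE is copied from the traffic shown above,
plus the MSN-spread TOPIC line shown earlier on the page."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CAPTURE = """\
PASS ngrBot
NICK n{FR|XPa}dvrgypt
USER dvrgypt 0 0 :dvrgypt
JOIN #ngr ngrBot
:n{FR|XPa}dvrgypt!dvrgypt@xxxxxxxxxxx.fr JOIN :#ngr
:Apache2.0 332 n{FR|XPa}dvrgypt #ngr :.up http://rapidshare.com/files/454361616/ngr_fud.exe f02b7f011d753250cec3286ad91f6724 .msn.int # .msn.set http://redir.ec/photoalbum2011
:xxx!p@symtec.us TOPIC #nn :.m.s|.m.e Breaking news, a tsunami and possibly earthquake is comming to thailand. Its expected to hit in less then 24 hours. If you do not belive this message, please. View our LIVE Images: http://rapidshare.com/files/454292304/picture935-2011.JPG-thailand.com?=
PING :Apache2.0
"""

_CMD_RE = re.compile(r"^\.[A-Za-z][\w.|]*$")   # bot commands: .up .msn.set .m.s|.m.e
_URL_RE = re.compile(r"https?://\S+")
_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# n{FR|XPa}dvrgypt: reading the brace tag as country|OS is an assumption from one sample.
_NICK_RE = re.compile(r"^n\{([A-Z]{2})\|([^}]+)\}(\w+)$")


def parse_irc_line(line: str) -> tuple[str | None, str, list[str]]:
    """Split an RFC 1459 line into (prefix, command, params), trailing param included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    params = parts[1:] + ([trailing] if trailing is not None else [])
    return prefix, parts[0].upper(), params


def split_commands(topic: str) -> list[tuple[str, str]]:
    """Dot-prefixed tokens are commands; tokens up to the next command are its argument."""
    cmds: list[tuple[str, list[str]]] = []
    for tok in topic.split():
        if _CMD_RE.match(tok):
            cmds.append((tok, []))
        elif cmds:
            cmds[-1][1].append(tok)
    return [(c, " ".join(a)) for c, a in cmds]


@dataclass
class BotSession:
    server_password: str | None = None
    nick: str | None = None
    nick_tag: tuple[str, str, str] | None = None
    channels: dict[str, str | None] = field(default_factory=dict)  # channel -> join key
    commands: list[tuple[str, str]] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)
    md5s: list[str] = field(default_factory=list)

    def indicators(self) -> list[str]:
        hits = []
        if self.server_password == "ngrBot":
            hits.append("server password 'ngrBot'")
        if self.nick_tag:
            hits.append(f"tagged nick {self.nick}")
        for chan, key in self.channels.items():
            if chan == "#ngr" or key == "ngrBot":
                hits.append(f"joined {chan} with key {key}")
        if any(c.startswith((".msn", ".m.")) for c, _ in self.commands):
            hits.append("MSN spread commands in channel topic")
        return hits


def analyse(capture: str) -> BotSession:
    s = BotSession()
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "PASS" and params:
            s.server_password = params[0]
        elif cmd == "NICK" and params:
            s.nick = params[0]
            m = _NICK_RE.match(s.nick)
            s.nick_tag = m.groups() if m else None
        elif cmd == "JOIN" and params:
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(params[0].split(",")):
                s.channels.setdefault(chan, keys[i] if i < len(keys) else None)
        elif cmd in ("TOPIC", "332") and len(params) >= 2:
            chan, topic = params[-2], params[-1]   # TOPIC <chan> :<t> / 332 <nick> <chan> :<t>
            s.channels.setdefault(chan, None)
            s.commands.extend(split_commands(topic))
            s.urls.extend(_URL_RE.findall(topic))
            s.md5s.extend(_MD5_RE.findall(topic))
    return s


if __name__ == "__main__":
    session = analyse(CAPTURE)
    for hit in session.indicators():
        print("[ngrBot]", hit)
```

The interesting output is the command list: `.up` carries the URL of the next build (ngr_fud.exe) together with the MD5 the bot is expected to check it against, and `.msn.set` carries the link that will be pushed to the victim's MSN contacts, which is what the bot's own `Updated MSN spread message` PRIVMSG confirms above. Both URLs and the hash go straight into a blocklist.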

Possible detections: Worm:Win32/Dorkbot.gen!A at Microsoft and IM-Worm.Win32.Ckbface at Kaspersky.

EDIT:

Kaspersky's post: http://www.securelist.com/en/blog/6165/Ransomware_GPCode_strikes_back