Hayton (Reliable Contributor)
Message 11 of 11

Re: Malware undetectable

Symantec calls this Trojan.GpCoder; Dr Web calls it Trojan.Encoder.94; Trendmicro calls it Troj_Ransom.BXA; McAfee probably calls it GpCoder-dot-something.

The encryption is not over-complicated: it's TEA.

There's a full analysis of an earlier version of this, complete with source code, at

http://xylibox.blogspot.co.uk/2011/01/gpcode-ransomware-2010-simple-analysis.html


The first fix provided for this variant may not work if the encryption has changed, so the best advice I can give is for you to contact the Russian company which has been providing the fixes and submit a sample file for analysis. They will then provide you with the key to decrypt the files.

Advice from the Google forum discussion thread at https://productforums.google.com/forum/#!topic/gmail/qo0xd0MM1Z8:

[Screenshot: Trojan.Encoder - Google Groups.png]

That email address above is https://vms.drweb.com/sendvirus/?lng=en

Dr Web have a page on Trojan.Encoder.94 at http://news.drweb.com/show/?i=2356&lng=en&c=14:

To minimize the damage from an infection by Trojan.Encoder.94, Doctor Web recommends users to back up all the files they need for their work. If your files have been compromised by the Trojan, use the following guidelines to avoid possible data losses:

  • Never attempt to solve the problem by reinstalling the operating system.
  • Do not delete any files from the hard drives.
  • Do not try to restore the encrypted data on your own.
  • Contact Doctor Web's technical support. When filing a request, select Request for curing. This service is provided free of charge.
  • Attach a .doc or .txt file encrypted by the Trojan to the ticket.
  • Wait for a response from a virus analyst. Due to the large number of requests it may take some time.

http://vms.drweb.com/virus/?i=1733220

Technical Information

Malicious functions:

Executes the following:

  • <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.hdmp 16325836412027092
  • <SYSTEM32>\rundll32.exe <SYSTEM32>\sysdm.cpl,NoExecuteProcessException %WINDIR%\explorer.exe
  • %WINDIR%\explorer.exe
  • <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.mdmp 16325836412027072

Modifies file system:

Creates the following files:
  • %TEMP%\WER9c75.dir00\appcompat.txt
  • %TEMP%\WER9c75.dir00\manifest.txt
  • %TEMP%\WER9c75.dir00\explorer.exe.mdmp
  • %TEMP%\WER9c75.dir00\explorer.exe.hdmp

A full list of files which are modified by this Trojan, and Registry keys which are created or modified, can be found at

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-VRC/detaile...

- scroll down to about two-thirds of the way down the webpage to find the list.

After running the fix from Dr Web you will need to run Malwarebytes or a similar program to remove the traces of infection. I don't know whether Stinger would clean these traces, but you might want to give that a try first: I do know that Malwarebytes cleans this infection.

One point to note is that the fix supplied by Dr Web seems designed only to work on the local file system. The Trojan may infect files on other drives -

http://www.symantec.com/connect/articles/custom-ips-block-trojangpcoder-ransom-trojan:

The biggest problem with this trojan is the fact that it encrypts files on fileshares.

One of the Google forum posters has a solution if that has happened:

[Screenshot: User sends extortion claim after hyjacking a server - Google Groups.png]

I hope this information is useful to you. Let us know if you manage to recover all the files and clean your system/network.

Message was edited by: Hayton on 20/05/12 05:30:29 IST
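The post says the Trojan's encryption is TEA. As an added illustration (not Hayton's code, nor code from the xylibox analysis or from Dr Web), the block below implements the standard 32-cycle TEA block cipher and shows that decrypting with the same key restores the data exactly, which is why a key recovered by the vendor's analysts is enough to repair the files. The big-endian word order, the key, the sample text and the ECB helper are all constructed for this example; nothing on the page describes the Trojan's actual file format, mode of operation or key handling, and this code does not attempt to reproduce them.

```python
"""TEA (Tiny Encryption Algorithm) encrypt/decrypt round trip.

Added example to illustrate the cipher named in the post. Word order
(big-endian) and the ECB helper are assumptions made for this demo; the
Trojan's real file layout and key handling are not described on the page.
"""
import struct

DELTA = 0x9E3779B9   # TEA's golden-ratio derived constant
MASK32 = 0xFFFFFFFF  # keep every value inside 32-bit arithmetic
ROUNDS = 32          # standard TEA: 32 cycles of two Feistel half-rounds


def _key_words(key: bytes):
    """Split a 128-bit key into four 32-bit words (big-endian, assumed)."""
    if len(key) != 16:
        raise ValueError("TEA key must be 128 bits (16 bytes)")
    return struct.unpack(">4L", key)


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 64-bit block with a 128-bit key."""
    if len(block) != 8:
        raise ValueError("TEA block must be 64 bits (8 bytes)")
    k0, k1, k2, k3 = _key_words(key)
    v0, v1 = struct.unpack(">2L", block)
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2L", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Invert tea_encrypt_block: run the cycles backwards, unwinding 'total'."""
    if len(block) != 8:
        raise ValueError("TEA block must be 64 bits (8 bytes)")
    k0, k1, k2, k3 = _key_words(key)
    v0, v1 = struct.unpack(">2L", block)
    total = (DELTA * ROUNDS) & MASK32   # value 'total' had after the last encrypt cycle
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack(">2L", v0, v1)


def tea_ecb(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Apply TEA block by block (ECB, no padding) to data whose length is a
    multiple of 8. ECB is used only to keep the demo short; it leaks
    block-level patterns and is not a recommended mode."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8 bytes")
    fn = tea_decrypt_block if decrypt else tea_encrypt_block
    return b"".join(fn(data[i:i + 8], key) for i in range(0, len(data), 8))


def round_trip_ok(data: bytes, key: bytes) -> bool:
    """True when decrypting with the same key restores the data exactly."""
    return tea_ecb(tea_ecb(data, key), key, decrypt=True) == data


if __name__ == "__main__":
    # Constructed sample key and text; not values taken from the Trojan.
    sample_key = bytes(range(16))
    sample = b"constructed sample, 32 bytes...."
    ciphertext = tea_ecb(sample, sample_key)
    print("ciphertext:", ciphertext.hex())
    print("round trip with the right key:", round_trip_ok(sample, sample_key))
    print("wrong key restores data:",
          tea_ecb(ciphertext, bytes(16), decrypt=True) == sample)
```

The decrypt routine starts from the value `total` reached at the end of encryption (32 additions of DELTA, reduced mod 2^32) and subtracts the same mixing terms in reverse order, so any implementation error in the round function shows up immediately as a failed round trip; that is the check to run before trusting any decryption tool against a backup copy of an encrypted file.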