Also, this is a new variant of the virus W32.GPCoder.
This is a known Trojan; decryption of the files should be relatively simple. I'll check that the method still works and will post again later.
Moved to Corporate User Assistance just in case....
I was able to decrypt the infected files using a third-party utility. But till now I am unable to detect the virus. The customer is expecting an extra DAT from McAfee so that the virus can be detected. I have run the GetSusp tool but nothing specific was found.
We have blocked the virus by creating an access protection rule. But we would want to get it detected by McAfee.
Symantec calls this Trojan.GpCoder; Dr Web calls it Trojan.Encoder.94; Trend Micro calls it Troj_Ransom.BXA; McAfee probably calls it GpCoder-dot-something.
The encryption is not over-complicated: it's TEA.
There's a full analysis of an earlier version of this, complete with source code, at
The first fix provided for this variant may not work if the encryption has changed, so the best advice I can give is for you to contact the Russian company which has been providing the fixes and submit a sample file for analysis. They will then provide you with the key to decrypt the files.
Advice from the Google forum discussion thread at https://productforums.google.com/forum/#!topic/gmail/qo0xd0MM1Z8:
That email address above is https://vms.drweb.com/sendvirus/?lng=en
Dr Web have a page on Trojan.Encoder.94 at http://news.drweb.com/show/?i=2356&lng=en&c=14 :
To minimize the damage from an infection by Trojan.Encoder.94, Doctor Web recommends that users back up all the files they need for their work. If your files have been compromised by the Trojan, use the following guidelines to avoid possible data loss:
- Never attempt to solve the problem by reinstalling the operating system.
- Do not delete any files from the hard drives.
- Do not try to restore the encrypted data on your own.
- Contact Doctor Web's technical support. When filing a request, select Request for curing. This service is provided free of charge.
- Attach a .doc or .txt file encrypted by the Trojan to the ticket.
- Wait for a response from a virus analyst. Due to the large number of requests it may take some time.
Technical information
Malicious functions:
Executes the following:
- <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.hdmp 16325836412027092
- <SYSTEM32>\rundll32.exe <SYSTEM32>\sysdm.cpl,NoExecuteProcessException %WINDIR%\explorer.exe
- <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.mdmp 16325836412027072
Modifies file system: creates the following files:
A full list of files which are modified by this Trojan, and Registry keys which are created or modified, can be found at
- scroll down to about two-thirds of the way down the webpage to find the list.
After running the fix from Dr Web you will need to run Malwarebytes or a similar program to remove the traces of infection. I don't know whether Stinger would clean these traces, but you might want to give that a try first: I do know that Malwarebytes cleans this infection.
One point to note is that the fix supplied by Dr Web seems designed only to work on the local file system. The Trojan may infect files on other drives -
The biggest problem with this trojan is the fact that it encrypts files on fileshares.
One of the Google forum posters has a solution if that has happened:
I hope this information is useful to you. Let us know if you manage to recover all the files and clean your system/network.
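The post above names TEA as the cipher, which is why decryption is straightforward once the key is known. The following is an added example written for this thread, not code from the original posts, from Dr Web's utility or from the Trojan itself: a standard TEA implementation (64-bit block, 128-bit key, 32 cycles) plus a small file-level wrapper. The ECB-style chaining, the PKCS#7 padding and the sample key and text are assumptions for illustration only; nothing in the thread says how this variant chains blocks or derives its key.

```python
"""TEA block cipher with a minimal file-level wrapper.

Added example for the thread above, not the Trojan's code or a vendor tool.
Block cipher: standard TEA (David Wheeler / Roger Needham), 64-bit block,
128-bit key, 32 cycles = 64 Feistel rounds.
ASSUMPTIONS: ECB chaining of 8-byte blocks and PKCS#7 padding are chosen
here for illustration; the thread does not describe the Trojan's mode.
"""
import struct

DELTA = 0x9E3779B9      # TEA key-schedule constant (derived from the golden ratio)
MASK = 0xFFFFFFFF       # keep Python ints at 32 bits, as in the C reference
CYCLES = 32             # standard TEA: 32 cycles (64 rounds)


def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block given as two 32-bit words; key is four 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: the same schedule run backwards with subtraction."""
    k0, k1, k2, k3 = key
    s = (DELTA * CYCLES) & MASK          # value of s after the last encryption cycle
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _key_words(key16):
    """Split a 16-byte key into four little-endian 32-bit words."""
    if len(key16) != 16:
        raise ValueError("TEA key must be exactly 16 bytes")
    return struct.unpack("<4I", key16)


def tea_encrypt_bytes(data, key16):
    """ECB over 8-byte blocks with PKCS#7 padding (assumed mode, see module docstring)."""
    key = _key_words(key16)
    pad = 8 - (len(data) % 8)            # always 1..8 bytes of padding
    data = data + bytes([pad]) * pad
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def tea_decrypt_bytes(blob, key16):
    """Reverse of tea_encrypt_bytes; a wrong key almost always shows up as bad padding."""
    key = _key_words(key16)
    if len(blob) == 0 or len(blob) % 8:
        raise ValueError("ciphertext length must be a non-zero multiple of 8")
    out = bytearray()
    for off in range(0, len(blob), 8):
        v0, v1 = struct.unpack_from("<2I", blob, off)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, key))
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted data")
    return bytes(out[:-pad])


if __name__ == "__main__":
    # Constructed sample input: a short "document" and an arbitrary 16-byte key.
    KEY = b"0123456789abcdef"
    plaintext = b"Quarterly figures, do not distribute."
    ciphertext = tea_encrypt_bytes(plaintext, KEY)
    assert tea_decrypt_bytes(ciphertext, KEY) == plaintext
    print(ciphertext.hex())
```

The point for the recovery scenario in this thread: with TEA the whole difficulty is obtaining the 128-bit key, which is why the advice above is to send an encrypted sample to the vendor rather than to attempt recovery yourself. Once the key is known, the inverse is a few lines, and a padding failure on decryption is a cheap first check that the key or the assumed mode is wrong.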
I see you got tired of waiting and found the fix for yourself while I was away. I take it the "third party" was Dr Web?
McAfee lists 14 variants of "GpCoder" but gives no clue which of the 14 this one is. Presumably the Trojan is detectable, although if it is being repeatedly modified there is always a risk that a new version will not be detected. I would expect detection of this Trojan to be included in Stinger.
And this thread belongs in Top Threats, so I've moved it back there.
The issue we are having is that we are unable to detect the virus. We have blocked it by creating an access protection rule, but we would need to have an extra DAT from McAfee so that the files are detected and cleaned.