10 Replies Latest reply on May 22, 2012 7:07 AM by SamSwift

    Malware undetectable (Trojan GpCoder - ransomware)

      hi,

       

      Our client's network was infected with a virus which is still undetectable by any of the major vendors. The characteristics are: all the Excel, .jpg, .wmv and many more files get changed. For example, if a file is named Mcafee.xlsx, once the virus has infected it, the name of the file changes to Mcafee.xlsx.EnciPhEdEd. The file also becomes unusable. We will have to use a third-party utility to decrypt the file.

       

      Has any of you had the same issue, or do we have any Extra DAT? I have sent many samples to McAfee support but to no use. McAfee Gold support is not good; they do not respond either.

       

       

      Message was edited by: Hayton - modifying subject header to clarify which malware is involved - on 20/05/12 05:44:55 IST
        • 1. Re: Malware undetectable

          Also, this is a new variant of the virus W32.GPCOder.

          • 2. Re: Malware undetectable
            Hayton

            This is a known Trojan, decryption of the files should be relatively simple. I'll check that the method still works and will post again later.

            • 3. Re: Malware undetectable
              exbrit

              Moved to Corporate User Assistance just in case....

              • 4. Re: Malware undetectable

                Hello Hayton,

                 

                I was able to decrypt the infected files using a third-party utility. But till now I am unable to detect the virus. The customer is expecting an Extra DAT from McAfee so that the virus can be detected. I have run the GetSusp tool but nothing specific was found.

                • 5. Re: Malware undetectable

                  Hello,

                   

                  We have blocked the virus by creating an Access Protection rule. But we would want to get it detected by McAfee.

                  • 6. Re: Malware undetectable
                    Hayton

                    Symantec calls this Trojan.GpCoder; Dr Web calls it Trojan.Encoder.94; Trendmicro calls it Troj_Ransom.BXA; McAfee probably calls it GpCoder-dot-something.

                     

                    The encryption is not over-complicated: it's TEA.

                     

                    There's a full analysis of an earlier version of this, complete with source code, at

                    http://xylibox.blogspot.co.uk/2011/01/gpcode-ransomware-2010-simple-analysis.html

                     


                    The first fix provided for this variant may not work if the encryption has changed, so the best advice I can give is for you to contact the Russian company which has been providing the fixes and submit a sample file for analysis. They will then provide you with the key to decrypt the files.

                     

                    Advice from the Google forum discussion thread at https://productforums.google.com/forum/#!topic/gmail/qo0xd0MM1Z8:

                    (Screenshot: Trojan.Encoder - Google Groups)

                    That email address above is https://vms.drweb.com/sendvirus/?lng=en

                     

                    Dr Web have a page on Trojan.Encoder.94 at http://news.drweb.com/show/?i=2356&lng=en&c=14 :

                     

                    To minimize the damage from an infection by Trojan.Encoder.94, Doctor Web recommends users to back up all the files they need for their work. If your files have been compromised by the Trojan, use the following guidelines to avoid possible data losses:

                    • Never attempt to solve the problem by reinstalling the operating system.
                    • Do not delete any files from the hard drives.
                    • Do not try to restore the encrypted data on your own.
                    • Contact Doctor Web's technical support. When filing a request, select Request for curing. This service is provided free of charge.
                    • Attach a .doc or .txt file encrypted by the Trojan to the ticket.
                    • Wait for a response from a virus analyst. Due to the large number of requests it may take some time.

                     

                    http://vms.drweb.com/virus/?i=1733220

                    Technical Information

                     

                    Malicious functions:

                     

                    Executes the following:

                    • <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.hdmp 16325836412027092
                    • <SYSTEM32>\rundll32.exe <SYSTEM32>\sysdm.cpl,NoExecuteProcessException %WINDIR%\explorer.exe
                    • %WINDIR%\explorer.exe
                    • <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.mdmp 16325836412027072

                    Modifies file system:

                     

                    Creates the following files:
                    • %TEMP%\WER9c75.dir00\appcompat.txt
                    • %TEMP%\WER9c75.dir00\manifest.txt
                    • %TEMP%\WER9c75.dir00\explorer.exe.mdmp
                    • %TEMP%\WER9c75.dir00\explorer.exe.hdmp

                     

                    A full list of files which are modified by this Trojan, and Registry keys which are created or modified, can be found at

                    http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-VRC/detailed-analysis.aspx

                    - scroll down to about two-thirds of the way down the webpage to find the list.

                     

                    After running the fix from Dr Web you will need to run a Malwarebytes or a similar program to remove the traces of infection. I don't know whether Stinger would clean these traces, but you might want to give that a try first : I do know that Malwarebytes cleans this infection.

                     

                    One point to note is that the fix supplied by Dr Web seems designed only to work on the local file system. The Trojan may infect files on other drives -

                    http://www.symantec.com/connect/articles/custom-ips-block-trojangpcoder-ransom-trojan :

                     

                    The biggest problem with this trojan is the fact that it encrypts files on fileshares.

                     

                    One of the Google forum posters has a solution if that has happened:

                    (Screenshot: User sends extortion claim after hyjacking a server - Google Groups)

                     

                    I hope this information is useful to you. Let us know if you manage to recover all the files and clean your system/network.

                     

                    Message was edited by: Hayton on 20/05/12 05:30:29 IST
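An added triage example, not posted by anyone in this thread: it inventories files carrying the .EnciPhEdEd suffix the original poster describes, grouped by original extension and by location, so that hits on file shares (the problem raised in the Symantec article) show up separately from the local disk. The sample path list is constructed; only the suffix comes from the thread.

```python
import os
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Suffix the poster reports being appended to every encrypted file
# (e.g. Mcafee.xlsx -> Mcafee.xlsx.EnciPhEdEd).
RANSOM_SUFFIX = ".EnciPhEdEd"


def original_name(path: str) -> str:
    """Return the pre-encryption file name, or '' if the path lacks the suffix."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]  # handles Windows and UNC paths
    if not base.lower().endswith(RANSOM_SUFFIX.lower()):
        return ""
    return base[: -len(RANSOM_SUFFIX)]


def location_of(path: str) -> str:
    """Top-level location: \\\\server\\share for UNC paths, drive letter otherwise."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        parts = p[2:].split("\\")
        return "\\\\" + "\\".join(parts[:2])
    return p[:2] if len(p) > 1 and p[1] == ":" else "(relative)"


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise which paths are encrypted, by original extension and by location."""
    hits: List[Tuple[str, str]] = []
    by_ext: Counter = Counter()
    by_root: Counter = Counter()
    for p in paths:
        orig = original_name(p)
        if not orig:
            continue
        hits.append((p, orig))
        by_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
        by_root[location_of(p)] += 1
    return {"hits": hits, "by_ext": dict(by_ext), "by_root": dict(by_root)}


def scan(roots: Iterable[str]) -> Dict[str, object]:
    """Walk real directories (local drives or mounted shares) and triage the listing."""
    paths = (os.path.join(d, f) for r in roots for d, _, fs in os.walk(r) for f in fs)
    return triage(paths)


# Constructed sample listing for demonstration; not taken from the thread.
SAMPLE = [
    r"C:\Users\acct\Documents\Mcafee.xlsx.EnciPhEdEd",
    r"C:\Users\acct\Documents\budget.xlsx",
    r"C:\Users\acct\Pictures\holiday.jpg.EnciPhEdEd",
    r"\\fileserver\finance\Q1.xlsx.EnciPhEdEd",
    r"\\fileserver\finance\intro.wmv.EnciPhEdEd",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run `scan([r"C:\Users", r"\\fileserver\finance"])` against real roots to get the same summary for a live system; the output tells you which shares need the fix applied as well as the local disk.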
                    • 7. Re: Malware undetectable
                      Hayton

                      I see you got tired of waiting and found the fix for yourself while I was away. I take it the "third party" was Dr Web?

                       

                      McAfee lists 14 variants of "GpCoder" but gives no clue which of the 14 this one is. Presumably the Trojan is detectable, although if it is being repeatedly modified there is always a risk that a new version will not be detected. I would expect detection of this Trojan to be included in Stinger.

                      • 8. Re: Malware undetectable
                        Hayton

                        And this thread belongs in Top Threats, so I've moved it back there.

                        • 9. Re: Malware undetectable

                          The issue we are having is that we are unable to detect the virus. We have blocked it by creating an Access Protection rule, but we would need to have an Extra DAT from McAfee so that the files are detected and cleaned.
