Gpcode.NAA Trojan encrypts PC files
This Trojan is generally found on P2P file-sharing networks, and it does not reproduce the way a virus does. It has no engine for sending itself as an e-mail attachment; however, it can be distributed through spam and from malicious sites on the Internet.


Letting a Trojan like this operate on a PC for a long time can have seriously negative, even irreversible, consequences; in some cases it will be necessary to reinstall the OS, since that may be the only way to re-establish control and stability of the PC. Once this Trojan is detected on the PC, it is necessary to run an antivirus, which must be kept constantly updated so that it can detect and eliminate the malware.

When executed for the first time, it encrypts files with the following extensions:

.12m
.3ds
.3dx
.4ge
.4gl
.ace
.akf
.ask
.bb
.bcp
.bdb
.bh
.bib
.bsa
.cob
.col
.cpp
.cpt
.dbe
.dbf
.dbx
.dic
.dif
.dm
.dmd
.doc
.dok
.eps
.exp
.frt
.frx
.hog
.htm
.html
.htx
.ice
.icf
.ihtml
.ish
.jar
.jsp
.txt
.vp
.xcr
.xls
.xml
.zip

The way to return these files to their original state is to use the system restore or backup functions. Gpcode.NAA searches all shared network resources and hard drives of the infected PC to find files that can be encrypted.


To avoid running more than once in memory, Gpcode.NAA creates a mutex (an indicator object):
ENCODER_V1.1

Any folder that contains one of the encrypted files will have a Readme.txt with this message:

Some files are coded by RSA method.
To buy a decoder e-mail: [???]
with subject:

It modifies entries in the registry so that it starts together with Windows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
services = "[complete path and executable name]"

The following entries are created to control its activities:

HKEY_CURRENT_USER\Software\Microsoft\Sysinf
cur_not_done = [number of codified files]

Gpcode.NAA creates a file in the Windows temporary folder to keep the list of files and folders with write permission that it found on the compromised PC:

AUTOSAVE.IN
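
The indicators listed above (the Run value, the Sysinf key, AUTOSAVE.IN and the Readme.txt note) can be checked offline against artifacts collected from a suspect PC. The following is an added example, not code from the original article; it assumes the registry was collected as `reg query` text output, and the function names, sample paths and sample values are constructed for illustration.

```python
import re

# Indicators exactly as listed in the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SYSINF_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Sysinf"
NOTE_TEXT = "some files are coded by rsa method"
TEMP_FILE = "autosave.in"
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text output into {KEY_PATH: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(3).strip()
    return keys

def gpcode_naa_findings(reg_text, temp_files, readmes):
    """Return (indicator, detail) pairs; any hit means the host needs triage."""
    keys, hits = parse_reg_query(reg_text), []
    run = keys.get(RUN_KEY.upper(), {})
    if "services" in run:  # autostart value named "services"
        hits.append(("run-key", run["services"]))
    sysinf = keys.get(SYSINF_KEY.upper())
    if sysinf is not None:  # key holding the cur_not_done counter
        hits.append(("sysinf-key", sysinf.get("cur_not_done", "")))
    hits += [("temp-file", f) for f in temp_files if f.lower() == TEMP_FILE]
    hits += [("ransom-note", p) for p, body in readmes.items()
             if NOTE_TEXT in body.lower()]
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sync Client    REG_SZ    C:\Example\sync.exe /background
    services    REG_SZ    C:\Example\placeholder.exe

HKEY_CURRENT_USER\Software\Microsoft\Sysinf
    cur_not_done    REG_DWORD    0x2a
"""
SAMPLE_TEMP = ["AUTOSAVE.IN", "setup.log"]
SAMPLE_READMES = {r"D:\docs\Readme.txt": "Some files are coded by RSA method.\n",
                  r"D:\src\Readme.txt": "Build instructions\n"}

if __name__ == "__main__":
    for hit in gpcode_naa_findings(SAMPLE_REG, SAMPLE_TEMP, SAMPLE_READMES):
        print(hit)
```

The ENCODER_V1.1 mutex exists only while the process is running, so it is not covered by this offline check.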

Copyright © 2006 Eazel. All rights reserved.