Softpedia
June 17th, 2008, 14:33 GMT · By

1,024-Bit Encrypting Malware Rendered Useless by Freeware Tool

A freeware file recovery tool is enough to neutralize an otherwise unbreakable piece of malware that encrypts files on compromised computers with a 1,024-bit RSA key and holds them hostage until the user agrees to pay the attacker for the decryption tool. Detected as Win32/Gpcode.G by Microsoft, Trojan.Gpcoder by Symantec and Gpcode.ak by Kaspersky, the malicious code is a ransomware trojan. Kaspersky Lab acknowledged that breaking the encryption itself is not feasible, but that with a 71.2 KB freeware application dubbed StopGpcode, all the encrypted files can be recovered without problems.

"The trojan encrypts all user files (for example, with extensions .txt, .doc, .jpg, .pdf, .chm, .htm, .cpp, .h amongst others) on the infected computer. The encrypted files are saved by appending '_crypt' to the original file name whilst the original files are permanently deleted," said Dan Nicolescu of the Microsoft Malware Protection Center.

This is precisely the weak point of the Gpcode trojan: the deleted originals can be recovered, provided that the hard drive has not been modified since the infection. Russian antivirus maker Kaspersky identified a possible solution in the free PhotoRec utility, written by Christophe Grenier. For the time being, the utility delivered by Kaspersky does provide a way to recover the affected files from compromised computers, but end users should still take precautions, because the 1,024-bit encryption itself is virtually unbreakable given the financial resources and time that decrypting it would involve.

"The PhotoRec utility performs the function of recovering files on a selected partition remarkably well. However, restoring the exact file names and paths remains a problem. To address this issue, Kaspersky Lab has developed a small free utility, StopGpcode (ZIP file, 71.2 KB), which restores original file names and the full paths of the files recovered," a member of Kaspersky Lab noted.
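The two quotes above describe the whole recovery chain: the trojan leaves a `<name>_crypt` copy for every file it encrypts (so the original name and full path survive on disk), a carver such as PhotoRec brings back the deleted originals but without names, and a second step has to pair the carved files with those paths. The script below is an added illustration of that second step; it is not StopGpcode and not code from Kaspersky or Softpedia. Only the `_crypt` suffix and the deleted-original behaviour come from the article; the directory listing, the carved file names and the pairing rule (pair a carved file with an original only when both are the sole file of their extension, report everything else as ambiguous) are constructed assumptions for the example. Run it against a listing taken from a read-only image, since writing to the affected disk is what destroys the recoverable originals.

```python
"""Triage a Gpcode-style infection and draft a name/path map for carved files.

Added example, not Kaspersky's StopGpcode. Suffix and deletion behaviour per the
article; listing, carved names and the pairing heuristic are constructed.
"""
import os
from collections import defaultdict

CRYPT_SUFFIX = "_crypt"  # article: '<original name>' + '_crypt'


def is_crypt_file(path):
    """True for 'report.doc_crypt'-style names, False for everything else."""
    name = os.path.basename(path)
    return name.endswith(CRYPT_SUFFIX) and len(name) > len(CRYPT_SUFFIX)


def original_path(crypt_path):
    """Strip the appended suffix: 'C:/docs/report.doc_crypt' -> 'C:/docs/report.doc'."""
    if not is_crypt_file(crypt_path):
        raise ValueError(f"not a {CRYPT_SUFFIX} file: {crypt_path}")
    return crypt_path[: -len(CRYPT_SUFFIX)]


def triage(listing):
    """Inventory the encrypted files from a directory listing of the image.

    Returns (by_ext, surviving): by_ext maps each original extension to the
    sorted original paths recovered from the _crypt names; surviving lists
    originals that still sit next to their _crypt copy, i.e. files the trojan
    did not manage to delete and that need no carving at all.
    """
    present = set(listing)
    by_ext = defaultdict(list)
    surviving = []
    for path in present:
        if not is_crypt_file(path):
            continue
        orig = original_path(path)
        by_ext[os.path.splitext(orig)[1].lower()].append(orig)
        if orig in present:
            surviving.append(orig)
    return {ext: sorted(v) for ext, v in by_ext.items()}, sorted(surviving)


def propose_names(by_ext, carved):
    """Pair carved files with original paths (constructed rule, see lead-in).

    carved maps a carver's output name to the extension it detected ('.pdf').
    Returns (assignments, ambiguous): assignments maps carved name -> original
    path where the pairing is unique; ambiguous maps extension -> (originals,
    carved candidates) where a human or a stronger signal must decide.
    """
    carved_by_ext = defaultdict(list)
    for name, ext in carved.items():
        carved_by_ext[ext.lower()].append(name)
    assignments, ambiguous = {}, {}
    for ext, originals in by_ext.items():
        candidates = sorted(carved_by_ext.get(ext, []))
        if len(originals) == 1 and len(candidates) == 1:
            assignments[candidates[0]] = originals[0]
        elif candidates:
            ambiguous[ext] = (originals, candidates)
    return assignments, ambiguous


# Constructed sample listing of an infected profile (not real data).
SAMPLE_LISTING = [
    "C:/Users/ana/Documents/report.doc_crypt",
    "C:/Users/ana/Documents/notes.txt_crypt",
    "C:/Users/ana/Documents/notes.txt",        # original the trojan failed to delete
    "C:/Users/ana/Pictures/holiday.jpg_crypt",
    "C:/Users/ana/Pictures/family.jpg_crypt",
    "C:/Users/ana/Downloads/manual.pdf_crypt",
    "C:/Windows/System32/kernel32.dll",        # untouched system file
]

# Constructed carver output: nameless files labelled only by detected type.
SAMPLE_CARVED = {
    "f0001.doc": ".doc",
    "f0002.jpg": ".jpg",
    "f0003.jpg": ".jpg",
    "f0004.pdf": ".pdf",
}

if __name__ == "__main__":
    by_ext, surviving = triage(SAMPLE_LISTING)
    assignments, ambiguous = propose_names(by_ext, SAMPLE_CARVED)
    print("encrypted files per extension:", {e: len(v) for e, v in by_ext.items()})
    print("originals still present:", surviving)
    print("unique restores:", assignments)
    print("needs manual review:", ambiguous)
```

On the sample data the `.doc` and `.pdf` carvings get their paths back, `notes.txt` needs no carving because its original survived, and the two `.jpg` files are reported for manual review rather than guessed, which is the behaviour a responder wants from a tool that renames evidence.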

Kaspersky StopGpcode is available for download here.
