Detection date: 4/7/2008
Threat: virus
Technical details: The Gpcode.ak malware encrypts files on the infected computer. It is a Windows PE EXE file, 8030 bytes in size.

How it works
When launched, the virus creates the following mutex in memory to mark its presence on the system: _G_P_C_. (A mutex is a programming flag used to acquire and release an object.)
It then starts continuously scanning all logical disks in order to encrypt the files on them. It encrypts all user files with the extensions listed in the table below:
7z abk abd acad arh arj ace arx asm bz bz2 bak bcb c cc cdb cdw cdr cer cgi chm cnt cpp css csv db db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbt dbm dbo dbq dbx Djvu doc dok dpr dwg dxf ebd eml eni ert fax flb frm frt frx frg gtd gz gzip gfa gfr gfd h inc igs iges jar jad Java jpg jpeg Jfif jpe js jsp hpp htm html key kwm Ldif lst lsp lzh lzw ldr man mdb mht mmf mns mnb mnu mo msb msg mxl old p12 pak pas pdf pem pfx php php3 php4 pl prf pgp prx pst pw pwa pwl pwm pm3 pm4 pm5 pm6 rar rmr rnd rtf Safe sar sig sql tar tbb tbk tdf tgz txt uue vb vcf wab xls xml
Files in the Program Files folder, and the files listed below, are not encrypted:
Files with the "system" and "hidden" attributes;
Files smaller than 10 bytes;
Files larger than 734003200 bytes.
The virus uses Microsoft Enhanced Cryptographic Provider v1.0 (included in Windows) to encrypt the files. The files are encrypted with the RC4 algorithm. The encryption key is then itself encrypted with a 1024-bit RSA public key contained in the body of the virus.
The RSA algorithm divides encryption keys into two kinds, public and private. Only the public key is needed to encrypt a message; an encrypted message can only be decrypted with the private key.
The virus creates an encrypted copy of every original file. The encrypted copy keeps the original file name with _CRYPT appended to the end.
For example:
WaterLilles.jpg: original file
WaterLilles.jpg._CRYPT: encrypted file
The original file is then deleted.
The virus leaves a file named "!_READ_ME_!.txt" in every folder that contains encrypted files. This file has the following contents:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com
=== BEGIN ===
[key]
=== END ===
Once it has run, the virus creates a VBS file that deletes the virus body from the victim's computer and displays a MessageBox on screen.
The virus does not register itself in the system registry.

Remediation instructions
At this time, files encrypted by Gpcode cannot be decrypted. However, you can still use PhotoRec to recover the original files that Gpcode deleted after creating the encrypted copies.

Restoring files
This utility can recover Microsoft Office documents, executable files, PDF and TXT documents, and more. Here is the list of supported file formats.
PhotoRec is part of TestDisk. The latest version of TestDisk, which includes PhotoRec, can be found here.
Below are detailed instructions on how to recover the deleted files with PhotoRec:
Select the target disk for PhotoRec to search for files and press ENTER to continue:
If you have several disks in the system, perform this step for each disk (that is, after recovering files from one disk, repeat the same process for the next one).
If the disk has several partitions, repeat this step for each partition.
The root directory shows which drives the system has. Select the appropriate removable (or network) drive and the folder in which you want to save the recovered files. Choose an external drive, i.e. not a drive on the infected machine, because the deleted files could otherwise be damaged.
Before recovering the files, create a separate folder on the drive (for example "recovered") and choose to save the recovered files into that folder, to avoid errors after recovery. Once you have chosen the folder, press "Y".
After pressing "Y", you will see the file recovery process start. It takes a little time to complete.
Wait for the process to finish before moving on to the next step.
The recovered files are now on your external drive. When you open the folder containing the recovered files, you will see that their names do not match the original names on the old hard disk.
This is due to the way PhotoRec works, so do not panic when you see it. In addition, although the utility can recover the contents of the files, it cannot determine their original locations.
To complete the recovery, we created a free utility called StopGpcode that sorts and renames the recovered files.
On another computer, download the StopGpcode utility and copy it to a USB drive.
Plug this USB drive into the infected computer and open the Windows Command Prompt via START | PROGRAMS | ACCESSORIES.
Switch to the USB drive by typing its drive letter, for example W:.
Then run the utility from the command line by typing the following command:
STOPGPCODE -r -i -o
For example: STOPGPCODE -r W:\RECOVERED -i ?:\ -o W:\SORTED
The utility processes the whole disk and compares the sizes of the encrypted and the recovered files. It uses the file size to determine the original location and name of each recovered file.
The utility detects the correct name and location of each file, recreating the original folders and the file names inside them. If it cannot determine a file's original name, that file is saved in a folder named "conflicted".
You can download StopGpcode here.

Decrypting files with StopGpcode2
Some files encrypted by Gpcode.ak can be decrypted without the RSA private key. They can be decrypted with the following steps:
Find all encrypted files with the ._CRYPT extension on the victim's computer and copy them to a removable storage device, into a folder named "encrypted".
Follow the instructions in "Restoring files" and save the recovered files, with their correctly restored names, on the removable drive in a folder named "backup".
Match unencrypted copies of the files with the encrypted versions in the "encrypted" folder. You may find unencrypted versions of the files in one of your backups. If photos were lost, a copy may still be on the camera's memory card. Often, copies of the encrypted files can be obtained from network resources. Find the files you need and copy them into the folder named "backup".
Note: make sure that the files saved in the "backup" folder have the same names as their counterparts in the "encrypted" folder, differing only by the ._CRYPT extension.
Create a folder named "decrypted" where the decrypted files will be saved. Download the StopGpcode2 tool, which can decrypt these files.
Launch StopGpcode2 from the command prompt (Start > Run > cmd.exe), giving the full paths to the "encrypted", "backup" and "decrypted" folders. For example, if the tool and the folders are in the root of drive E:, run:
e:\stopgpcode2.exe e:\encrypted e:\backup e:\decrypted
When the program runs, you will see the tool start decrypting your files.
Note: the tool may not be able to decrypt all of the files. In that case it will report the problem to you.
Also, do not test the tool on a virtual machine. Results obtained on a virtual machine differ greatly from those on real machines.
(QTM-Listvirus)
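The size-based matching that the StopGpcode section above describes, as an added Python example that is not StopGpcode's own code: it indexes every ._CRYPT file on the disk by size, copies a recovered file to its original path only when that size belongs to exactly one encrypted file and exactly one recovered file, and sends anything ambiguous or unmatched to a "conflicted" folder. It assumes a ._CRYPT copy is exactly as long as the original (RC4 is a stream cipher and adds no padding); the sample tree built in demo() is constructed.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

CRYPT_SUFFIX = "._CRYPT"

def index_encrypted(disk_root):
    """Map size -> original relative path of every <name>._CRYPT under disk_root (suffix stripped)."""
    disk_root = Path(disk_root)
    by_size = defaultdict(list)
    for enc in disk_root.rglob("*" + CRYPT_SUFFIX):
        original = enc.relative_to(disk_root).with_name(enc.name[:-len(CRYPT_SUFFIX)])
        by_size[enc.stat().st_size].append(original)
    return by_size

def sort_recovered(recovered_dir, disk_root, output_dir):
    """Copy each PhotoRec output file to output_dir under its original path when its size
    matches exactly one encrypted file and no other recovered file; otherwise to conflicted/."""
    encrypted = index_encrypted(disk_root)
    recovered = defaultdict(list)
    for rec in Path(recovered_dir).iterdir():
        if rec.is_file():
            recovered[rec.stat().st_size].append(rec)
    placed, conflicted = {}, []
    for size, files in recovered.items():
        candidates = encrypted.get(size, [])
        for rec in files:
            if len(files) == 1 and len(candidates) == 1:
                dest = Path(output_dir) / candidates[0]
                placed[rec.name] = candidates[0].as_posix()
            else:  # unmatched, or several files share this size: do not guess
                dest = Path(output_dir) / "conflicted" / rec.name
                conflicted.append(rec.name)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(rec.read_bytes())
    return placed, sorted(conflicted)

def demo():
    """Constructed sample: three ._CRYPT files on a fake disk, four PhotoRec outputs."""
    root = Path(tempfile.mkdtemp())
    disk, rec, out = root / "disk", root / "recovered", root / "sorted"
    for rel, size in [("photos/WaterLilles.jpg", 300), ("docs/report.doc", 120),
                      ("docs/notes.txt", 120)]:  # two 120-byte files: ambiguous on purpose
        enc = disk / (rel + CRYPT_SUFFIX)
        enc.parent.mkdir(parents=True, exist_ok=True)
        enc.write_bytes(b"\xaa" * size)
    rec.mkdir()
    for name, size in [("f1.jpg", 300), ("f2.doc", 120), ("f3.txt", 120), ("f4.bin", 50)]:
        (rec / name).write_bytes(b"\x00" * size)
    return sort_recovered(rec, disk, out)
```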