The Gpcode.ak virus and how to remove it

Date discovered: 4/7/2008

Threat type: virus

Technical details: The malicious program Gpcode.ak encrypts files on the infected computer. It is a Windows PE EXE file, 8030 bytes in size.

How it works

When launched, the virus creates the following mutex in memory to mark its presence in the system: _G_P_C_. (A mutex is a programming flag used to acquire and release an object.)
It then starts scanning all logical disks continuously in order to encrypt the files on them. It encrypts all user files with the extensions listed in the table below:

7z abk abd acad
arh arj ace arx
asm bz bz2 bak
bcb c cc cdb
cdw cdr cer cgi
chm cnt cpp css
csv db db1 db2
db3 db4 dba dbb
dbc dbd dbe dbf
dbt dbm dbo dbq
dbx Djvu doc dok
dpr dwg dxf ebd
eml eni ert fax
flb frm frt frx
frg gtd gz gzip
gfa gfr gfd h
inc igs iges jar
jad Java jpg jpeg
Jfif jpe js jsp
hpp htm html key
kwm Ldif lst lsp
lzh lzw ldr man
mdb mht mmf mns
mnb mnu mo msb
msg mxl old p12
pak pas pdf pem
pfx php php3 php4
pl prf pgp prx
pst pw pwa pwl
pwm pm3 pm4 pm5
pm6 rar rmr rnd
rtf Safe sar sig
sql tar tbb tbk
tdf tgz txt uue
vb vcf wab xls
xml
The virus uses the Microsoft Enhanced Cryptographic Provider v1.0 (included in Windows) to encrypt the files. Files are encrypted with the RC4 algorithm. The encryption key is then itself encrypted with a 1024-bit RSA public key stored in the body of the virus.
The RSA algorithm splits encryption keys into two kinds, public and private. Only the public key is needed to encrypt messages; a message encrypted this way can only be decrypted with the private key.
The virus creates an encrypted copy of every original file. The encrypted copy keeps the original file name with _CRYPT appended to the end.
For example:
WaterLilles.jpg (original file)
WaterLilles.jpg._CRYPT (encrypted file)

The original file is then deleted.

The virus leaves a file named "!_READ_ME_!.txt" in every folder that contains encrypted files. This file has the following contents:

Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at: [censored]@yahoo.com

=== BEGIN ===

[key]

=== END ===

Files in the Program Files folder, and the following files, are not encrypted:

  • files with the "system" and "hidden" attributes;

  • files smaller than 10 bytes;

  • files larger than 734003200 bytes.

Once the virus has run, it creates a VBS file that deletes the virus's own body from the victim's computer and displays a message box on the screen.

The virus does not register itself in the system registry.

Remediation guide

Restoring files

At present, files encrypted by Gpcode cannot be decrypted. However, you can still use PhotoRec to recover the original files that Gpcode deleted after creating the encrypted versions.
This utility is used to recover Microsoft Office documents, executable files, PDF and TXT documents, and so on. The list of supported file formats is available here.
PhotoRec is part of TestDisk. The latest version of TestDisk, including PhotoRec, can be found here.

Below are detailed instructions for recovering deleted files with PhotoRec:
  • Use another, clean computer to download TestDisk, which includes PhotoRec.

  • Save PhotoRec to an external drive and connect that drive to the infected computer (Gpcode.ak cannot spread to it and deletes itself after running).

  • Run PhotoRec (the file photorec_win.exe, located in the win folder of TestDisk).

  • Select the target disk for PhotoRec to search for files and press ENTER to continue.

If you have several disks in the system, perform this step for each disk (that is, after recovering files from one disk, repeat the process for the next one).

  • Select the partition table type (typically 'Intel') and press ENTER to continue.

  • Select the partition from which you want to recover files and press ENTER to continue.

If the disk has several partitions, repeat this step for each partition.

  • Select the file system type (Windows users should choose 'Other') and press ENTER to continue.

  • Select where to search for deleted files and press ENTER to continue. Choose 'Whole' to search the entire disk for deleted files.

  • PhotoRec asks you to specify a destination folder for the recovered files. Use PhotoRec's file browser to move to the root folder (by selecting ".." and pressing ENTER).

The root folder shows which drives the system has. Select the appropriate removable (or network) drive and the folder in which you want to save the recovered files. Choose an external drive, i.e. do not choose a drive on the infected machine, since the deleted files could otherwise be damaged.
Before recovering files, create a separate folder on the drive (for example "recovered") and choose to save the recovered files into it, to avoid errors after recovery. Once you have chosen the folder, press "Y".

After pressing "Y", you will see the file recovery process start. It takes some time to run.

Wait for the process to finish before moving on to the next step.

  • The recovered files are now on your external drive. When you open the folder containing them, you will see that the file names do not match the original names on the old hard drive.

Your file names will look like this:

This is simply how PhotoRec works, so there is no need to panic. In addition, although the utility can recover the contents of the files, it cannot determine their original locations.
To complete the recovery, we have created a free utility called StopGpcode to sort and rename the recovered files.

  • On another computer, download the Stopgpcode utility and copy it to a USB drive.

  • Plug this USB drive into the infected computer and open the Windows Command Prompt via START | PROGRAMS | ACCESSORIES.

  • Switch to the USB drive by typing its drive letter, for example W:.

  • Then run the utility from the command line with the following command:

    STOPGPCODE -r <folder with recovered files> -i <disk with encrypted files> -o <output folder>

    for example: STOPGPCODE -r W:\RECOVERED -i <infected drive>:\ -o W:\SORTED

The utility processes the whole disk and compares the sizes of the encrypted and recovered files. The program uses the file size to determine the original location and name of each recovered file.
The utility works out the correct name and location of each file and recreates the original folders and the file names inside them. If the utility cannot determine a file's original name, that file is saved into a folder named "conflicted".

You can download Stopgpcode here.
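The following Python is an added example, not Kaspersky's StopGpcode code: it reproduces the matching rule the page describes, pairing PhotoRec output names with ._CRYPT copies by file size and sending ambiguous matches to "conflicted". All paths and sizes are constructed sample input.

```python
# Added example (not Kaspersky's StopGpcode): pair PhotoRec-recovered files
# with ._CRYPT copies by size, the rule the page says StopGpcode applies.
# RC4 is a stream cipher, so every ._CRYPT copy is exactly as large as its original.
CRYPT_SUFFIX = "._CRYPT"

# Constructed sample input (forward slashes so the example runs on any OS):
# path of each ._CRYPT file found on the infected disk -> size in bytes
SAMPLE_ENCRYPTED = {
    "C:/Docs/report.doc._CRYPT": 24576,
    "C:/Pics/WaterLilles.jpg._CRYPT": 81920,
    "C:/Pics/beach.jpg._CRYPT": 81920,   # same size as WaterLilles.jpg: ambiguous
}
# PhotoRec output name -> size in bytes (PhotoRec names carry no original path)
SAMPLE_RECOVERED = {
    "f0001.doc": 24576,
    "f0002.jpg": 81920,
    "f0003.jpg": 81920,
    "f0004.txt": 512,                    # no ._CRYPT copy of this size exists
}

def sort_recovered(encrypted, recovered):
    """Return (placed, conflicted).
    placed maps a recovered name to the original path it belongs at;
    conflicted lists recovered names whose size matched no ._CRYPT file or
    several, the case the page says StopGpcode puts in a "conflicted" folder."""
    enc_by_size, rec_by_size = {}, {}
    for path, size in encrypted.items():
        enc_by_size.setdefault(size, []).append(path)
    for name, size in recovered.items():
        rec_by_size.setdefault(size, []).append(name)
    placed, conflicted = {}, []
    for size, names in rec_by_size.items():
        paths = enc_by_size.get(size, [])
        # Only a one-to-one size match is safe to act on.
        if len(names) == 1 and len(paths) == 1 and paths[0].endswith(CRYPT_SUFFIX):
            placed[names[0]] = paths[0][:-len(CRYPT_SUFFIX)]
        else:
            conflicted.extend(names)
    return placed, conflicted

if __name__ == "__main__":
    placed, conflicted = sort_recovered(SAMPLE_ENCRYPTED, SAMPLE_RECOVERED)
    for name, original in placed.items():
        print(f"{name} -> {original}")
    print("conflicted:", conflicted)
```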
Decrypting files with StopGpcode2

Some files encrypted by Gpcode.ak can be decrypted without the RSA private key. They can be decrypted with the following steps:

  • Find all encrypted files with the ._CRYPT extension on the victim's computer and copy them to a removable storage device, into a folder named 'encrypted'.

  • Follow the instructions in 'Restoring Files' and save the recovered files, with their correctly restored names, to the removable drive in a folder named 'backup'.

  • Match unencrypted copies of files with the encrypted versions in the 'encrypted' folder. You may find unencrypted versions of files in a backup of your own. If photos were lost, you may still have a copy on the camera's memory card. Often you can obtain copies of encrypted files from network resources. Find the files you need and copy them into the 'backup' folder.

Note: make sure the files saved in the 'backup' folder have names that differ from those in the 'encrypted' folder only by the ._CRYPT extension.

  • Create a folder named 'decrypted' where the decrypted files will be saved. Download the Stopgpcode2 tool, which can help you decrypt these files.

  • Launch StopGpcode2 from the command prompt (Start > Run > cmd.exe), making sure to give the full paths of the 'encrypted', 'backup' and 'decrypted' folders. For example, if the tool and the folders are in the root of drive E:, run:

    e:\stopgpcode2.exe e:\encrypted e:\backup e:\decrypted

When the program runs, you will see the tool start decrypting your files.

  • When decryption is complete, it displays the message 'Done'. You can then open the 'decrypted' folder and check which files the tool was able to decrypt.

Note: the tool may not be able to decrypt all files. In that case it will tell you about the problem.
In addition, do not test the tool on a virtual machine. Results obtained on a virtual machine differ greatly from those on real machines.

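As an added illustration, not StopGpcode2's own code, this Python shows why an unencrypted copy of one file makes other ._CRYPT files recoverable without the RSA private key: RC4 is a stream cipher, so XORing a file with its encrypted twin yields the keystream, and if the same key was applied to every file (an assumption, not stated on the page) that keystream decrypts any other file up to the length of the known one. Keys and file contents are constructed.

```python
# Added example (not StopGpcode2 itself). Assumption not stated on the page: the
# same RC4 key, hence the same keystream, was applied to every file.
# All keys and "file" contents below are constructed for the demonstration.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA), the cipher the page names."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream; output is as long as the input."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def recover_with_known_plaintext(known_plain, known_cipher, target_cipher):
    """Keystream = plaintext XOR ciphertext of the file we have a backup of.
    Returns (recovered bytes, number of trailing bytes that could not be recovered):
    only as many bytes as the known file is long can be recovered from the target."""
    keystream = xor_bytes(known_plain, known_cipher)
    n = min(len(keystream), len(target_cipher))
    return xor_bytes(target_cipher[:n], keystream[:n]), len(target_cipher) - n

_INFECTION_KEY = b"constructed-gpcode-key"    # unknown to the victim in practice
BACKUP_COPY = b"Water lilies photographed at the pond, June 2008.\n" * 4
ENCRYPTED_COPY = rc4_crypt(_INFECTION_KEY, BACKUP_COPY)        # its ._CRYPT twin
REPORT_PLAIN = b"Quarterly report: revenue up 12 percent.\n" * 3
ENCRYPTED_REPORT = rc4_crypt(_INFECTION_KEY, REPORT_PLAIN)     # no backup of this one
LONG_PLAIN = b"Z" * 250                                        # longer than the known file
ENCRYPTED_LONG = rc4_crypt(_INFECTION_KEY, LONG_PLAIN)

def demo():
    """Full recovery of the shorter file; only a prefix of the longer one."""
    short = recover_with_known_plaintext(BACKUP_COPY, ENCRYPTED_COPY, ENCRYPTED_REPORT)
    long = recover_with_known_plaintext(BACKUP_COPY, ENCRYPTED_COPY, ENCRYPTED_LONG)
    return short, long
```

The second case is the situation the note above describes: a file longer than any known-plaintext pair can only be partially recovered, which is why the tool reports that some files cannot be decrypted.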
(QTM-Listvirus)

This entry was posted at 01:43.