Home / malware Trojan:Win32/Gpcode.I
First posted on 26 January 2010.
Source: SecurityHomeAliases :
Trojan:Win32/Gpcode.I is also known as W32/Trojan2.JYIG (Authentium (Command)), Trojan.Winlock.412 (Dr.Web), Win32/LockScreen.CS (ESET), Trojan-Ransom (Ikarus), Trojan-Ransom.Win32.SMSer.qm (Kaspersky), W32/Malware.JQUS (Norman), TROJ_RANSOM.GL (Trend Micro), Trojan.SMSer.OW (VirusBuster), Win32/RansomSMS.AH (CA).
Explanation :
Trojan:Win32/Gpcode.I is a trojan that disables the network device and also displays a message in Russian that indicates use of the Internet has been blocked. The trojan requests that the user send an "unlock" code via a charge SMS message to restore Internet usage.
Top
Trojan:Win32/Gpcode.I is a trojan that disables the network device and also displays a message in Russian that indicates use of the Internet has been blocked. The trojan requests that the user send an "unlock" code via a charge SMS message to restore Internet usage. InstallationThe trojan may be distributed deceptively as a useful program and installed manually by a computer user. When run, the trojan modifies the registry to execute the malware from its current location. Modifies value: "Userinit" With data: "<system folder>\userinit.exe,<path and file name of Trojan:Win32/Gpcode.I>" In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon When Windows is started next, the trojan activates its payload. Payload Disables network deviceTrojan:Win32/Gpcode.I disables the network device to block Internet access. The trojan monitors attempts to re-enable the device and disables it if re-enabled. Displays graphicWhen Windows starts, the user may see the following desktop graphic (text in Russian): The approximate translation of the message above is the following: Internet access is restricted due to
unlicensed usage of uFast Download Manager. You have to activate your copy 04:10 The time displayed is a countdown timer. The remainder of the message requests the user send an SMS message with the specific code to the listed number and that a return message will contain an "activate code". Use of SMS to send the message could incur phone fees or tolls. When the timer reaches 0, the message minimizes to the system tray. Disables Task ManagerThe trojan disables use of the Windows utility Task Manager to prevent termination of the trojan process by the user. Attempts to use Task Manager result in the following error message:
Analysis by Cristian CraioveanuLast update 26 January 2010
