Malware descriptions

Latest info on the GpCode infections

We have been investigating the source of the recent outbreak of the cyber-blackmail virus GpCode, which is on the loose in the Russian Internet.

Our research shows that the virus was spread in the following manner:

  1. As we had thought, the infection stems from a mass mailing. The first mailing was conducted on May 26, 2006, when several thousand Russian users received an email with this text:
    Hello <recipient name>!

    We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time.

    If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.

    Sincerely,
    Viktor Pavlov
    HR manager

    [the above is a translation from the Russian]

    The attached file is a MS word .doc file named anketa.doc [anketa is the Russian for application form – translator’s note]. Actually, this file contained Trojan-Dropper.MSWord.Tored.a.

  2. Once the recipient opened the .doc file, a malicious macro installed another Trojan into the local system – Trojan-Downloader.Win32.Small.crb.
  3. This is the Trojan that then loaded GpCode onto the local machine from a URL – [skip].msk.ru/services.txt.

The author of GpCode conducted similar mass mailings over several days. She also changed the variants of GpCode that were being downloaded from this URL.

Kaspersky Lab is currently working on closing this site down.

Latest info on the GpCode infections

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox