We have been investigating the source of the recent outbreak of the cyber-blackmail virus GpCode, which is on the loose in the Russian Internet.
Our research shows that the virus was spread in the following manner:
- As we had thought, the infection stems from a mass mailing. The first mailing was conducted on May 26, 2006, when several thousand Russian users received an email with this text:
Hello <recipient name>![the above is a translation from the Russian]
We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time.
If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.
The attached file is a MS word .doc file named anketa.doc [anketa is the Russian for application form – translator’s note]. Actually, this file contained Trojan-Dropper.MSWord.Tored.a.
- Once the recipient opened the .doc file, a malicious macro installed another Trojan into the local system – Trojan-Downloader.Win32.Small.crb.
- This is the Trojan that then loaded GpCode onto the local machine from a URL – [skip].msk.ru/services.txt.
The author of GpCode conducted similar mass mailings over several days. She also changed the variants of GpCode that were being downloaded from this URL.
Kaspersky Lab is currently working on closing this site down.