 
Did You Know

Security company Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from last year.

Did you know

Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.

Did you know

Home users were the most highly targeted sector, accounting for 93 percent of all targeted attacks.

PC Surgeon Security Alert
 

Unfortunately, yet again we feel that we have to release another PC Surgeon security alert. There is a dangerous virus doing the rounds. It goes by the name of Gpcode.af (or similar, depending on which anti-virus company you speak to), and has the potential for massive destruction in any system infected.

The specific reason for the PC Surgeon alert is the highly destructive payload this virus contains. If a machine becomes infected, the virus has the ability to encrypt many of the most useful files: pictures, documents, spreadsheets and many, many other file types. Once encrypted, these files are completely unavailable to use. (In theory, they are actually OK and reside undamaged inside the encryption envelope.)

The infection has the following characteristics:

The virus creates an encrypted copy of each original file. The encrypted copy retains the original file name, with _CRYPT being added to the end of the file name. e.g.:

 

myphoto.jpg — original file

myphoto.jpg._CRYPT — encrypted file

 

The original file will then be deleted.

The virus drops a file called "!_READ_ME_!.txt" to every directory which contains encrypted files. The file contains the following text:

 

Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at:(REMOVED BY PC SURGEON)

 

Files located in the Program Files directory will not be encrypted. Additionally, the virus will not encrypt the following:

 

Files with "system" and "hidden" attributes

Files less than 10 bytes in size

Files larger than 734003200 bytes in size

 

Once the virus has delivered its payload, it creates a VBS file which deletes the main body of the virus from the victim's machine, and causes a pop-up message box to be displayed informing you again:

 

Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at:(REMOVED BY PC SURGEON)
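
A read-only triage scan for the two on-disk indicators listed above (the _CRYPT suffix and the "!_READ_ME_!.txt" note), added here as an example and not part of the original alert. The function names, the case-insensitive matching and the sample folder it builds are assumptions made for illustration.

```python
import os
import tempfile

NOTE_NAME = "!_READ_ME_!.txt"  # ransom note file name given in the alert
CRYPT_SUFFIX = "._CRYPT"       # suffix from the alert's myphoto.jpg._CRYPT example


def scan_tree(root):
    """Map each directory showing an indicator to what was found there."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: compare case-insensitively, as Windows file systems do.
        lowered = {name.lower() for name in files}
        encrypted = sorted(n for n in files if n.lower().endswith(CRYPT_SUFFIX.lower()))
        note = NOTE_NAME.lower() in lowered
        if not (encrypted or note):
            continue
        # An original still sitting beside its encrypted copy means the delete
        # step did not complete for that file, so it can be copied off as-is.
        surviving = [n for n in encrypted if n[:-len(CRYPT_SUFFIX)].lower() in lowered]
        report[dirpath] = {
            "note": note,
            "encrypted": encrypted,
            "original_survives": surviving,
            "original_missing": [n for n in encrypted if n not in surviving],
        }
    return report


def build_sample_tree(root):
    """Constructed sample data: one affected folder and one clean folder."""
    layout = {
        "photos": ["myphoto.jpg._CRYPT", "holiday.jpg", "holiday.jpg._CRYPT", NOTE_NAME],
        "clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as handle:
                handle.write(b"constructed sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, found in scan_tree(build_sample_tree(tmp)).items():
            print(folder, found)
```

Pointing scan_tree at a real drive only lists file names; it does not open, change or delete anything, so the encrypted copies stay intact for any later recovery attempt.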

This is the second iteration of the virus. The first had a shorter, poorly implemented 128-bit encryption key, which was broken in a couple of days. This new one has a properly implemented 1024-bit key and is much harder to crack. Kaspersky are leading other anti-virus companies in a race to try and crack the encryption key being used. They are bringing together thousands of computers worldwide in a concerted number-crunching exercise.

PC Surgeon's advice is to use any and all methods to avoid exposure to this infection. In light of this advice, please be extra vigilant over the next few days. Update your antivirus. Be very careful about attachments coming from unexpected sources. If you are web surfing with JavaScript enabled, try to stay on 'the beaten track' and stick to sites you are very familiar with. The rule of thumb is: if you are not sure whether a file or a website is safe, it is probably best to avoid looking at it, at least for the next week.

If you believe you have been infected by this or any other virus, please don't hesitate to get in touch.

Regards,

Jason Bell

Director

PC Surgeon UK Ltd.

01380 816629

http://www.pcsurgeon.org.uk

Copyright © 2006 PC Surgeon Group
All Rights Reserved.