From Total Malware Info
I've recently reversed the Virus.Win32.Gpcode.ak binary EXE and found that the encryption scheme is the following:
1. The virus imports a public RSA key embedded in its EXE with a call to CryptImportKey (using the Microsoft Enhanced Cryptographic Provider).
2. It then generates the first RC4 key; I'll name it RC4_key1.
3. The virus then exports the generated RC4_key1 with CryptExportKey using the previously imported public RSA key (RC4_key1 is encrypted with RSA-1024 under that public key). It writes the exported key blob to a readme.txt file together with the bad news, and the imported RSA key is then destroyed with CryptDestroyKey.
4. After that the virus searches the hard disk for files to encrypt and handles each one as follows:
- 4.1 Generates a sequence of 16 pseudo-random bytes (taken from the system timer); I'll name it RND.
- 4.2 Those 16 bytes are then encrypted with RC4 using RC4_key1.
- 4.3 The encrypted RND sequence is then hashed with SHA-1.
- 4.4 A second RC4 key (I'll name it RC4_key2) is generated with CryptDeriveKey, using the computed SHA-1 hash as the base data from which the key is derived. Once the key is derived, the hash object is destroyed immediately.
- 4.5 The victim file is encrypted with RC4 using the derived RC4_key2. The virus writes the 16 bytes of RND to the resulting file, followed by the encrypted file content. The resulting file gets a _CRYPT extension, and the original file is then deleted with a DeleteFile API call.
- 4.6 RC4_key2 is destroyed.
- 4.7 Steps 4.1-4.6 are repeated for every file to be encrypted.
The problem is to somehow obtain RC4_key1, so we can use it to RC4-encrypt the RND stored at the start of every file, hash the result with SHA-1, derive the per-file decryption key and save the world.
Vitaly Kiktenko aka Kick10
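The per-file scheme from steps 4.1-4.6, together with the recovery path the closing paragraph describes (given RC4_key1, re-derive RC4_key2 from the RND header and decrypt), as an added Python example. This is not code from the post or from the malware; it reimplements the scheme in plain Python with no dependencies. It assumes the Enhanced provider's default 128-bit RC4 key length, so that CryptDeriveKey with a SHA-1 base hash yields the first 16 bytes of the hash (its documented behaviour when the hash is at least as long as the requested key). The RSA-1024 export of RC4_key1 from steps 1-3 is not modelled, RND comes from os.urandom instead of the system timer, and the key, file names and sample contents are constructed for the demonstration.

```python
import hashlib
import os
from typing import Optional

# Assumption: Microsoft Enhanced provider default RC4 key length (128 bits).
RC4_KEY_LEN = 16
RND_LEN = 16  # the 16 pseudo-random bytes the virus prepends to every _CRYPT file


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_file_key(rc4_key1: bytes, rnd: bytes) -> bytes:
    """Steps 4.2-4.4: RC4(RC4_key1, RND) -> SHA-1 -> RC4_key2.

    Assumption: CryptDeriveKey for a 128-bit RC4 key from a SHA-1 hash object
    returns the first 16 bytes of the hash value (hash length >= key length).
    """
    crypted_rnd = rc4(rc4_key1, rnd)
    return hashlib.sha1(crypted_rnd).digest()[:RC4_KEY_LEN]


def encrypt_file(rc4_key1: bytes, plaintext: bytes, rnd: Optional[bytes] = None) -> bytes:
    """Steps 4.1-4.5: produce the contents of a *_CRYPT file: RND || RC4(RC4_key2, plaintext)."""
    if rnd is None:
        rnd = os.urandom(RND_LEN)  # the virus took these bytes from the system timer
    if len(rnd) != RND_LEN:
        raise ValueError("RND must be exactly 16 bytes")
    key2 = derive_file_key(rc4_key1, rnd)
    return rnd + rc4(key2, plaintext)          # key2 is discarded here (step 4.6)


def decrypt_file(rc4_key1: bytes, blob: bytes) -> bytes:
    """Recovery: read the RND header, re-derive RC4_key2 with RC4_key1, decrypt the rest."""
    if len(blob) < RND_LEN:
        raise ValueError("file too short to hold the 16-byte RND header")
    rnd, body = blob[:RND_LEN], blob[RND_LEN:]
    key2 = derive_file_key(rc4_key1, rnd)
    return rc4(key2, body)


def roundtrip_demo() -> bool:
    """Encrypt two constructed 'victim files' with one RC4_key1 and recover both.
    Returns True when both round-trip and the two files got distinct RC4_key2 values."""
    key1 = os.urandom(RC4_KEY_LEN)             # stand-in for the virus's RC4_key1
    victims = {
        "report.doc": b"constructed sample document contents",
        "photo.jpg": bytes(range(256)) * 2,
    }
    crypted = {name + "_CRYPT": encrypt_file(key1, data) for name, data in victims.items()}
    recovered = {n[:-len("_CRYPT")]: decrypt_file(key1, blob) for n, blob in crypted.items()}
    keys2 = {derive_file_key(key1, blob[:RND_LEN]) for blob in crypted.values()}
    return recovered == victims and len(keys2) == len(victims)


if __name__ == "__main__":
    print("round trip ok:", roundtrip_demo())
```

Two things the code makes concrete: RND is effectively a per-file nonce, so RC4_key2 differs for every file even though RC4_key1 never changes, and once RC4_key1 is known the header of each _CRYPT file is all that is needed to rebuild its key, so no per-file brute force is involved.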