weakness of the gpCode


Before you start reading, you should view these links:


Maybe you have heard about this virus?
It’s very, very dangerous and ‘annoying’(huh) virus.
It codes all your files(pics, music, docs and other) with very strong algorythm, so you can’t get those files back forever.
There are 2 versions of this viruses:

  1. Old one, detects by CIS (i’ve got this sample),
  2. New one, which is probably also detects by CIS, but

so, what?
As you can see in the future it can be new versions of GPCode.
When it’s infected your system - all you important files lose.
Cis should(have to) be able to prevent this horrible proceder.
Because now it doesn’t, i made a test few days ago.
With this configuration:


(paranoid mode, proactive security, sandbox set on untrusted) GPCode let in the system and destroy(coded) all files :frowning: This simulation shows that you can lose all your files, when CIS AV doesn’t detect this(for eg. new version of virus, or other virus which codes you files).

I test also Online armor - and it passed the test - GPCode couldn’t get list of the files, so… it couldn’t code nothing. It’s great, that OA can prevent destroy your data, and i hope that you are fix it. For example(like OA) Comodo should gives alert, when something want to get the list of the files, isn’t it? Like OA does.
Or when you have a better solution - i hope you add it to CIS.



Uff… sorry for my chaotic language, mistakes and i hope that you will understand.

P.S To Comodo staff: When you will want to get a sample of this virus i’ve got the old one.
BTW i post about this problem on MRG board, and PM to umesh ;).

Does latest Kaspersky prevent this?

how can I protect myself against this then?

that is really really bad i hope comodo can fix this.

Yes it does, and i’m sure CIS also detects this virus, but… Defense + can’t stop this.

Take it easy :wink:

I know you tested with maximum settings, but did you test on default?
Also, were there any prompts and what did you answer them? :-TU

2. New one, which is probably also detects by CIS, but
Because now it doesn't, i made a test few days ago

Things can’t be in the same time black and white: “is probably also detects” (sic) or “because now it doesn’t”?

As you can see in the future it can be new versions of GPCode.
For example(like OA) Comodo should gives alert,
As far as i am aware, no one can predict the future. We can't talk of wind and suppositions: in order to infirm or confirm what you say, the only way seems either to link to online security tests stating how the said malware is treated by various security softwares, either to provide a POC so that everyone is able to know what you are speaking of.

I think, that on deafult settings it will be the same.
I also tested it with disabled sandbox - CIS fails.

There weren’t any prompt, alerts etc :frowning:
I looked at the event log - none.


"Because now it doesn’t, i made a test few days ago’
Sorry,i meant ‘Because now defense+ doesn’t, i made a test few days ago’

But Comodo AV which is up to date - does.

At least it’s detected…
But still I would like to wait from Mods/Languy and their opinion on this… :-TU

Calm down people :slight_smile:

I’ll say it again
1.The old version of this virusb[/b] is detects - you are safe!
2.The newest version of this virusb[/b] - i’m pretty sure that is also detects - you are safe!

This big deal it’s about that D+&sandbox can’t prevent this ;).

[attachment deleted by admin]

You saved my day ;D this is something that comodo has to work on. to make the HIPS 100 or dam near :slight_smile:


Which virtual machine did you use to test this?

Yes, it must be fixed. Defence plus must block it just like OA.

I didn’t use virtual machine >:-D
Just Shadow Defender + I took snapshot with CTM.

Any infos/update on this from dev reg. D+ Handling?


Defense+ should prevent that if docs are added to “protected files/folders” under D+ settings, e.g. “C:\Documents and Settings\User\My documents*

Yep but who adds all movies, pics and other files to that section? >:-D

Me, so what?

That’s great, but 99% users don’t :slight_smile: