Once installed on a computer, the trojan creates two registry keys: one to ensure that it runs on every system startup, and a second to track the trojan's progress on the infected computer by counting the number of files that the malicious code has analyzed.
The blackmail is completed with the trojan dropping a text file in each directory, with instructions telling the victim what to do.
An email address is supplied through which users are supposed to request the release of their files after paying a ransom of $100–200 to an e-gold or Liberty Reserve account.
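The text file dropped in each directory is a usable triage signal: the same small file, under the same name, appearing in nearly every directory of a tree. The following is an added example, not code from the original page. The note name `NOTE.txt`, the sample tree and the thresholds are constructed assumptions, since the page does not give the real file name.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_replicated_notes(root, min_dirs=3, min_fraction=0.8, max_size=64 * 1024):
    """Return [(filename, sha256, dir_count)] for small .txt files whose
    identical content appears under the same name in most directories."""
    seen = defaultdict(set)   # (name, digest) -> directories containing it
    total_dirs = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        total_dirs += 1
        for name in filenames:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            seen[(name.lower(), digest)].add(dirpath)
    # Thresholds are assumed values; tune them for the file shares you scan.
    threshold = max(min_dirs, min_fraction * total_dirs)
    hits = [(n, d, len(dirs)) for (n, d), dirs in seen.items() if len(dirs) >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def build_sample_tree(root):
    """Constructed sample: 5 directories, each holding the same note, plus
    one unrelated readme.txt that must not be flagged."""
    note = b"constructed sample note text\n"
    dirs = [root] + [os.path.join(root, d) for d in ("docs", "docs/2008", "pics", "mail")]
    for d in dirs:
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "NOTE.txt"), "wb") as fh:
            fh.write(note)
    with open(os.path.join(root, "docs", "readme.txt"), "wb") as fh:
        fh.write(b"ordinary text file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, digest, count in find_replicated_notes(tmp):
            print(f"{count} dirs: {name} sha256={digest[:16]}...")
```

Grouping by name and content hash together keeps ordinary per-directory files such as differing `readme.txt` copies from being flagged.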
The first versions of Gpcode used a custom-written encryption routine that was easily broken.[4][5][6]
Variant Gpcode.am uses symmetric encryption, which made key recovery very easy.