This is a Trojan program that encrypts files via a legitimate cryptographic tool, named GPG, using BAT scripts. The Trojan penetrates a system with the use of JS.Downloader.300 downloader, which is distributed via mass spam mailings.
The Trojan is a more sophisticated version of BAT.Encoder.2. This modification is mainly distinguished from the predecessor by the fact that the master key is located in the .bat file.
Once the malware is launched, it creates the %temp%\crypta.bin file in order to prevent repeated launch of its own copy. When the malware finishes encryption, it removes this file from the system. Next, the Trojan extracts the public part of its master key, generates a GPG key pair (pubring.gpg and secring.gpg) and saves it to the %temp% folder. After that, it encrypts the private part of the session key to the KEY.PRIVATE file. Thereafter, the Trojan sends its copies to all email addresses found on the infected computer.
For session key encryption, the Trojan uses a key with the ID equal to A3CE7DBE. All encrypted files have an additional extension — keybtc@gmail_com.
In general, files encrypted with BAT.Encoder.23 cannot be decrypted without the private part of the used master key. However, if the master key is known, it is usually possible to perform their decryption.