Firstly, thanks to someone, (you know who you are) for the huge pack of samples concerning cryptovirus related to Gpcode :)
Here a simple Xorist, i will not detail it because it's relatively easy to understand the code.
Anyway here is some pics from the debugger
GetDrive and Xor:
And drop a txt as usual: Прочти Меня - как расшифровать файлы.txt
But if it just do a XOR that mean files can be recovered if we open it again :)...
Concerning the file When all files are Xored, it just do an ExitProcess, no autodestruction
Let's open it again.
This time it does an ExitProcess due to a comparison (for avoid a double 'XOR')
When patched and run... you guess it, files are back :)
Some variants who change the wallpaper:
See also ~ xddd.66ghz.com and the 4B XOR Ransomware