
HTTP Infostealer Kenzero Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature monitors Infostealer.Kenzero Activity over HTTP.

Additional Information

Infostealer.Kenzero is a Trojan horse that attempts to steal information from the compromised computer and sends it to a web site that can be publicly viewed.

The malicious file typically arrives as an installation file for certain computer games.

When the Trojan is executed, the threat takes a screenshot of the desktop and saves it as the following:
%Systemdrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp

Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg

Next it sends the screenshot to the following FTP site:
[ftp://]ftp96.heteml.jp/web/img/us[REMOVED]


It connects to the following URLs to obtain global IP address and the host name of the infected machine:

* [http://]cplayer.dreamhosters.com/getho[REMOVED]
* [http://]checkip.dyndns.org[REMOVED]


Then, it displays a form and requests the user to fill it with the following information:

* first name
* family name
* email address
* password
* first name in game
* family name in game
* gender
* birth date
* company name
* telephone number
* zip code
* address

It also steals the following information from the compromised machine:

* computer name
* domain name
* OS type
* time
* clipboard

Then the Trojan sends the stolen information to the following URL:
[http://]p3p.jp/en[REMOVED]/


When the Trojan exits, it opens the following URL, which shows the gathered information, in the default browser:
[http://]p3p.jp/entry/user/[RANDOM [REMOVED]
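As an added triage example (not Symantec's signature and not code from this write-up), the following Python helper correlates the network indicators listed above across a constructed outbound-connection log, so that a single hit on a widely used public service such as checkip.dyndns.org does not raise an alert on its own. The log format, client addresses, request methods and weights are assumptions.

```python
import re
from collections import defaultdict

# Hosts taken from the Infostealer.Kenzero description above, with weights
# chosen here (assumption): checkip.dyndns.org has many legitimate users, so
# it only contributes when combined with the other hosts.
KENZERO_HOSTS = {
    "ftp96.heteml.jp": 3,          # screenshot upload target
    "cplayer.dreamhosters.com": 2, # IP / host name lookup
    "checkip.dyndns.org": 1,       # IP lookup (public service, low weight)
    "p3p.jp": 3,                   # stolen-data submission
}
ALERT_THRESHOLD = 5  # assumption: needs at least two distinct indicators

# Constructed log format (assumption): timestamp client method host path
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path}

def score_clients(lines):
    """Return {client: (score, sorted distinct Kenzero hosts contacted)}."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["host"] in KENZERO_HOSTS:
            seen[rec["client"]].add(rec["host"])  # count each host once
    return {c: (sum(KENZERO_HOSTS[h] for h in hosts), sorted(hosts))
            for c, hosts in seen.items()}

def alerts(lines):
    """Clients whose combined indicator score reaches the threshold."""
    return sorted(c for c, (s, _) in score_clients(lines).items()
                  if s >= ALERT_THRESHOLD)

# Constructed sample log: 10.0.0.5 shows the full chain, 10.0.0.9 only the
# IP-lookup service, 10.0.0.7 only a single contact with p3p.jp.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET checkip.dyndns.org /",
    "2024-01-01T10:00:02Z 10.0.0.5 GET cplayer.dreamhosters.com /",
    "2024-01-01T10:00:03Z 10.0.0.5 GET example.com /",
    "2024-01-01T10:00:09Z 10.0.0.5 POST p3p.jp /",
    "2024-01-01T10:01:00Z 10.0.0.9 GET checkip.dyndns.org /",
    "2024-01-01T10:02:00Z 10.0.0.7 GET p3p.jp /",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))  # ['10.0.0.5']
```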