This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature monitors Infostealer.Kenzero Activity over HTTP.
Infostealer.Kenzero is a Trojan horse that attempts to steal information from the compromised computer and sends it to a web site that can be publicly viewed.
The malicious file typically arrives as an installation file for certain computer games.
When the Trojan is executed, it takes a screenshot of the desktop and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp
Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg
Next it sends the screenshot to the following FTP site:
It connects to the following URLs to obtain the global IP address and the host name of the infected machine:
Then it displays a form and asks the user to fill it in with the following information:
* first name
* family name
* email address
* first name in game
* family name in game
* birth date
* company name
* telephone number
* zip code
It also steals the following information from the compromised machine:
* computer name
* domain name
* OS type
Then the Trojan sends the stolen information to the following URL:
When the Trojan exits, it displays the following URL with the gathered information using the default browser:
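The file-system behaviour described above (a .bmp screenshot and its .jpg conversion written to a directory of random letters directly under the system drive, followed by an FTP upload) is a host-side artifact that endpoint telemetry can be checked for. The following is an added detection example, not code from Symantec or from this signature; it assumes a simple constructed telemetry format of "<host> <event> <detail>" lines, treats "[RANDOM LETTERS]" as an alphabetic-only directory and file name (an assumption; the write-up does not define the alphabet), matches the .bmp and .jpg on their shared directory rather than on the file name, and uses a connection to TCP port 21 as the FTP indicator. All sample events are constructed.

```python
import re
from collections import defaultdict

# Artifact pattern from the write-up: <SystemDrive>\<letters>\<letters>.bmp / .jpg
# Assumption: "[RANDOM LETTERS]" means alphabetic characters only.
ARTIFACT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\(?P<dir>[A-Za-z]+)\\(?P<name>[A-Za-z]+)\.(?P<ext>bmp|jpg)$",
    re.IGNORECASE,
)

# Constructed sample telemetry (not from the page): "<host> <event> <detail>"
SAMPLE_EVENTS = [
    "host1 file_create C:\\Windows\\Temp\\setup.log",
    "host1 file_create C:\\qzkxw\\tyrbl.bmp",
    "host1 file_create C:\\qzkxw\\mvpqa.jpg",
    "host1 net_connect 203.0.113.10:21",
    "host2 file_create C:\\Users\\bob\\Pictures\\holiday.jpg",
    "host2 net_connect 198.51.100.5:443",
    "host3 file_create D:\\abcd\\efgh.bmp",
]


def parse_event(line):
    """Split one telemetry line into (host, event_kind, detail)."""
    host, kind, detail = line.split(" ", 2)
    return host, kind, detail


def find_kenzero_indicators(events):
    """Return {host: {...}} for hosts that wrote both a .bmp and a .jpg into a
    random-letter directory directly under a drive root, with a flag for
    whether an FTP (port 21) connection was also seen on that host."""
    per_host = defaultdict(lambda: {"bmp": set(), "jpg": set(), "ftp": False})
    for line in events:
        host, kind, detail = parse_event(line)
        if kind == "file_create":
            m = ARTIFACT_RE.match(detail)
            if m:
                # Key on the directory: the page does not say the .bmp and .jpg
                # share a base name, only that both live in the random-letter dir.
                directory = (m.group("drive").upper(), m.group("dir").lower())
                per_host[host][m.group("ext").lower()].add(directory)
        elif kind == "net_connect" and detail.endswith(":21"):
            # Assumption: plain FTP on port 21 is the upload channel.
            per_host[host]["ftp"] = True

    hits = {}
    for host, state in per_host.items():
        suspicious_dirs = state["bmp"] & state["jpg"]
        if suspicious_dirs:
            hits[host] = {
                "directories": sorted(f"{d}:\\{name}" for d, name in suspicious_dirs),
                "ftp_seen": state["ftp"],
            }
    return hits


if __name__ == "__main__":
    for host, info in find_kenzero_indicators(SAMPLE_EVENTS).items():
        print(host, info)
```

Only host1 is reported: host2's .jpg sits several directories deep, so it does not match the drive-root pattern, and host3 wrote only a .bmp with no matching .jpg. The ftp_seen flag is reported separately rather than required, so a host that wrote the screenshot pair but whose upload was blocked or not logged is still surfaced for review.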