TrojanSpy:Win32/Kenzor.A is a trojan that captures user-entered details and specific computer details and posts them to a website. The trojan then demands that the user pay a fee in Japanese Yen to have the details removed from the webpage.
Installation
This trojan may be found on peer-to-peer networks such as Winny, which is used predominantly in Japan, and may be distributed as, for example, an installer file for an adult computer-animated game. When run, the trojan verifies that the computer is connected to the Internet using the API InternetGetConnectedState. If the computer is not connected, Win32/Kenzor displays a message box containing the following message and exits:
"インターネットに接続されていません"
The message means "not connected to the Internet". If the computer is connected to the Internet, the trojan performs its data collection routine (see below). While the fake setup application runs, the user may be prompted to enter data such as an e-mail address and other personal details.
Payload
Collects user information
The trojan attempts to gather user information including the computer user name, network domain name, computer (machine) name, Windows clipboard contents and other user information.
Win32/Kenzor attempts to create a directory c:\<uid>, where uid is a random string of 30 alphanumeric (A-Z, a-z, 0-9) characters, for example:
c:\tt31vo9s0muzjffofdwjmvqqbgytst
The malware then tries to take a screen capture and save it as the following files:
c:\<uid>\<uid>.bmp - screen capture image file
c:\<uid>\<uid>_s.bmp - reduced-size copy of the screen capture image file
<MyPictures>\<uid>.bmp - screen capture image file
Example of a file created by the trojan:
c:\tt31vo9s0muzjffofdwjmvqqbgytst\tt31vo9s0muzjffofdwjmvqqbgytst.bmp
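The on-disk artifacts listed above (a 30-character alphanumeric folder directly under C:\ holding <uid>.bmp and <uid>_s.bmp, plus a copy of <uid>.bmp in the user's Pictures folder) give a responder a usable file-system indicator. The following Python script is an added example, not part of the original write-up and not Microsoft's tooling: it scans a file listing (for example one exported from a forensic image or produced by a file-system walk) for that pattern and groups the hits by uid. The uid format, the file names and the example uid come from the write-up; the function names, the sample listing and the Pictures folder names it recognises ("Pictures", "My Pictures") are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# From the write-up: Win32/Kenzor writes C:\<uid>\<uid>.bmp, C:\<uid>\<uid>_s.bmp
# and <MyPictures>\<uid>.bmp, where uid is 30 alphanumeric characters (A-Z, a-z, 0-9).
BMP_RE = re.compile(r"^(?P<uid>[A-Za-z0-9]{30})(?P<small>_s)?\.bmp$", re.IGNORECASE)

# Assumed folder names for <MyPictures>; adjust for localized Windows installs.
PICTURES_FOLDERS = {"pictures", "my pictures"}


def classify(path):
    """Return (uid, artifact_kind) if `path` matches one of the Kenzor drop
    locations, otherwise None. Works on pure path strings, so it can run on a
    listing taken from another machine or an image without touching the disk."""
    p = PureWindowsPath(path)
    m = BMP_RE.match(p.name)
    if not m:
        return None
    uid = m.group("uid")
    parent = p.parent
    # C:\<uid>\<uid>.bmp or C:\<uid>\<uid>_s.bmp: the folder name must equal the uid
    # and sit directly under the C: root.
    if parent.name == uid and str(parent.parent).lower() == "c:\\":
        return uid, "root_small" if m.group("small") else "root_capture"
    # <MyPictures>\<uid>.bmp: the full-size capture copied into the Pictures folder.
    if not m.group("small") and parent.name.lower() in PICTURES_FOLDERS:
        return uid, "pictures_capture"
    return None


def find_kenzor_artifacts(paths):
    """Group matching paths by uid: {uid: {artifact_kind: path}}."""
    found = defaultdict(dict)
    for path in paths:
        hit = classify(path)
        if hit:
            uid, kind = hit
            found[uid][kind] = path
    return dict(found)


def suspicious_uids(paths, min_kinds=2):
    """uids backed by at least `min_kinds` distinct artifacts. A single 30-character
    .bmp name could be coincidental; two or three of the drop locations agreeing on
    the same uid is a much stronger indicator."""
    hits = find_kenzor_artifacts(paths)
    return sorted(uid for uid, kinds in hits.items() if len(kinds) >= min_kinds)


# Constructed sample listing (not real evidence); the uid is the example from the write-up.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\tt31vo9s0muzjffofdwjmvqqbgytst\tt31vo9s0muzjffofdwjmvqqbgytst.bmp",
    r"C:\tt31vo9s0muzjffofdwjmvqqbgytst\tt31vo9s0muzjffofdwjmvqqbgytst_s.bmp",
    r"C:\Users\alice\Pictures\tt31vo9s0muzjffofdwjmvqqbgytst.bmp",
    r"C:\Users\alice\Pictures\holiday.bmp",
    # 30-character folder name but no capture inside it: not a match.
    r"C:\abcdefghijklmnopqrstuvwxyz0123\readme.txt",
]

if __name__ == "__main__":
    for uid, kinds in find_kenzor_artifacts(SAMPLE_LISTING).items():
        print(uid, sorted(kinds))
    print("suspicious:", suspicious_uids(SAMPLE_LISTING))
```

Because the trojan may delete its C:\<uid> folder afterwards, the copy in the Pictures folder or file-system journal entries may be the only artifact left; lower `min_kinds` to 1 when triaging a wiped system, accepting more false positives.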
Sends information
The trojan attempts to upload the gathered information to a website (warezer.net) and changes the desktop wallpaper to the screenshot it captured. It then launches the Internet browser to the page containing the uploaded user information.
The trojan may play an embedded sound and display a message box demanding that the user pay a fee in Japanese Yen to have the details removed from the webpage.
The trojan may then delete the folder it created earlier. At the time of writing, the website was not available or appeared to have been taken offline.
Analysis by Dan Kurc