Porn virus publishes web history of victims on the net

Started by DorsetBoy, Apr 15, 2010, 19:34:01


DorsetBoy

http://news.bbc.co.uk/1/hi/technology/8622665.stm

Quote: A new type of malware infects PCs using file-share sites and publishes the user's net history on a public website before demanding a fee for its removal.

The Japanese trojan virus installs itself on computers using a popular file-share service called Winni, used by up to 200m people.

It targets those downloading illegal copies of games in the Hentai genre, an explicit form of anime.

Not that anyone here uses these sites but how long till it spreads elsewhere?



Rik

Not long, Dorset. Will it be classed as an STI, I wonder? ;D
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

DorsetBoy

Quote from: Rik on Apr 15, 2010, 19:35:40
Not long, Dorset. Will it be classed as an STI, I wonder? ;D

Possibly as 200m people have been sharing Winni.......  :whistle:





D-Dan

Have I lost my way?



This post doesn't necessarily represent even my own opinions, let alone anyone else's

drummer

It's Japanese P2P software and the Beeb have (wisely) chosen to misspell it.
To stay is death but to flee is life.

DorsetBoy

Quote from: drummer on Apr 16, 2010, 00:09:55
It's Japanese P2P software and the Beeb have (wisely) chosen to misspell it.

You are familiar with this then?  :evil:

DorsetBoy

Symantec rate this as a HIGH risk. The actual purpose is not to gain the money demanded but to get your credit card/banking details, which the scammers sell on.



http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23567

Quote: HTTP Infostealer Kenzero Activity
Severity: High
Description
This signature monitors Infostealer.Kenzero Activity over HTTP.
Additional Information
Infostealer.Kenzero is a Trojan horse that attempts to steal information from the compromised computer and sends it to a web site that can be publicly viewed.

The malicious file typically arrives as an installation file for certain computer games.

When the Trojan is executed, it takes a screenshot of the desktop and saves it as the following:
%Systemdrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp

Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg

Next it sends the screenshot to the following FTP site:
[ftp://]ftp96.heteml.jp/web/img/us[REMOVED]


It connects to the following URLs to obtain global IP address and the host name of the infected machine:

* [http://]cplayer.dreamhosters.com/getho[REMOVED]
* [http://]checkip.dyndns.org[REMOVED]


Then, it displays a form and requests the user to fill it with the following information:

* first name
* family name
* email address
* password
* first name in game
* family name in game
* gender
* birth date
* company name
* telephone number
* zip code
* address

It also steals the following information from the compromised machine:

* computer name
* domain name
* OS type
* time
* clipboard

Then the Trojan sends the stolen information to the following URL:
[http://]p3p.jp/en[REMOVED]/


When the Trojan exits, it displays the following URL with the gathered information using default browser:
[http://]p3p.jp/entry/user/[RANDOM [REMOVED]


==========================

http://ipkitten.blogspot.com/2010/04/warning-kenzero-can-be-bad-for-your-er.html

Quote

Thursday, 15 April 2010
Warning: Kenzero can be bad for your, er, private life

Fresh from the BBC comes news of an extremely effective, if outrageously illegitimate, deterrent to some species of copyright infringement. In "Porn virus publishes web history of victims on the net" it is reported that a new type of malware has been developed which infects PCs using file-share sites and publishes the user's net history on a public website before demanding a fee for its removal. The article continues, in relevant part:
"The Japanese trojan virus installs itself on computers using a popular file-share service called Winni [which may be on its way to being a little less popular ... nb Wikipedia corrects the spelling to Winny], used by up to 200m people. It targets those downloading illegal copies of games in the Hentai genre, an explicit form of anime.
Website Yomiuri claims that 5,500 people have so far admitted to being infected [Merpel speculates as to how the infection spreads from computers to people ...]. The virus, known as Kenzero, ... [m]asquerading as a game installation screen, ... requests the PC owner's personal details. It then takes screengrabs of the user's web history and publishes it online in their name, before sending an email or pop-up screen demanding a credit card payment of 1,500 yen (£10) to "settle your violation of copyright law" and remove the webpage.
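An added defender-side example, not from the Symantec write-up or from anyone in this thread: it correlates the network indicators listed in the quoted signature description against constructed proxy log lines, and flags a source only when an external-IP lookup is followed by contact with one of the upload hosts, because the lookup hosts on their own are used by plenty of legitimate software. The log format, field layout and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Hosts named in the Symantec write-up quoted above (paths were redacted there,
# so matching is on host names only).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "cplayer.dreamhosters.com"}
EXFIL_HOSTS = {"ftp96.heteml.jp", "p3p.jp"}

# Constructed proxy/firewall log lines in an assumed "time src proto host path" shape.
SAMPLE_LOG = """\
2010-04-16T10:01:02 10.0.0.7 http checkip.dyndns.org /
2010-04-16T10:01:03 10.0.0.7 http cplayer.dreamhosters.com /getho
2010-04-16T10:01:09 10.0.0.7 ftp ftp96.heteml.jp /web/img/us
2010-04-16T10:01:15 10.0.0.7 http p3p.jp /en
2010-04-16T10:05:00 10.0.0.9 http checkip.dyndns.org /
2010-04-16T10:06:00 10.0.0.9 http www.example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S*)$")

def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, proto, host, path = m.groups()
            yield {"ts": ts, "src": src, "proto": proto, "host": host.lower(), "path": path}

def assess(text):
    """Return {src_ip: verdict}. 'suspect' requires BOTH an external-IP lookup and
    contact with an upload host; either alone is only 'review', since a lone
    IP lookup is common in legitimate software."""
    seen = defaultdict(set)
    for rec in parse_lines(text):
        if rec["host"] in IP_LOOKUP_HOSTS:
            seen[rec["src"]].add("ip_lookup")
        elif rec["host"] in EXFIL_HOSTS:
            seen[rec["src"]].add("exfil")
    verdicts = {}
    for src, flags in seen.items():
        verdicts[src] = "suspect" if {"ip_lookup", "exfil"} <= flags else "review"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(assess(SAMPLE_LOG).items()):
        print(src, verdict)
```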


Inkblot

I use Spybot Search & Destroy and update it at least weekly - in today's update the total threats checked has gone from a little under a million to almost 1.3 million, that's a huge jump!

Rik

I tend to feel that S&D has had its day now, Inky. I prefer Super AntiSpyware and Malwarebytes. That said, yes, the number of threats keeps increasing - you wonder, at times, how much longer we'll be able to protect ourselves on the 'net.

Gary

Quote from: Rik on Apr 16, 2010, 09:49:03
I tend to feel that S&D has had its day now, Inky. I prefer SuperantiSpyware and Malwarebytes. That said, yes, the number of threats keeps increasing - you wonder, at times, how much longer we'll be able to protect ourselves on the 'net.
Have to say SD was great in its day, but it just does not deal with Windows nasties well anymore; its detection ratings are poor, a bit like Ad-Aware. They slipped, and SA and MB are now the best free ones to get.
Damned, if you do damned if you don't

Inkblot

I'm behind the times again then? I used to use ad-aware and even purchased the retail version at one time but have used Spybot for a while now, maybe it's time to change again then!


DorsetBoy

The S+D hosts list can be very useful still but I find that the program itself is incapable of working correctly on Vista and Win7.

Super AntiSpyware was good at first, I was on the beta testing for that but I found that over time it seemed to miss things way too often and was very easily turned off by malware so I gave up using it.

Glenn

Steve (D-Dan), tests them on a regular basis for a website.

Gary

Quote from: DorsetBoy on Apr 16, 2010, 11:27:13
The S+D hosts list can be very useful still but I find that the program itself is incapable of working correctly on Vista and Win7.

Super AntiSpyware was good at first, I was on the beta testing for that but I found that over time it seemed to miss things way too often and was very easily turned off by malware so I gave up using it.
They seem to have released a few updates to help that now. I still think cloud-based programs like Prevx work well; yes, the paid-for version is what you want, but there really is no such thing as a free dinner these days. Even MS Essentials, or whatever it is called, will only get so much: a nasty rootkit and you are done for.