
Win32/Kuluoz


Microsoft security software detects and removes this threat.

This trojan tries to steal your passwords and sensitive information. It can also download other malware onto your PC, including other variants of Win32/Kuluoz and Win32/Sirefef, and variants of rogue security software like Win32/FakeSysdef and Win32/Winwebsec.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal the saved passwords for your email accounts and file transfer programs.

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Kuluoz might infect your PC through spam email that has an attachment. The emails we've seen all look different, but they usually have a ZIP archive file attachment, as in the following example messages:

The attachment is actually a copy of this trojan. When the file inside the ZIP archive is opened, the trojan copies itself to your PC using various file names, like these:

  • csrss.exe
  • urlmon.exe
  • txbalmst.exe

Note that the file names used by the trojan might be similar to, or exactly the same as, the names of existing Windows system files. The trojan file will run when you start Windows.
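The name collisions described above (csrss.exe and urlmon.exe placed where Windows would never put them) are something an administrator can check for in startup entries. The following is an added example, not Microsoft's code or the trojan's: it assumes the trojan persists through an ordinary startup entry (the page only says the file runs when Windows starts), and the entry list, the system-binary allowlist and the user-writable path markers are constructed for illustration.

```python
"""Flag Windows startup entries whose executable name mimics a system file.

Added example for the installation section; not Microsoft's code.  Assumption:
the trojan persists through a startup entry (the page only states that the
file runs when Windows starts).  Entry data and allowlists are constructed.
"""
import ntpath

# Assumption: these executables are legitimate only in %SystemRoot%\System32.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM_EXES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}
# Stems of well-known system DLLs; "urlmon.exe" borrows the stem of urlmon.dll.
SYSTEM_DLL_STEMS = {"urlmon", "ntdll", "kernel32", "user32", "wininet"}
# Directory fragments that a normal user can write to without admin rights.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def check_startup_entry(image_path, system_dir=SYSTEM_DIR):
    """Return a verdict string for one startup entry, or None if unremarkable."""
    path = ntpath.normcase(image_path)            # lower-case, backslashes only
    directory, filename = ntpath.split(path)
    stem, ext = ntpath.splitext(filename)
    in_system_dir = directory == ntpath.normcase(system_dir)

    if filename in SYSTEM_EXES and not in_system_dir:
        # Exact name of a core system binary, but not where Windows keeps it.
        return "impersonates-system-binary"
    if ext == ".exe" and stem in SYSTEM_DLL_STEMS:
        # Name borrowed from a system DLL stem; treat as a lookalike.
        return "lookalike-name"
    if any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS):
        # Arbitrary name (the page's txbalmst.exe) launched from a user-writable path.
        return "runs-from-user-writable-path"
    return None


def scan_startup_entries(entries):
    """entries: iterable of (entry_name, image_path); returns flagged entries."""
    flagged = []
    for entry_name, image_path in entries:
        verdict = check_startup_entry(image_path)
        if verdict:
            flagged.append((entry_name, image_path, verdict))
    return flagged


# Constructed sample: what a startup-entry export from one PC might list.
SAMPLE_ENTRIES = [
    ("csrss", r"C:\Users\alice\AppData\Roaming\csrss.exe"),
    ("urlmon", r"C:\Users\alice\AppData\Local\Temp\urlmon.exe"),
    ("txbalmst", r"C:\Users\alice\AppData\Roaming\txbalmst.exe"),
    ("VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for entry in scan_startup_entries(SAMPLE_ENTRIES):
        print(*entry)
```

The three verdicts are ordered from strongest to weakest: an exact system-binary name outside System32 is almost never legitimate, a borrowed DLL stem is a strong hint, and a random name under AppData or Temp is only worth a look. Feed the function real entries (for example, an export of the Run keys) and review anything it returns rather than deleting it automatically.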

Payload

Steals sensitive data files

Win32/Kuluoz tries to steal the following files from your PC:

  • Microsoft Word files (.doc, .docx)
  • Microsoft Excel files (.xls, .xlsx)
  • Password files for Mozilla Firefox and Thunderbird (key3.db and signons.sqlite)
  • Password file for the Opera web browser (wand.dat)

The trojan packages these files into a single archive and uploads it to an online file storage website, like sendspace.com. Win32/Kuluoz also sends the stolen data to a remote server, like office138489123.ru, where attackers can access it.

The trojan also steals saved login details from these file transfer applications and web browsers, and uploads the stolen details to a remote server, like infopepsigoood.ru:

  • Mozilla Firefox
  • Google Chrome
  • FileZilla
  • Total Commander
  • Far Manager
  • SmartFTP
  • WinSCP
  • BulletProof FTP client
  • BitKinex

Downloads arbitrary files

Win32/Kuluoz tries to connect to a remote server to report details about your PC, like the PC UID, and to retrieve commands to run. Commands could instruct the trojan to do these actions:

  • Download and run files
  • Update itself
  • Uninstall the malware

The following are examples of remote servers used by this trojan:

  • krasguatanany.ru
  • everkosmo2012.ru
  • aboutnorth2012.ru

Files downloaded by Win32/Kuluoz could be other variants of this or other malware, like:

Analysis by Shawn Wang


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Jun 05, 2012
This entry was updated on: May 18, 2014

This threat is also detected as:
No known aliases