Win32/Kuluoz might infect your PC through spam email that has an attachment.
Here is a preview of the Kuluoz infection chain at the time of analysis:
The emails we've seen all look different, but they usually have a ZIP archive file attachment, as in the following example messages:
The attachment is actually a copy of this trojan. When the ZIP archive is opened, it copies itself to your PC using various file names like these:
Note that the file names used by the trojan could be similar or exactly the same as already existing Windows system files. The trojan file will run when you start Windows.
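The persistence behaviour described above (a copy dropped under a name that matches or resembles a Windows system file, launched at startup) can be triaged from an autorun inventory. The following is an added example for defenders, not code from the original write-up; it assumes a constructed set of system file names and a constructed list of autorun entries, and flags entries whose file name is identical or close to a system file name but which run from outside the Windows directories.

```python
import difflib
import ntpath
from dataclasses import dataclass

# Constructed sample of file names that legitimately live in the Windows
# directories. Illustrative only; it is not the list of names the trojan uses.
SYSTEM_FILE_NAMES = sorted({
    "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe",
})

# Directories where those names are expected (compared case-insensitively).
TRUSTED_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64")

# Similarity cutoff for "looks like a system file name" (assumed value).
SIMILARITY_CUTOFF = 0.8


@dataclass
class AutorunEntry:
    source: str  # registry key or startup folder the entry was collected from
    image: str   # full path of the executable launched at logon


def is_trusted_location(path):
    """True if the executable sits directly in one of the Windows directories."""
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def triage_autoruns(entries):
    """Return (entry, matched_system_name, reason) for suspicious autoruns.

    An entry is suspicious when its base name equals, or closely resembles,
    a Windows system file name while the file runs from an untrusted directory,
    which is what a copy dropped into a user profile looks like.
    """
    flagged = []
    for entry in entries:
        name = ntpath.basename(entry.image).lower()
        if is_trusted_location(entry.image):
            continue
        close = difflib.get_close_matches(name, SYSTEM_FILE_NAMES, n=1,
                                          cutoff=SIMILARITY_CUTOFF)
        if not close:
            continue
        reason = "identical to" if close[0] == name else "similar to"
        flagged.append((entry, close[0], reason))
    return flagged


# Constructed sample inventory (hypothetical paths, not indicators from the page).
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Users\alice\AppData\Local\svchost.exe"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Windows\System32\svchost.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Users\alice\AppData\Roaming\explorr.exe"),
    AutorunEntry(r"Startup folder",
                 r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
                 r"\Programs\Startup\OneDriveSetup.exe"),
]

if __name__ == "__main__":
    for entry, sysname, reason in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{entry.image}: name {reason} system file {sysname} "
              f"but runs from an untrusted directory ({entry.source})")
```

Run on a real host, the input would come from the Run/RunOnce keys and the Startup folders; the check only looks at names and locations, so a hit is a lead for hash or signature verification rather than a verdict on its own.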
Steals sensitive data files
Win32/Kuluoz tries to steal the following files from your PC:
- Microsoft Word files (files with extension .doc, .docx)
- Microsoft Excel files (files with extension .xls, .xlsx)
- Password files for Mozilla Firefox and Thunderbird (key3.db and signons.sqlite)
- Password file for Opera web browser (wand.dat)
The trojan packages these files into a single archive and uploads it to an online storage website, like sendspace.com. Win32/Kuluoz also sends the stolen data to a remote server, like office138489123.ru, where it can be accessed by hackers.
The trojan also steals saved login details from these file transfer applications and web browsers, and uploads the stolen details to a remote server, like infopepsigoood.ru:
- BulletProof FTP client
Downloads arbitrary files
Win32/Kuluoz tries to connect to a remote server to report details about your PC, like the PC UID, and to retrieve commands to run. The commands can instruct the trojan to:
- Download and run files
- Update itself
- Uninstall the malware
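The exfiltration and command-retrieval behaviour described above (uploads to online storage, contact with the named remote servers) leaves traces in web proxy logs. The following is an added example of detection logic, not code from the original write-up: it parses constructed proxy log lines in an assumed space-separated format (timestamp, client, method, host, path, bytes sent, status), flags any contact with the two server names the write-up gives, and flags large uploads to an online storage site. The upload-size threshold and the log format are assumptions.

```python
# Server names taken from the write-up above; matched including subdomains.
KULUOZ_SERVERS = ("office138489123.ru", "infopepsigoood.ru")

# Online storage site named in the write-up as an upload destination.
ONLINE_STORAGE_SITES = ("sendspace.com",)

# Bytes sent in one request above which an upload is considered large (assumed).
UPLOAD_THRESHOLD = 1_000_000


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one assumed-format proxy log line; return None for unparseable lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, bytes_out, status = parts
    try:
        bytes_out = int(bytes_out)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host, "path": path, "bytes_out": bytes_out, "status": status}


def scan_proxy_log(lines, upload_threshold=UPLOAD_THRESHOLD):
    """Return (client, host, reason) alerts for Kuluoz-like network activity."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if host_matches(rec["host"], KULUOZ_SERVERS):
            alerts.append((rec["client"], rec["host"],
                           "contact with known Win32/Kuluoz server"))
        elif (rec["method"] == "POST"
              and host_matches(rec["host"], ONLINE_STORAGE_SITES)
              and rec["bytes_out"] >= upload_threshold):
            alerts.append((rec["client"], rec["host"],
                           "large upload to online storage site"))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
2013-01-15T10:02:11Z 10.0.0.15 GET www.microsoft.com /en-us 512 200
2013-01-15T10:03:45Z 10.0.0.15 POST office138489123.ru /upload.php 204800 200
2013-01-15T10:05:02Z 10.0.0.15 POST sendspace.com /upload 3145728 200
2013-01-15T10:06:30Z 10.0.0.22 GET infopepsigoood.ru /cmd 128 200
2013-01-15T10:07:00Z 10.0.0.30 POST sendspace.com /upload 2048 200
""".strip().splitlines()

if __name__ == "__main__":
    for client, host, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

The first rule is a plain indicator match and will stop firing once the servers change; the second rule keys on behaviour (a large POST to a file-sharing site from a workstation) and is the one worth keeping as a hunting query, tuned to the volume of legitimate uploads on the network.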
The following are examples of remote servers used by this trojan:
Files downloaded by Win32/Kuluoz could be other variants of this or other malware, such as:
Analysis by Shawn Wang