
Trojan:Win32/Kuluoz.gen!A


Trojan:Win32/Kuluoz.gen!A is a trojan that steals information. It looks for files used by the browsers Firefox and Opera that may contain user names and passwords. It also looks for document files and spreadsheets, which it packs into an archive file. It sends the browser files and the archive file to a remote server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

Trojan:Win32/Kuluoz.gen!A adds the following registry entry as part of its installation process:

In subkey: HKCU\Software\hkhuiih
Sets value: "kghjgrdgf"
With data: "1"

Payload

Steals information

Trojan:Win32/Kuluoz.gen!A looks for the files "signons.sqlite", "key3.db", and "wand.dat" in the following folders:

  • %AppData%\Mozilla\Firefox\Profiles
  • %AppData%\Thunderbird\Profiles
  • %AppData%\Opera\Opera

These files are used by the browsers Firefox and Opera to store user names and passwords. If found, Trojan:Win32/Kuluoz.gen!A steals the contents.

Trojan:Win32/Kuluoz.gen!A also looks for document files and spreadsheets that may contain sensitive information. It then bundles these, along with the browser files, into a randomly named .ZIP file and sends it to the server "everkosmo2012.ru" via port 8000.

Analysis by Tim Liu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKCU\Software\hkhuiih
    Sets value: "kghjgrdgf"
    With data: "1"
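The following host triage script is an added example, not part of the Microsoft encyclopedia entry. It checks a Windows machine for the indicators this entry documents: the installation registry value, the credential-store files the trojan targets (reported as exposure, not infection), and connections to port 8000 or the named server. It assumes PowerShell 3.0 or later with the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later).

```powershell
# Added Kuluoz triage check (example code, not from the Microsoft entry).
# Assumes PS 3.0+ and the NetTCPIP / DnsClient modules for the network checks.
$findings = @()

# 1. Installation indicator documented in the entry:
#    HKCU\Software\hkhuiih, value kghjgrdgf with data "1"
$regPath = 'HKCU:\Software\hkhuiih'
if (Test-Path $regPath) {
    $val = (Get-ItemProperty -Path $regPath -Name 'kghjgrdgf' -ErrorAction SilentlyContinue).kghjgrdgf
    if ($val -eq '1') {
        $findings += "Registry indicator present: $regPath\kghjgrdgf = $val"
    } else {
        $findings += "Suspicious key present without the documented value: $regPath"
    }
}

# 2. Credential stores the trojan harvests. Their presence is normal on a
#    host with Firefox/Thunderbird/Opera; this only shows what is at risk.
$appData     = [Environment]::ExpandEnvironmentVariables('%AppData%')
$profileDirs = @('Mozilla\Firefox\Profiles', 'Thunderbird\Profiles', 'Opera\Opera')
$targetFiles = @('signons.sqlite', 'key3.db', 'wand.dat')
foreach ($dir in $profileDirs) {
    $full = Join-Path $appData $dir
    if (-not (Test-Path $full)) { continue }
    Get-ChildItem -Path $full -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $targetFiles -contains $_.Name } |
        ForEach-Object { $findings += "Credential store at risk: $($_.FullName)" }
}

# 3. Network indicators: live TCP connections to the exfiltration port, and
#    the server name in the local DNS resolver cache.
Get-NetTCPConnection -RemotePort 8000 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "TCP connection to port 8000: $($_.RemoteAddress) (PID $($_.OwningProcess))" }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*everkosmo2012.ru*' } |
    ForEach-Object { $findings += "DNS cache entry for exfiltration host: $($_.Entry)" }

if ($findings.Count -eq 0) {
    'No Kuluoz indicators found on this host.'
} else {
    $findings
}
```

Port 8000 is also used by legitimate services, so a connection hit alone is a lead to investigate (check the owning process), not a confirmed infection.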


Prevention


Alert level: Severe
First detected by definition: 1.123.978.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 03, 2012
This entry was first published on: Apr 03, 2012
This entry was updated on: May 31, 2012

This threat is also detected as:
  • TR/Harvso.A (Avira)
  • Trojan.PWS.Stealer.786 (Dr.Web)
  • Win32/DataStealer.D trojan (ESET)
  • Trojan.Win32.Harvso (Ikarus)
  • TROJ_SPNR.11DT12 (Trend Micro)