
TrojanDownloader:Win32/Kuluoz.B


Microsoft security software detects and removes this threat.  

This trojan tries to connect your PC to a remote server to receive instructions from a malicious hacker. The hacker can then tell the trojan to perform any number of actions, including to download and run files. We have seen this trojan download variants of the rogue security scanner Rogue:Win32/Winwebsec.

There is more information in the Win32/Kuluoz family description.



What to do now

Use the following free Microsoft software to detect and remove this threat: 

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This trojan might arrive as a file attached to an email sent by a hacker using a spoofed email address. We've seen this trojan being delivered as a .ZIP or .RAR archive with names similar to the following:

  • FedEx_Label_ID_Order_83-27-4534US.zip
  • IRSPROFILE.zip
  • Label_Parcel_IN34-789-54UK.rar
  • Label_US.6366NT.zip
  • Postetikett_Deutsche_Post_AG_DE482456.zip
  • Print_Label_FedEx_AN173738US.zip
  • Ticket_AA_Air_ID186-178US.zip
  • Ticket_Delta_Air_Lines_US9760.zip

The archive contains an executable file with the same name as the archive. If the trojan is run, it injects code into the running "svchost.exe" process, which then creates a copy of the trojan as a randomly named file, as in the following example:

The malware makes changes to the registry so that the malware runs each time you start your PC.

Payload

Downloads other malware

TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:

  • <site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0

The parameters that the trojan passes to the website vary between variants. TrojanDownloader:Win32/Kuluoz.B also sends requests to legitimate sites, including Bing.com, Twitter.com, Google.com and Fb.com, mixing them with requests to malicious sites to disguise its command-and-control traffic.

When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "scbirs.ch".
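Because the gate request has a recognisable shape regardless of which host it is sent to, a defender can hunt for it in proxy logs without relying on a host list. The following is an added example, not part of the Microsoft write-up: it matches the `index.php?r=gate&fq=<hex>&group=...` structure described above and counts the decoy requests to the legitimate sites alongside it. The log format (`time src_ip url`) and the `.invalid` hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Gate request shape from the write-up; values vary between variants,
# so match on structure (r=gate, 8-hex-digit fq, a group tag) not on values.
HEX_RE = re.compile(r"^[0-9a-f]{8}$")
# Legitimate hosts the trojan also contacts to blend its traffic.
DECOY_HOSTS = {"bing.com", "twitter.com", "google.com", "fb.com"}

# Constructed proxy log: one infected client (10.0.0.5) and one clean one.
SAMPLE_LOG = """\
2012-06-01T10:00:01 10.0.0.5 http://www.bing.com/
2012-06-01T10:00:02 10.0.0.5 http://c2-one.invalid/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0
2012-06-01T10:00:03 10.0.0.5 http://twitter.com/
2012-06-01T10:00:04 10.0.0.5 http://c2-two.invalid/index.php?r=gate&fq=1a2b3c4d&group=sl16&debug=1
2012-06-01T10:00:05 10.0.0.9 http://shop.example/index.php?r=gate&id=7
"""

def parse_gate(url):
    """Return (host, fq, group, debug) if url looks like a Kuluoz gate beacon, else None."""
    parts = urlsplit(url)
    if parts.path.lower() != "/index.php":
        return None
    q = parse_qs(parts.query)
    if q.get("r") != ["gate"] or "fq" not in q or "group" not in q:
        return None
    fq = q["fq"][0]
    if not HEX_RE.match(fq):
        return None
    return (parts.hostname, fq, q["group"][0], q.get("debug", [None])[0])

def is_decoy(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DECOY_HOSTS)

def scan_log(text):
    """Walk 'time src_ip url' lines; return {src_ip: {'gates': [...], 'decoys': n}}."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the sweep
        _, src, url = fields
        entry = result.setdefault(src, {"gates": [], "decoys": 0})
        gate = parse_gate(url)
        if gate:
            entry["gates"].append(gate)
        elif is_decoy(url):
            entry["decoys"] += 1
    return result

if __name__ == "__main__":
    for src, info in scan_log(SAMPLE_LOG).items():
        print(src, "gate beacons:", len(info["gates"]), "decoy requests:", info["decoys"])
```

A source that produces gate-shaped requests to several unrelated hosts, interleaved with hits to the decoy sites, is the pattern to alert on; the host names themselves change too often to be the primary signal.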

Analysis by Jeong Mun


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.127.1171.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jun 01, 2012
This entry was first published on: Jun 01, 2012
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • VirTool:Win32/Injector.gen!BB (other)
  • Trojan-Dropper.Win32.Dapato.bipz (Kaspersky)
  • Mal/EncPk-AFA (Sophos)
  • Mal/Kuluoz-C (Sophos)