
TrojanDownloader:Win32/Kuluoz.A


TrojanDownloader:Win32/Kuluoz.A is a trojan that attempts to connect your computer to a remote server from which it receives and carries out instructions, such as to download and execute files. This trojan has been observed to download variants of Trojan:Win32/FakeSysdef, a rogue security scanner.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.


Threat behavior

TrojanDownloader:Win32/Kuluoz.A is a trojan that attempts to connect your computer to a remote server from which it receives and carries out instructions, such as to download and execute files. This trojan has been observed to download variants of Trojan:Win32/FakeSysdef, a rogue security scanner.

Installation

This trojan may arrive as a file attached to an email sent by an attacker using a spoofed email address. The file attachment may be named "Label_Parcel_USPS_ID.45-123-14.zip", or similar, with an embedded file containing the same name, such as "Label_Parcel_USPS_ID.45-123-14.exe". If the trojan is run, it creates a copy of itself as the following:

  • %APPDATA%\csrss.exe

It modifies your system registry to run the trojan copy when you start Windows, as in the following example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Name"
To data: ""%AppData%\csrss.exe""

Trojan:Win32/Kuluoz.A injects its payload into the process "svchost.exe".

Payload

Communicates with a remote server

Trojan:Win32/Kuluoz.A tries to connect your computer to a remote host named "everkosmo2012.ru". Once connected, the trojan reports its installation using a unique "machine UID" value and may also receive commands from the server that could instruct the trojan to perform the following actions:

  • Download and execute files
  • Update the trojan
  • Uninstall the trojan

This trojan has been observed to download and execute a rogue security scanner, detected as Trojan:Win32/FakeSysdef, from a website named "objectifplateau.com".

Analysis by Shawn Wang


Symptoms

System changes

The following system changes may indicate the presence of this malware on your computer:

  • The presence of the following file:
    %APPDATA%\csrss.exe
  • The presence of the following registry modifications:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Name"
    To data: ""%AppData%\csrss.exe""
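The installation behaviour above (a csrss.exe copy dropped under %APPDATA% and a Run-key value pointing at it) can be checked for on a host with a short read-only script. This is an added example, not part of the Microsoft write-up; it assumes the indicators exactly as listed here, and because the value name "Name" in the write-up is a placeholder, it matches on the value data rather than the value name.

```powershell
# Added example (not from the write-up): read-only check for the two indicators
# listed under "System changes". A legitimate csrss.exe lives only in
# %SystemRoot%\System32, so any Run value or file resolving to csrss.exe
# elsewhere (the write-up shows "%AppData%\csrss.exe") is worth investigating.
function Test-KuluozIndicators {
    [CmdletBinding()]
    param(
        # Override to inspect a different profile (e.g. a mounted image).
        [string]$AppDataPath = $env:APPDATA,
        [string]$RunKeyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = @()

    # 1. Dropped copy: %APPDATA%\csrss.exe
    $dropped = Join-Path $AppDataPath 'csrss.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $item = Get-Item -LiteralPath $dropped
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = $dropped
            Extra     = ('Size={0} Modified={1}' -f $item.Length, $item.LastWriteTime)
        }
    }

    # 2. Persistence: any HKCU Run value whose (unexpanded) data resolves to a
    #    csrss.exe outside System32. Quotes around the data are stripped first.
    if (Test-Path -LiteralPath $RunKeyPath) {
        $key = Get-Item -LiteralPath $RunKeyPath
        foreach ($name in $key.GetValueNames()) {
            $raw = [string]$key.GetValue($name, '',
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            if ($expanded -match '\\csrss\.exe$' -and
                $expanded -notmatch '\\System32\\csrss\.exe$') {
                $findings += [pscustomobject]@{
                    Indicator = 'RunKey'
                    Detail    = "$RunKeyPath\$name"
                    Extra     = $raw
                }
            }
        }
    }

    return $findings
}

# Report only; nothing is modified. Remove the threat with an up-to-date scanner.
Test-KuluozIndicators | Format-Table -AutoSize
```

An empty table means neither indicator was found for the current user; a "RunKey" row shows the value name and its raw data so it can be compared against the write-up's example.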

Prevention


Alert level: Severe
First detected by definition: 1.125.146.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 20, 2012
This entry was first published on: Apr 20, 2012
This entry was updated on: May 22, 2012

This threat is also detected as:
  • W32/Trojan3.DLI (Command)
  • TR/Drop.Dapato.axrl (Avira)
  • Gen:Variant.Barys.961 (BitDefender)
  • Trojan.Fakealert.30029 (Dr.Web)
  • Win32/TrojanDownloader.Zortob.A (ESET)
  • Trojan-Dropper.Win32.Dapato.axrl (Kaspersky)
  • Downloader-CTH (McAfee)
  • VirTool:Win32/Injector.gen!BB (other)
  • Troj/Bredo-VW (Sophos)
  • Trojan.Smoaler (Symantec)
  • TROJ_KRYPTIK.LJC (Trend Micro)