You have been re-routed to the TrojanDownloader:Win32/Kuluoz.B write up because TrojanDownloader%3aWin32%2fKuluoz.B has been renamed to TrojanDownloader:Win32/Kuluoz.B


Microsoft security software detects and removes this threat.  

This trojan tries to connect your PC to a remote server to receive instructions from a hacker. A hacker can then tell the trojan to perform any number of actions, including to download and run files. We have seen this trojan download variants of the rogue security scanner Rogue:Win32/Winwebsec.

TrojanDownloader:Win32/Kuluoz.B is a member of the Kuluoz family of password stealing trojans.

What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior


This trojan might arrive as a file attached to an email sent by a hacker using a spoofed email address. We've seen this trojan being delivered as a .ZIP or .RAR archive with names similar to the following:

  • Label_Parcel_IN34-789-54UK.rar

The archive contains an executable file having the same file name. If the trojan is run, it injects code into the running process "svchost.exe" which results in the malware creating a copy of the trojan as a randomly named file, as in the following example:

The malware makes changes to the registry so that the malware runs each time you start your PC.


Downloads other malware

TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:

  • < site >/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0

The parameters passed by the trojan to the website vary among variants of the trojan. TrojanDownloader:Win32/Kuluoz.B requests sites that also include,, and to mix with malicious sites to hide its traffic requests.

When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "".

Analysis by Jeong Mun


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.127.1171.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jun 01, 2012
This entry was first published on: Jun 01, 2012
This entry was updated on: Oct 14, 2013

This threat is also detected as:
  • VirTool:Win32/Injector.gen!BB (other)
  • Trojan-Dropper.Win32.Dapato.bipz (Kaspersky)
  • Mal/EncPk-AFA (Sophos)
  • Mal/Kuluoz-C (Sophos)