
TrojanDownloader:Win32/Kuluoz.D


Microsoft security software detects and removes this threat.

This trojan downloads other malware onto your PC. It also opens a text file to try and fool you into thinking it's harmless.

There is more information about this type of threat in the Win32/Kuluoz family description.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

TrojanDownloader:Win32/Kuluoz.D uses the legitimate Windows file svchost.exe to drop a copy of itself into the %APPDATA% folder using a random 8-character file name.

It then creates a registry entry that lets it run automatically every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<8 random characters>"
With data: "%APPDATA%\<8 random characters>.exe"
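
The following is an added example, not part of the original write-up or any Microsoft tool: a triage check that reads the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values shaped like the entry above. The function and constant names are hypothetical, the sample output is constructed, and it assumes the "8 random characters" are letters or digits.

```python
import re

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

# %APPDATA% unexpanded, or expanded on Windows Vista and later, or on Windows XP.
APPDATA = (r"(?:%APPDATA%"
           r"|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"
           r"|[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data)")

# Assumption: the page does not give the character set; letters and digits are used here.
RANDOM8 = r"[A-Za-z0-9]{8}"
NAME_RE = re.compile("^" + RANDOM8 + "$")
# The executable must sit directly in %APPDATA%, not in a vendor subfolder.
DATA_RE = re.compile('^"?' + APPDATA + r"\\" + RANDOM8 + r'\.exe"?$', re.IGNORECASE)


def find_suspect_run_values(reg_query_output):
    """Return (value name, data) pairs matching the Run entry pattern on this page."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m or m["type"] not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        name, data = m["name"], m["data"].strip()
        if NAME_RE.match(name) and DATA_RE.match(data):
            hits.append((name, data))
    return hits


# Constructed sample output; none of these names come from a real sample.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qwhxnbtk    REG_SZ    "C:\Users\alice\AppData\Roaming\pfjdkmwe.exe"
    Notetool    REG_SZ    C:\Users\alice\AppData\Roaming\Notetool\notetool.exe
    updater1    REG_EXPAND_SZ    %APPDATA%\a1b2c3d4.exe
"""

if __name__ == "__main__":
    for name, data in find_suspect_run_values(SAMPLE):
        print(f"review: {name} -> {data}")
```

A match is a lead for triage rather than a verdict, since legitimate software can also use an 8-character name directly under %APPDATA%.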

It installs a text file to try and mislead you into thinking that it's a harmless file rather than malware. It then automatically opens this text file. The contents might look like this:

Payload

Downloads other malware

TrojanDownloader:Win32/Kuluoz.D can download other malware onto your PC. We have seen it download and run these threats:

Connects to a remote server

Win32/Kuluoz.D connects to a remote server to receive further instructions, including:

  • Download and run files
  • Update
  • Uninstall

We have seen it connect to these servers, although this list can change:

  • 70.32.79.44
  • 91.208.144.158
  • 168.188.15.221
  • 184.106.191.157
  • 188.122.72.112
  • 220.67.211.23

Analysis by Daniel Radu


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<8 random characters>"
    With data: "%APPDATA%\<8 random characters>.exe"

Prevention


Alert level: Severe
First detected by definition: 1.129.1344.0
Latest detected by definition: 1.185.1744.0 and higher
First detected on: Jul 10, 2012
This entry was first published on: Jan 06, 2014
This entry was updated on: Sep 10, 2014

This threat is also detected as:
No known aliases