TrojanDownloader:Win32/Kuluoz


Microsoft security software detects and removes this threat.

This threat can download other malware onto your PC, including PWS:Win32/Kuluoz.gen!A, Win32/Crowti, and Win32/Zbot.

It can be installed when you open a spam email attachment.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat might arrive on your PC attached to a spam email as a .ZIP or .RAR archive. We have seen the attachment use the following file names:

  • Copy_of_Document_ID1029.zip
  • Copy_of_Document_ID1428.zip
  • Der_Gerichtsbescheid_N8991.zip
  • ET-27812432.zip
  • ET-60312972.zip
  • Note_4634_copy.zip
  • Note_9524_copy.zip
  • Pretrial-Notice_09-01-2014_N92266.zip

When the attachment is opened, it drops a file into %LOCALAPPDATA% that uses a Microsoft Word or WAV file icon to look harmless. Examples of the icons used are shown below:

If you try to open this file, the malware displays an error message saying the file couldn't be opened. We have seen it use the following error message:

While this message is displayed, the malware is also installed under a random eight-character file name, for example:

It also changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Eight random characters>.exe", for example "ienuuuur.exe"
With data: "%LOCALAPPDATA%\<8 random characters.exe>"

Payload

Downloads other malware

This threat can download other malware onto your PC. We have seen it download and run the threats named above (PWS:Win32/Kuluoz.gen!A, Win32/Crowti and Win32/Zbot):

Connects to a remote server

It can connect to a remote server to receive instructions from a malicious hacker, including:

  • Download and run files
  • Update
  • Uninstall

We have seen it connect to the following servers:


Analysis by Jayronn Bucu


Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<Eight random characters>"
    With data: "%LOCALAPPDATA%\<8 random characters.exe>"
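The Run-key persistence described under Installation and repeated in this Symptoms entry can be checked with the PowerShell below. It is an added example, not code from Microsoft's page; the eight-lowercase-letter pattern for the value name and the "executable sitting directly in %LOCALAPPDATA%" test are assumptions drawn from the examples the page gives.

```powershell
# Added example (not from the Microsoft page): flag HKCU Run values that match
# the Kuluoz persistence pattern. Pattern details are assumptions based on the
# page's examples ("ienuuuur.exe", "%LOCALAPPDATA%\<8 random characters.exe>").
function Find-KuluozRunEntries {
    [CmdletBinding()]
    param(
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $localAppData = [Environment]::GetFolderPath('LocalApplicationData').TrimEnd('\')
    $key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return @() }

    $findings = foreach ($name in $key.GetValueNames()) {
        # Read the raw data without expanding %LOCALAPPDATA%, so the report shows what is stored
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim().Trim('"')

        # Value name: eight random characters, with or without ".exe" (page shows both forms)
        $nameMatches = $name -match '^[a-z]{8}(\.exe)?$'

        # Data: an eight-character .exe located directly inside %LOCALAPPDATA%
        $dataMatches = $false
        if (-not [string]::IsNullOrWhiteSpace($expanded)) {
            $leaf   = Split-Path -Path $expanded -Leaf
            $parent = (Split-Path -Path $expanded -Parent).TrimEnd('\')
            $dataMatches = ($leaf -match '^[a-z]{8}\.exe$') -and ($parent -ieq $localAppData)
        }

        if ($nameMatches -or $dataMatches) {
            $exists = (-not [string]::IsNullOrWhiteSpace($expanded)) -and (Test-Path -LiteralPath $expanded)
            [pscustomobject]@{
                ValueName  = $name
                Data       = $data
                FileExists = $exists
                # Hash is collected for triage; compare it against your AV vendor's detection, not this page
                Sha256     = if ($exists) { (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
    return @($findings)
}

# Run the check for the current user's Run key and print any suspicious entries
Find-KuluozRunEntries | Format-Table -AutoSize
```

A match is a lead, not a verdict: confirm with a full scan using up-to-date definitions before removing anything.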

Prevention


Alert level: Severe
First detected by definition: 1.151.849.0
Latest detected by definition: 1.191.335.0 and higher
First detected on: May 24, 2013
This entry was first published on: May 24, 2013
This entry was updated on: Nov 21, 2014

This threat is also detected as:
  • W32/Trojan.GQCL-1609 (Command)
  • Net-Worm.Win32.Aspxor.dwrw (Kaspersky)
  • TR/Crypt.ZPACK.93996 (Avira)
  • BackDoor.Kuluoz.4 (Dr.Web)
  • W32/Kryptik.CQEL!tr (Fortinet)